CVE-2024-26984

nouveau: fix instmem race condition around ptr stores

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

nouveau: fix instmem race condition around ptr stores

Running a lot of VK CTS in parallel against nouveau, once every
few hours you might see something like this crash.

BUG: kernel NULL pointer dereference, address: 0000000000000008
PGD 8000000114e6e067 P4D 8000000114e6e067 PUD 109046067 PMD 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 7 PID: 53891 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27
Hardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021
RIP: 0010:gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]
Code: c7 48 01 c8 49 89 45 58 85 d2 0f 84 95 00 00 00 41 0f b7 46 12 49 8b 7e 08 89 da 42 8d 2c f8 48 8b 47 08 41 83 c7 01 48 89 ee <48> 8b 40 08 ff d0 0f 1f 00 49 8b 7e 08 48 89 d9 48 8d 75 04 48 c1
RSP: 0000:ffffac20c5857838 EFLAGS: 00010202
RAX: 0000000000000000 RBX: 00000000004d8001 RCX: 0000000000000001
RDX: 00000000004d8001 RSI: 00000000000006d8 RDI: ffffa07afe332180
RBP: 00000000000006d8 R08: ffffac20c5857ad0 R09: 0000000000ffff10
R10: 0000000000000001 R11: ffffa07af27e2de0 R12: 000000000000001c
R13: ffffac20c5857ad0 R14: ffffa07a96fe9040 R15: 000000000000001c
FS: 00007fe395eed7c0(0000) GS:ffffa07e2c980000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 000000011febe001 CR4: 00000000003706f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:

...

? gp100_vmm_pgt_mem+0xe3/0x180 [nouveau]
? gp100_vmm_pgt_mem+0x37/0x180 [nouveau]
nvkm_vmm_iter+0x351/0xa20 [nouveau]
? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]
? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]
? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]
? __lock_acquire+0x3ed/0x2170
? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]
nvkm_vmm_ptes_get_map+0xc2/0x100 [nouveau]
? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nouveau]
? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nouveau]
nvkm_vmm_map_locked+0x224/0x3a0 [nouveau]

Adding any sort of useful debug usually makes it go away, so I hand
wrote the function in a line, and debugged the asm.

Every so often pt->memory->ptrs is NULL. This ptrs ptr is set in
the nv50_instobj_acquire called from nvkm_kmap.

If Thread A and Thread B both get to nv50_instobj_acquire around
the same time, and Thread A hits the refcount_set line, and in
lockstep thread B succeeds at refcount_inc_not_zero, there is a
chance the ptrs value won't have been stored since refcount_set
is unordered. Force a memory barrier here, I picked smp_mb, since
we want it on all CPUs and it's write followed by a read.

v2: use paired smp_rmb/smp_wmb.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: nouveau: corrige la condición de ejecución de instmem alrededor de las tiendas ptr Al ejecutar una gran cantidad de VK CTS en paralelo contra nouveau, una vez cada pocas horas es posible que vea algo como este bloqueo. ERROR: desreferencia del puntero NULL del kernel, dirección: 0000000000000008 PGD 8000000114e6e067 P4D 8000000114e6e067 PUD 109046067 PMD 0 Ups: 0000 [#1] PREEMPT SMP PTI CPU: 7 PID: 53891 Comm: deqp-vk No contaminado 6.8.0-rc6+ #27 Nombre del hardware : Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 05/11/2021 RIP: 0010:gp100_vmm_pgt_mem+0xe3/0x180 [nuevo] Código: c7 48 01 c8 49 89 45 58 85 d2 0f 84 95 00 00 00 41 0f b7 46 12 49 8b 7e 08 89 da 42 8d 2c f8 48 8b 47 08 41 83 c7 01 48 89 ee <48> 8b 40 08 ff d0 0f 1f 0 0 49 8b 7e 08 48 89 d9 48 8d 75 04 48 c1 RSP: 0000:ffffac20c5857838 EFLAGS: 00010202 RAX: 0000000000000000 RBX: 00000000004d8001 RCX: 0000000000000001 RDX: 00000000004d8001 RSI: 00000000000006d8 RDI: ffffa07afe332180 RBP: 00000000000006d8 R08: ffffac20c5857ad0 R09: 0000000000ffff10 R10: 000000001 R11: ffffa07af27e2de0 R12: 000000000000001c R13: ffffac20c5857ad0 R14: ffffa07a96fe9040 R15: 000000000000001c FS: 00007fe395eed7c0(0000) GS:ffffa07e2c980000(0000) nlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 000000011febe001 CR4: 00000000003706f0 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Rastreo de llamadas: ... ? gp100_vmm_pgt_mem+0xe3/0x180 [nuevo]? gp100_vmm_pgt_mem+0x37/0x180 [nuevo] nvkm_vmm_iter+0x351/0xa20 [nuevo] ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nuevo] ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nuevo] ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nuevo] ? __lock_acquire+0x3ed/0x2170? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nuevo] nvkm_vmm_ptes_get_map+0xc2/0x100 [nuevo] ? __pfx_nvkm_vmm_ref_ptes+0x10/0x10 [nuevo] ? __pfx_gp100_vmm_pgt_mem+0x10/0x10 [nuevo] nvkm_vmm_map_locked+0x224/0x3a0 [nuevo] Agregar cualquier tipo de depuración útil generalmente hace que desaparezca, así que escribí la función a mano en una línea y depuré el asm. De vez en cuando pt->memoria->ptrs es NULL. Este ptrs ptr se establece en nv50_instobj_acquire llamado desde nvkm_kmap. Si el subproceso A y el subproceso B llegan a nv50_instobj_acquire aproximadamente al mismo tiempo, y el subproceso A llega a la línea refcount_set, y en paralelo el subproceso B tiene éxito en refcount_inc_not_zero, existe la posibilidad de que el valor de ptrs no se haya almacenado ya que refcount_set no está ordenado. Forzar una barrera de memoria aquí, elegí smp_mb, ya que lo queremos en todas las CPU y es escritura seguida de lectura. v2: use smp_rmb/smp_wmb emparejado.

*Credits: N/A

CVSS Scores

CISAv3.1 5.5

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-05-01 CVE Published
2024-05-03 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CAPEC

References (11)

URL	Tag	Source
https://git.kernel.org/stable/c/be55287aa5ba6895e9d4d3ed2f08a1be7a065957	Vuln. Introduced
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/bba8ec5e9b16649d85bc9e9086bf7ae5b5716ff9	2024-05-02
https://git.kernel.org/stable/c/1bc4825d4c3ec6abe43cf06c3c39d664d044cbf7	2024-05-02
https://git.kernel.org/stable/c/13d76b2f443dc371842916dd8768009ff1594716	2024-05-02
https://git.kernel.org/stable/c/3ab056814cd8ab84744c9a19ef51360b2271c572	2024-04-27
https://git.kernel.org/stable/c/ad74d208f213c06d860916ad40f609ade8c13039	2024-04-27
https://git.kernel.org/stable/c/a019b44b1bc6ed224c46fb5f88a8a10dd116e525	2024-04-27
https://git.kernel.org/stable/c/21ca9539f09360fd83654f78f2c361f2f5ddcb52	2024-04-27
https://git.kernel.org/stable/c/fff1386cc889d8fb4089d285f883f8cba62d82ce	2024-04-15

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.15 < 4.19.313 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.15 < 4.19.313"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.15 < 5.4.275 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.15 < 5.4.275"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.15 < 5.10.216 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.15 < 5.10.216"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.15 < 5.15.157 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.15 < 5.15.157"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.15 < 6.1.88 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.15 < 6.1.88"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.15 < 6.6.29 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.15 < 6.6.29"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.15 < 6.8.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.15 < 6.8.8"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.15 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.15 < 6.9"		en		Affected