SUSE: CVE-2024-26657: SUSE Linux Security Advisory

SUSE: CVE-2024-26657: SUSE Linux Security Advisory

Severity

5

CVSS

(AV:L/AC:L/Au:S/C:N/I:N/A:C)

Published

04/02/2024

Created

06/24/2024

Added

06/24/2024

Modified

01/28/2025

Description

In the Linux kernel, the following vulnerability has been resolved: drm/sched: fix null-ptr-deref in init entity The bug can be triggered by sending an amdgpu_cs_wait_ioctl to the AMDGPU DRM driver on any ASICs with valid context. The bug was reported by Joonkyo Jung <[email protected]>. For example the following code: static void Syzkaller2(int fd) { union drm_amdgpu_ctx arg1; union drm_amdgpu_wait_cs arg2; arg1.in.op = AMDGPU_CTX_OP_ALLOC_CTX; ret = drmIoctl(fd, 0x140106442 /* amdgpu_ctx_ioctl */, &arg1); arg2.in.handle = 0x0; arg2.in.timeout = 0x2000000000000; arg2.in.ip_type = AMD_IP_VPE /* 0x9 */; arg2->in.ip_instance = 0x0; arg2.in.ring = 0x0; arg2.in.ctx_id = arg1.out.alloc.ctx_id; drmIoctl(fd, 0xc0206449 /* AMDGPU_WAIT_CS * /, &arg2); } The ioctl AMDGPU_WAIT_CS without previously submitted job could be assumed that the error should be returned, but the following commit 1decbf6bb0b4dc56c9da6c5e57b994ebfc2be3aa modified the logic and allowed to have sched_rq equal to NULL. As a result when there is no job the ioctl AMDGPU_WAIT_CS returns success. The change fixes null-ptr-deref in init entity and the stack below demonstrates the error condition: [+0.000007] BUG: kernel NULL pointer dereference, address: 0000000000000028 [+0.007086] #PF: supervisor read access in kernel mode [+0.005234] #PF: error_code(0x0000) - not-present page [+0.005232] PGD 0 P4D 0 [+0.002501] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI [+0.005034] CPU: 10 PID: 9229 Comm: amd_basic Tainted: GB WL 6.7.0+ #4 [+0.007797] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020 [+0.009798] RIP: 0010:drm_sched_entity_init+0x2d3/0x420 [gpu_sched] [+0.006426] Code: 80 00 00 00 00 00 00 00 e8 1a 81 82 e0 49 89 9c 24 c0 00 00 00 4c 89 ef e8 4a 80 82 e0 49 8b 5d 00 48 8d 7b 28 e8 3d 80 82 e0 <48> 83 7b 28 00 0f 84 28 01 00 00 4d 8d ac 24 98 00 00 00 49 8d 5c [+0.019094] RSP: 0018:ffffc90014c1fa40 EFLAGS: 00010282 [+0.005237] RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffffffff8113f3fa [+0.007326] RDX: fffffbfff0a7889d RSI: 0000000000000008 RDI: ffffffff853c44e0 [+0.007264] RBP: ffffc90014c1fa80 R08: 0000000000000001 R09: fffffbfff0a7889c [+0.007266] R10: ffffffff853c44e7 R11: 0000000000000001 R12: ffff8881a719b010 [+0.007263] R13: ffff88810d412748 R14: 0000000000000002 R15: 0000000000000000 [+0.007264] FS:00007ffff7045540(0000) GS:ffff8883cc900000(0000) knlGS:0000000000000000 [+0.008236] CS:0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [+0.005851] CR2: 0000000000000028 CR3: 000000011912e000 CR4: 0000000000350ef0 [+0.007175] Call Trace: [+0.002561]<TASK> [+0.002141]? show_regs+0x6a/0x80 [+0.003473]? __die+0x25/0x70 [+0.003124]? page_fault_oops+0x214/0x720 [+0.004179]? preempt_count_sub+0x18/0xc0 [+0.004093]? __pfx_page_fault_oops+0x10/0x10 [+0.004590]? srso_return_thunk+0x5/0x5f [+0.004000]? vprintk_default+0x1d/0x30 [+0.004063]? srso_return_thunk+0x5/0x5f [+0.004087]? vprintk+0x5c/0x90 [+0.003296]? drm_sched_entity_init+0x2d3/0x420 [gpu_sched] [+0.005807]? srso_return_thunk+0x5/0x5f [+0.004090]? _printk+0xb3/0xe0 [+0.003293]? __pfx__printk+0x10/0x10 [+0.003735]? asm_sysvec_apic_timer_interrupt+0x1b/0x20 [+0.005482]? do_user_addr_fault+0x345/0x770 [+0.004361]? exc_page_fault+0x64/0xf0 [+0.003972]? asm_exc_page_fault+0x27/0x30 [+0.004271]? add_taint+0x2a/0xa0 [+0.003476]? drm_sched_entity_init+0x2d3/0x420 [gpu_sched] [+0.005812]amdgpu_ctx_get_entity+0x3f9/0x770 [amdgpu] [+0.009530]? finish_task_switch.isra.0+0x129/0x470 [+0.005068]? __pfx_amdgpu_ctx_get_entity+0x10/0x10 [amdgpu] [+0.010063]? __kasan_check_write+0x14/0x20 [+0.004356]? srso_return_thunk+0x5/0x5f [+0.004001]? mutex_unlock+0x81/0xd0 [+0.003802]? srso_return_thunk+0x5/0x5f [+0.004096]amdgpu_cs_wait_ioctl+0xf6/0x270 [amdgpu] [+0.009355]? __pfx_ ---truncated---

Solution(s)

• suse-upgrade-cluster-md-kmp-64kb
• suse-upgrade-cluster-md-kmp-azure
• suse-upgrade-cluster-md-kmp-default
• suse-upgrade-cluster-md-kmp-rt
• suse-upgrade-dlm-kmp-64kb
• suse-upgrade-dlm-kmp-azure
• suse-upgrade-dlm-kmp-default
• suse-upgrade-dlm-kmp-rt
• suse-upgrade-dtb-allwinner
• suse-upgrade-dtb-altera
• suse-upgrade-dtb-amazon
• suse-upgrade-dtb-amd
• suse-upgrade-dtb-amlogic
• suse-upgrade-dtb-apm
• suse-upgrade-dtb-apple
• suse-upgrade-dtb-arm
• suse-upgrade-dtb-broadcom
• suse-upgrade-dtb-cavium
• suse-upgrade-dtb-exynos
• suse-upgrade-dtb-freescale
• suse-upgrade-dtb-hisilicon
• suse-upgrade-dtb-lg
• suse-upgrade-dtb-marvell
• suse-upgrade-dtb-mediatek
• suse-upgrade-dtb-nvidia
• suse-upgrade-dtb-qcom
• suse-upgrade-dtb-renesas
• suse-upgrade-dtb-rockchip
• suse-upgrade-dtb-socionext
• suse-upgrade-dtb-sprd
• suse-upgrade-dtb-xilinx
• suse-upgrade-gfs2-kmp-64kb
• suse-upgrade-gfs2-kmp-azure
• suse-upgrade-gfs2-kmp-default
• suse-upgrade-gfs2-kmp-rt
• suse-upgrade-kernel-64kb
• suse-upgrade-kernel-64kb-devel
• suse-upgrade-kernel-64kb-extra
• suse-upgrade-kernel-64kb-livepatch-devel
• suse-upgrade-kernel-64kb-optional
• suse-upgrade-kernel-azure
• suse-upgrade-kernel-azure-devel
• suse-upgrade-kernel-azure-extra
• suse-upgrade-kernel-azure-livepatch-devel
• suse-upgrade-kernel-azure-optional
• suse-upgrade-kernel-azure-vdso
• suse-upgrade-kernel-debug
• suse-upgrade-kernel-debug-devel
• suse-upgrade-kernel-debug-livepatch-devel
• suse-upgrade-kernel-debug-vdso
• suse-upgrade-kernel-default
• suse-upgrade-kernel-default-base
• suse-upgrade-kernel-default-base-rebuild
• suse-upgrade-kernel-default-devel
• suse-upgrade-kernel-default-extra
• suse-upgrade-kernel-default-livepatch
• suse-upgrade-kernel-default-livepatch-devel
• suse-upgrade-kernel-default-optional
• suse-upgrade-kernel-default-vdso
• suse-upgrade-kernel-devel
• suse-upgrade-kernel-devel-azure
• suse-upgrade-kernel-devel-rt
• suse-upgrade-kernel-docs
• suse-upgrade-kernel-docs-html
• suse-upgrade-kernel-kvmsmall
• suse-upgrade-kernel-kvmsmall-devel
• suse-upgrade-kernel-kvmsmall-livepatch-devel
• suse-upgrade-kernel-kvmsmall-vdso
• suse-upgrade-kernel-macros
• suse-upgrade-kernel-obs-build
• suse-upgrade-kernel-obs-qa
• suse-upgrade-kernel-rt
• suse-upgrade-kernel-rt-devel
• suse-upgrade-kernel-rt-extra
• suse-upgrade-kernel-rt-livepatch-devel
• suse-upgrade-kernel-rt-optional
• suse-upgrade-kernel-rt-vdso
• suse-upgrade-kernel-rt_debug
• suse-upgrade-kernel-rt_debug-devel
• suse-upgrade-kernel-rt_debug-livepatch-devel
• suse-upgrade-kernel-rt_debug-vdso
• suse-upgrade-kernel-source
• suse-upgrade-kernel-source-azure
• suse-upgrade-kernel-source-rt
• suse-upgrade-kernel-source-vanilla
• suse-upgrade-kernel-syms
• suse-upgrade-kernel-syms-azure
• suse-upgrade-kernel-syms-rt
• suse-upgrade-kernel-zfcpdump
• suse-upgrade-kselftests-kmp-64kb
• suse-upgrade-kselftests-kmp-azure
• suse-upgrade-kselftests-kmp-default
• suse-upgrade-kselftests-kmp-rt
• suse-upgrade-ocfs2-kmp-64kb
• suse-upgrade-ocfs2-kmp-azure
• suse-upgrade-ocfs2-kmp-default
• suse-upgrade-ocfs2-kmp-rt
• suse-upgrade-reiserfs-kmp-64kb
• suse-upgrade-reiserfs-kmp-azure
• suse-upgrade-reiserfs-kmp-default
• suse-upgrade-reiserfs-kmp-rt

References

• https://attackerkb.com/topics/cve-2024-26657
• CVE - 2024-26657