Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2023-52738

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
21/05/2024
Last modified:
02/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amdgpu/fence: Fix oops due to non-matching drm_sched init/fini<br /> <br /> Currently amdgpu calls drm_sched_fini() from the fence driver sw fini<br /> routine - such function is expected to be called only after the<br /> respective init function - drm_sched_init() - was executed successfully.<br /> <br /> Happens that we faced a driver probe failure in the Steam Deck<br /> recently, and the function drm_sched_fini() was called even without<br /> its counter-part had been previously called, causing the following oops:<br /> <br /> amdgpu: probe of 0000:04:00.0 failed with error -110<br /> BUG: kernel NULL pointer dereference, address: 0000000000000090<br /> PGD 0 P4D 0<br /> Oops: 0002 [#1] PREEMPT SMP NOPTI<br /> CPU: 0 PID: 609 Comm: systemd-udevd Not tainted 6.2.0-rc3-gpiccoli #338<br /> Hardware name: Valve Jupiter/Jupiter, BIOS F7A0113 11/04/2022<br /> RIP: 0010:drm_sched_fini+0x84/0xa0 [gpu_sched]<br /> [...]<br /> Call Trace:<br /> <br /> amdgpu_fence_driver_sw_fini+0xc8/0xd0 [amdgpu]<br /> amdgpu_device_fini_sw+0x2b/0x3b0 [amdgpu]<br /> amdgpu_driver_release_kms+0x16/0x30 [amdgpu]<br /> devm_drm_dev_init_release+0x49/0x70<br /> [...]<br /> <br /> To prevent that, check if the drm_sched was properly initialized for a<br /> given ring before calling its fini counter-part.<br /> <br /> Notice ideally we&amp;#39;d use sched.ready for that; such field is set as the latest<br /> thing on drm_sched_init(). But amdgpu seems to "override" the meaning of such<br /> field - in the above oops for example, it was a GFX ring causing the crash, and<br /> the sched.ready field was set to true in the ring init routine, regardless of<br /> the state of the DRM scheduler. Hence, we ended-up using sched.ops as per<br /> Christian&amp;#39;s suggestion [0], and also removed the no_scheduler check [1].<br /> <br /> [0] https://lore.kernel.org/amd-gfx/984ee981-2906-0eaf-ccec-9f80975cb136@amd.com/<br /> [1] https://lore.kernel.org/amd-gfx/cd0e2994-f85f-d837-609f-7056d5fb7231@amd.com/

Impact

Vector 3.x
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS v3.1 Severity and Metrics:

Base Score: 5.30 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): Low

Base Score 3.x
5.30
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.14.10 (including) 5.15.94 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.12 (including)
cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.2:rc7:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools