CVE-2024-46683

Severity:
HIGH
Type:
CWE-416 Use After Free
Publication date:
13/09/2024
Last modified:
13/09/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/xe: prevent UAF around preempt fence

The fence lock is part of the queue, therefore in the current design anything locking the fence should then also hold a ref to the queue to prevent the queue from being freed.

However, currently it looks like we signal the fence and then drop the queue ref, but if something is waiting on the fence, the waiter is kicked to wake up at some later point, where upon waking up it first grabs the lock before checking the fence state. But if we have already dropped the queue ref, then the lock might already be freed as part of the queue, leading to uaf.

To prevent this, move the fence lock into the fence itself so we don't run into lifetime issues. Alternative might be to have device level lock, or only release the queue in the fence release callback, however that might require pushing to another worker to avoid locking issues.

References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2454
References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2342
References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2020
(cherry picked from commit 7116c35aacedc38be6d15bd21b2fc936eed0008b)

Vulnerable products and versions

CPE                                                  From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         6.10 (including)   6.10.8 (excluding)
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*