CVE-2024-46683
Description
In the Linux kernel, the following vulnerability has been resolved:

drm/xe: prevent UAF around preempt fence

The fence lock is part of the queue, therefore in the current design
anything locking the fence should then also hold a ref to the queue to
prevent the queue from being freed.

However, currently it looks like we signal the fence and then drop the
queue ref, but if something is waiting on the fence, the waiter is
kicked to wake up at some later point, where upon waking up it first
grabs the lock before checking the fence state. But if we have already
dropped the queue ref, then the lock might already be freed as part of
the queue, leading to uaf.

To prevent this, move the fence lock into the fence itself so we don't
run into lifetime issues. Alternative might be to have device level
lock, or only release the queue in the fence release callback, however
that might require pushing to another worker to avoid locking issues.

References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2454
References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2342
References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2020
(cherry picked from commit 7116c35aacedc38be6d15bd21b2fc936eed0008b)
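Illustrative user-space C model of the lifetime fix described in the commit message above. This is an added example, not code from the xe driver: the struct and function names are made up for the model. It shows the fixed layout, where the lock lives in the fence and the waiter holds its own fence reference, so dropping the last queue reference in the signal path can no longer free the lock the waiter takes when it wakes.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

/* Illustrative model of the fixed layout (not the driver's real types).
 * Before the fix the lock sat in the queue while the waiter held no queue
 * reference, so the signal path's queue_put() could free the lock the waiter
 * was about to take. With the lock in the fence, and the waiter holding a
 * fence reference, the lock outlives every locker. */
struct preempt_fence { atomic_flag lock; atomic_int refcount; bool signaled; };
struct exec_queue   { atomic_int refcount; struct preempt_fence *fence; };

/* Spin on the flag, standing in for the kernel spinlock. */
static void fence_lock(struct preempt_fence *f) { while (atomic_flag_test_and_set(&f->lock)) {} }
static void fence_unlock(struct preempt_fence *f) { atomic_flag_clear(&f->lock); }

static void fence_put(struct preempt_fence *f)
{
    if (atomic_fetch_sub(&f->refcount, 1) == 1) free(f);
}
/* Dropping the last queue ref frees the queue and releases only the queue's
 * own fence ref; a pending waiter's ref keeps the fence (and its lock) alive. */
static void queue_put(struct exec_queue *q)
{
    if (atomic_fetch_sub(&q->refcount, 1) == 1) {
        fence_put(q->fence);
        free(q);
    }
}
/* Waiter side: wakes up later, grabs the lock, then reads the fence state. */
bool waiter_check_signaled(struct preempt_fence *f)
{
    fence_lock(f);
    bool signaled = f->signaled;
    fence_unlock(f);
    return signaled;
}
/* Ordering from the commit message: waiter pends, signal, drop queue ref, waiter wakes. */
bool waiter_survives_queue_release(void)
{
    struct exec_queue *q = calloc(1, sizeof(*q));       /* zeroed: lock clear */
    struct preempt_fence *f = calloc(1, sizeof(*f));
    atomic_init(&q->refcount, 1);
    atomic_init(&f->refcount, 1);                        /* the queue's ref */
    q->fence = f;
    atomic_fetch_add(&f->refcount, 1);                   /* waiter's own ref */
    fence_lock(f);
    f->signaled = true;                                  /* signal ... */
    fence_unlock(f);
    queue_put(q);                                        /* ... then drop q: freed */
    bool ok = waiter_check_signaled(f) && atomic_load(&f->refcount) == 1;
    fence_put(f);                                        /* last ref: fence freed */
    return ok;
}
```

Run under a sanitizer (e.g. `-fsanitize=address`) to confirm the waiter's lock access touches only live memory after the queue is gone.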
Impact
Base Score 3.x: 7.80
Severity 3.x: HIGH
Vulnerable products and versions
CPE | From | Up to
---|---|---
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.10 (including) | 6.10.8 (excluding)
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:* | |