Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-58018

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/02/2025
Last modified:
22/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nvkm: correctly calculate the available space of the GSP cmdq buffer<br /> <br /> r535_gsp_cmdq_push() waits for the available page in the GSP cmdq<br /> buffer when handling a large RPC request. When it sees at least one<br /> available page in the cmdq, it quits the waiting with the amount of<br /> free buffer pages in the queue.<br /> <br /> Unfortunately, it always takes the [write pointer, buf_size) as<br /> available buffer pages before rolling back and wrongly calculates the<br /> size of the data should be copied. Thus, it can overwrite the RPC<br /> request that GSP is currently reading, which causes GSP hang due<br /> to corrupted RPC request:<br /> <br /> [ 549.209389] ------------[ cut here ]------------<br /> [ 549.214010] WARNING: CPU: 8 PID: 6314 at drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c:116 r535_gsp_msgq_wait+0xd0/0x190 [nvkm]<br /> [ 549.225678] Modules linked in: nvkm(E+) gsp_log(E) snd_seq_dummy(E) snd_hrtimer(E) snd_seq(E) snd_timer(E) snd_seq_device(E) snd(E) soundcore(E) rfkill(E) qrtr(E) vfat(E) fat(E) ipmi_ssif(E) amd_atl(E) intel_rapl_msr(E) intel_rapl_common(E) mlx5_ib(E) amd64_edac(E) edac_mce_amd(E) kvm_amd(E) ib_uverbs(E) kvm(E) ib_core(E) acpi_ipmi(E) ipmi_si(E) mxm_wmi(E) ipmi_devintf(E) rapl(E) i2c_piix4(E) wmi_bmof(E) joydev(E) ptdma(E) acpi_cpufreq(E) k10temp(E) pcspkr(E) ipmi_msghandler(E) xfs(E) libcrc32c(E) ast(E) i2c_algo_bit(E) crct10dif_pclmul(E) drm_shmem_helper(E) nvme_tcp(E) crc32_pclmul(E) ahci(E) drm_kms_helper(E) libahci(E) nvme_fabrics(E) crc32c_intel(E) nvme(E) cdc_ether(E) mlx5_core(E) nvme_core(E) usbnet(E) drm(E) libata(E) ccp(E) ghash_clmulni_intel(E) mii(E) t10_pi(E) mlxfw(E) sp5100_tco(E) psample(E) pci_hyperv_intf(E) wmi(E) dm_multipath(E) sunrpc(E) dm_mirror(E) dm_region_hash(E) dm_log(E) dm_mod(E) be2iscsi(E) bnx2i(E) cnic(E) uio(E) cxgb4i(E) cxgb4(E) tls(E) libcxgbi(E) libcxgb(E) qla4xxx(E)<br /> [ 549.225752] iscsi_boot_sysfs(E) iscsi_tcp(E) libiscsi_tcp(E) libiscsi(E) scsi_transport_iscsi(E) fuse(E) [last unloaded: gsp_log(E)]<br /> [ 549.326293] CPU: 8 PID: 6314 Comm: insmod Tainted: G E 6.9.0-rc6+ #1<br /> [ 549.334039] Hardware name: ASRockRack 1U1G-MILAN/N/ROMED8-NL, BIOS L3.12E 09/06/2022<br /> [ 549.341781] RIP: 0010:r535_gsp_msgq_wait+0xd0/0x190 [nvkm]<br /> [ 549.347343] Code: 08 00 00 89 da c1 e2 0c 48 8d ac 11 00 10 00 00 48 8b 0c 24 48 85 c9 74 1f c1 e0 0c 4c 8d 6d 30 83 e8 30 89 01 e9 68 ff ff ff 0b 49 c7 c5 92 ff ff ff e9 5a ff ff ff ba ff ff ff ff be c0 0c<br /> [ 549.366090] RSP: 0018:ffffacbccaaeb7d0 EFLAGS: 00010246<br /> [ 549.371315] RAX: 0000000000000000 RBX: 0000000000000012 RCX: 0000000000923e28<br /> [ 549.378451] RDX: 0000000000000000 RSI: 0000000055555554 RDI: ffffacbccaaeb730<br /> [ 549.385590] RBP: 0000000000000001 R08: ffff8bd14d235f70 R09: ffff8bd14d235f70<br /> [ 549.392721] R10: 0000000000000002 R11: ffff8bd14d233864 R12: 0000000000000020<br /> [ 549.399854] R13: ffffacbccaaeb818 R14: 0000000000000020 R15: ffff8bb298c67000<br /> [ 549.406988] FS: 00007f5179244740(0000) GS:ffff8bd14d200000(0000) knlGS:0000000000000000<br /> [ 549.415076] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 549.420829] CR2: 00007fa844000010 CR3: 00000001567dc005 CR4: 0000000000770ef0<br /> [ 549.427963] PKRU: 55555554<br /> [ 549.430672] Call Trace:<br /> [ 549.433126] <br /> [ 549.435233] ? __warn+0x7f/0x130<br /> [ 549.438473] ? r535_gsp_msgq_wait+0xd0/0x190 [nvkm]<br /> [ 549.443426] ? report_bug+0x18a/0x1a0<br /> [ 549.447098] ? handle_bug+0x3c/0x70<br /> [ 549.450589] ? exc_invalid_op+0x14/0x70<br /> [ 549.454430] ? asm_exc_invalid_op+0x16/0x20<br /> [ 549.458619] ? r535_gsp_msgq_wait+0xd0/0x190 [nvkm]<br /> [ 549.463565] r535_gsp_msg_recv+0x46/0x230 [nvkm]<br /> [ 549.468257] r535_gsp_rpc_push+0x106/0x160 [nvkm]<br /> [ 549.473033] r535_gsp_rpc_rm_ctrl_push+0x40/0x130 [nvkm]<br /> [ 549.478422] nvidia_grid_init_vgpu_types+0xbc/0xe0 [nvkm]<br /> [ 549.483899] nvidia_grid_init+0xb1/0xd0 [nvkm]<br /> [ 549.488420] ? srso_alias_return_thunk+0x5/0xfbef5<br /> [ 549.493213] nvkm_device_pci_probe+0x305/0x420 [nvkm]<br /> [ 549.498338] local_pci_probe+0x46/<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.13.3 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools