CVE-2024-44993

In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Fix out-of-bounds read in `v3d_csd_job_run()` When enabling UBSAN on Raspberry Pi 5, we get the following warning: [ 387.894977] UBSAN: array-index-out-of-bounds in drivers/gpu/drm/v3d/v3d_sched.c:320:3 [ 387.903868] index 7 is out of range for type '__u32 [7]' [ 387.909692] CPU: 0 PID: 1207 Comm: kworker/u16:2 Tainted: G WC 6.10.3-v8-16k-numa #151 [ 387.919166] Hardware name: Raspberry Pi 5 Model B Rev 1.0 (DT) [ 387.925961] Workqueue: v3d_csd drm_sched_run_job_work [gpu_sched] [ 387.932525] Call trace: [ 387.935296] dump_backtrace+0x170/0x1b8 [ 387.939403] show_stack+0x20/0x38 [ 387.942907] dump_stack_lvl+0x90/0xd0 [ 387.946785] dump_stack+0x18/0x28 [ 387.950301] __ubsan_handle_out_of_bounds+0x98/0xd0 [ 387.955383] v3d_csd_job_run+0x3a8/0x438 [v3d] [ 387.960707] drm_sched_run_job_work+0x520/0x6d0 [gpu_sched] [ 387.966862] process_one_work+0x62c/0xb48 [ 387.971296] worker_thread+0x468/0x5b0 [ 387.975317] kthread+0x1c4/0x1e0 [ 387.978818] ret_from_fork+0x10/0x20 [ 387.983014] ---[ end trace ]--- This happens because the UAPI provides only seven configuration registers and we are reading the eighth position of this u32 array. Therefore, fix the out-of-bounds read in `v3d_csd_job_run()` by accessing only seven positions on the '__u32 [7]' array. The eighth register exists indeed on V3D 7.1, but it isn't currently used. That being so, let's guarantee that it remains unused and add a note that it could be set in a future patch.
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*

History

06 Sep 2024, 16:28

Type Values Removed Values Added
CPE cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
References () https://git.kernel.org/stable/c/497d370a644d95a9f04271aa92cb96d32e84c770 - () https://git.kernel.org/stable/c/497d370a644d95a9f04271aa92cb96d32e84c770 - Patch
References () https://git.kernel.org/stable/c/d656b82c4b30cf12715e6cd129d3df808fde24a7 - () https://git.kernel.org/stable/c/d656b82c4b30cf12715e6cd129d3df808fde24a7 - Patch
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.1
First Time Linux linux Kernel
Linux
CWE CWE-125

05 Sep 2024, 12:53

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/v3d: Corregir lectura fuera de los límites en `v3d_csd_job_run()` Al habilitar UBSAN en Raspberry Pi 5, obtenemos la siguiente advertencia: [ 387.894977] UBSAN: array-index-out-of-bounds en drivers/gpu/drm/v3d/v3d_sched.c:320:3 [ 387.903868] el índice 7 está fuera de rango para el tipo '__u32 [7]' [ 387.909692] CPU: 0 PID: 1207 Comm: kworker/u16:2 Tainted: G WC 6.10.3-v8-16k-numa #151 [ 387.919166] Nombre del hardware: Raspberry Pi 5 Model B Rev 1.0 (DT) [ 387.925961] Cola de trabajo: v3d_csd drm_sched_run_job_work [gpu_sched] [ 387.932525] Rastreo de llamadas: [ 387.935296] dump_backtrace+0x170/0x1b8 [ 387.939403] show_stack+0x20/0x38 [ 387.942907] dump_stack_lvl+0x90/0xd0 [ 387.946785] dump_stack+0x18/0x28 [ 387.950301] __ubsan_handle_out_of_bounds+0x98/0xd0 [ 387.955383] v3d_csd_job_run+0x3a8/0x438 [v3d] [ 387.960707] drm_sched_run_job_work+0x520/0x6d0 [gpu_sched] [ 387.966862] process_one_work+0x62c/0xb48 [ 387.971296] worker_thread+0x468/0x5b0 [ 387.975317] kthread+0x1c4/0x1e0 [ 387.978818] ret_from_fork+0x10/0x20 [ 387.983014] ---[ fin del seguimiento ]--- Esto sucede porque la UAPI proporciona solo siete registros de configuración y estamos leyendo la octava posición de esta matriz u32. Por lo tanto, solucione la lectura fuera de los límites en `v3d_csd_job_run()` accediendo solo a siete posiciones en la matriz '__u32 [7]'. El octavo registro existe de hecho en V3D 7.1, pero no se utiliza actualmente. Siendo así, garanticemos que permanezca sin uso y agreguemos una nota que indique que podría configurarse en un parche futuro.

04 Sep 2024, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-04 20:15

Updated : 2024-09-06 16:28


NVD link : CVE-2024-44993

Mitre link : CVE-2024-44993

CVE.ORG link : CVE-2024-44993


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-125

Out-of-bounds Read