Message ID: 20240222225049.72030-1-bethany.jamison@canonical.com
Series: CVE-2023-39198
On 2/22/24 3:50 PM, Bethany Jamison wrote:
> [Impact]
>
> A race condition was found in the QXL driver in the Linux kernel. The
> qxl_mode_dumb_create() function dereferences the qobj returned by the
> qxl_gem_object_create_with_handle(), but the handle is the only one holding
> a reference to it. This flaw allows an attacker to guess the returned
> handle value and trigger a use-after-free issue, potentially leading to a
> denial of service or privilege escalation.
>
> [Fix]
>
> 2 prerequisite and 1 fix commit cherry-picked cleanly.
>
> [Test Case]
>
> Compile and boot tested.
>
> [Regression Potential]
>
> Issues could occur for users who use the qxl driver when creating a drm
> gem object.
>
> Emil Velikov (1):
>   drm/qxl: remove _unlocked suffix in drm_gem_object_put_unlocked
>
> Gerd Hoffmann (1):
>   drm/qxl: allocate dumb buffers in ram
>
> Wander Lairson Costa (1):
>   drm/qxl: fix UAF on handle creation
>
>  drivers/gpu/drm/qxl/qxl_cmd.c     |  2 +-
>  drivers/gpu/drm/qxl/qxl_display.c |  6 +++---
>  drivers/gpu/drm/qxl/qxl_drv.h     |  2 +-
>  drivers/gpu/drm/qxl/qxl_dumb.c    |  9 ++++++---
>  drivers/gpu/drm/qxl/qxl_gem.c     | 25 +++++++++++++++++--------
>  drivers/gpu/drm/qxl/qxl_ioctl.c   | 10 ++++------
>  drivers/gpu/drm/qxl/qxl_object.c  |  4 ++--
>  7 files changed, 34 insertions(+), 24 deletions(-)

Acked-by: Tim Gardner <tim.gardner@canonical.com>
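The lifetime mistake the quoted cover letter describes (a creator that returns a raw object pointer while the freshly created handle is the only reference holder) reduces to a small reference-counting model. The block below is an added illustration written for this page; it is not code from the qxl driver, from the three commits in the series, or from any of the people in this thread. Every name in it (gem_obj, file_priv, handle_create, handle_close, create_with_handle_buggy, create_with_handle_fixed, dumb_create, the RESULT_* codes) is invented, the "concurrent" close is a deterministic interleaving rather than a real thread, and the fixed variant shows the general discipline of returning the object with a reference still held for the caller, not the exact upstream diff.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model (not driver code): gem_obj stands in for a refcounted GEM
 * object, file_priv for a per-file handle table. The final put only marks the
 * object freed instead of freeing it, so a later use is detectable, not UB. */
struct gem_obj { int refcount; bool freed; size_t size; };

#define MAX_HANDLES 4
struct file_priv { struct gem_obj *handle[MAX_HANDLES]; }; /* each slot owns one ref */

static struct gem_obj *obj_new(size_t size)
{
    struct gem_obj *o = calloc(1, sizeof(*o));
    if (!o) abort();
    o->refcount = 1; /* the creator's reference */
    o->size = size;
    return o;
}

static void obj_get(struct gem_obj *o) { o->refcount++; }

/* Last reference gone: the real driver would free the object here. */
static void obj_put(struct gem_obj *o) { if (--o->refcount == 0) o->freed = true; }

/* Publish obj under a handle; the handle takes its own reference. */
static int handle_create(struct file_priv *fp, struct gem_obj *o)
{
    for (int h = 0; h < MAX_HANDLES; h++)
        if (!fp->handle[h]) {
            obj_get(o);
            fp->handle[h] = o;
            return h;
        }
    return -1;
}

/* Analogue of closing a GEM handle: drop the reference the handle owned. */
static int handle_close(struct file_priv *fp, int h)
{
    if (h < 0 || h >= MAX_HANDLES || !fp->handle[h])
        return -1;
    obj_put(fp->handle[h]);
    fp->handle[h] = NULL;
    return 0;
}

/* Buggy shape: drop the creator's reference as soon as the handle exists, yet
 * still return the raw pointer. The handle is now the only owner, so whoever
 * closes it (its number is predictable) frees the object under the caller. */
static struct gem_obj *create_with_handle_buggy(struct file_priv *fp, size_t size, int *handle)
{
    struct gem_obj *o = obj_new(size);
    *handle = handle_create(fp, o);
    obj_put(o); /* refcount 1, owned solely by the handle */
    return o;   /* borrowed pointer with no reference behind it */
}

/* Fixed shape: keep the creator's reference across handle creation and hand it
 * to the caller, who must obj_put() once finished with the object. */
static struct gem_obj *create_with_handle_fixed(struct file_priv *fp, size_t size, int *handle)
{
    struct gem_obj *o = obj_new(size);
    *handle = handle_create(fp, o);
    return o;   /* refcount 2: one for the handle, one for the caller */
}

enum { RESULT_OK = 0, RESULT_UAF = 1, RESULT_LEAK = 2 };

/* The post-creation read that qxl_mode_dumb_create() performs on qobj. */
static int use_object(const struct gem_obj *o)
{
    return o->freed ? RESULT_UAF : RESULT_OK;
}

/* One run of the dumb-create path. With concurrent_close set, another user of
 * the same file closes the fresh handle between creation and the dereference. */
int dumb_create(bool fixed, bool concurrent_close)
{
    struct file_priv fp = {0};
    int handle, result;
    struct gem_obj *o = fixed ? create_with_handle_fixed(&fp, 4096, &handle)
                              : create_with_handle_buggy(&fp, 4096, &handle);

    if (concurrent_close)
        handle_close(&fp, handle); /* the interleaving the cover letter describes */
    result = use_object(o);
    if (fixed)
        obj_put(o);                /* release the caller's reference */
    if (!concurrent_close)
        handle_close(&fp, handle); /* normal teardown */
    if (result == RESULT_OK && !o->freed)
        result = RESULT_LEAK;      /* every owner let go, yet the object survived */
    free(o);
    return result;
}

int main(void)
{
    printf("buggy, handle closed underneath: %d (1 = use-after-free)\n", dumb_create(false, true));
    printf("fixed, handle closed underneath: %d (0 = ok)\n", dumb_create(true, true));
    return 0;
}
```

The RESULT_LEAK check is there to show the other half of the discipline: once the creator keeps a reference for the caller, the caller must put it, otherwise the fix trades a use-after-free for a leak. Running all four combinations (buggy/fixed, with and without the interleaved close) shows that only the buggy variant with an early close reaches a freed object, and that the fixed variant neither reuses nor leaks the object.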
On 22.02.24 23:50, Bethany Jamison wrote:
> [Impact]
>
> A race condition was found in the QXL driver in the Linux kernel. The
> qxl_mode_dumb_create() function dereferences the qobj returned by the
> qxl_gem_object_create_with_handle(), but the handle is the only one holding
> a reference to it. This flaw allows an attacker to guess the returned
> handle value and trigger a use-after-free issue, potentially leading to a
> denial of service or privilege escalation.
>
> [Fix]
>
> 2 prerequisite and 1 fix commit cherry-picked cleanly.
>
> [Test Case]
>
> Compile and boot tested.
>
> [Regression Potential]
>
> Issues could occur for users who use the qxl driver when creating a drm
> gem object.
>
> Emil Velikov (1):
>   drm/qxl: remove _unlocked suffix in drm_gem_object_put_unlocked
>
> Gerd Hoffmann (1):
>   drm/qxl: allocate dumb buffers in ram
>
> Wander Lairson Costa (1):
>   drm/qxl: fix UAF on handle creation
>
>  drivers/gpu/drm/qxl/qxl_cmd.c     |  2 +-
>  drivers/gpu/drm/qxl/qxl_display.c |  6 +++---
>  drivers/gpu/drm/qxl/qxl_drv.h     |  2 +-
>  drivers/gpu/drm/qxl/qxl_dumb.c    |  9 ++++++---
>  drivers/gpu/drm/qxl/qxl_gem.c     | 25 +++++++++++++++++--------
>  drivers/gpu/drm/qxl/qxl_ioctl.c   | 10 ++++------
>  drivers/gpu/drm/qxl/qxl_object.c  |  4 ++--
>  7 files changed, 34 insertions(+), 24 deletions(-)

Acked-by: Stefan Bader <stefan.bader@canonical.com>
On 22.02.24 23:50, Bethany Jamison wrote:
> [Impact]
>
> A race condition was found in the QXL driver in the Linux kernel. The
> qxl_mode_dumb_create() function dereferences the qobj returned by the
> qxl_gem_object_create_with_handle(), but the handle is the only one holding
> a reference to it. This flaw allows an attacker to guess the returned
> handle value and trigger a use-after-free issue, potentially leading to a
> denial of service or privilege escalation.
>
> [Fix]
>
> 2 prerequisite and 1 fix commit cherry-picked cleanly.
>
> [Test Case]
>
> Compile and boot tested.
>
> [Regression Potential]
>
> Issues could occur for users who use the qxl driver when creating a drm
> gem object.
>
> Emil Velikov (1):
>   drm/qxl: remove _unlocked suffix in drm_gem_object_put_unlocked
>
> Gerd Hoffmann (1):
>   drm/qxl: allocate dumb buffers in ram
>
> Wander Lairson Costa (1):
>   drm/qxl: fix UAF on handle creation
>
>  drivers/gpu/drm/qxl/qxl_cmd.c     |  2 +-
>  drivers/gpu/drm/qxl/qxl_display.c |  6 +++---
>  drivers/gpu/drm/qxl/qxl_drv.h     |  2 +-
>  drivers/gpu/drm/qxl/qxl_dumb.c    |  9 ++++++---
>  drivers/gpu/drm/qxl/qxl_gem.c     | 25 +++++++++++++++++--------
>  drivers/gpu/drm/qxl/qxl_ioctl.c   | 10 ++++------
>  drivers/gpu/drm/qxl/qxl_object.c  |  4 ++--
>  7 files changed, 34 insertions(+), 24 deletions(-)

Applied to focal:linux/master-next. Thanks.

-Stefan