mbox series

[SRU,Focal,0/3] CVE-2023-39198

Message ID 20240222225049.72030-1-bethany.jamison@canonical.com
Headers show
Series CVE-2023-39198 | expand

Message

Bethany Jamison Feb. 22, 2024, 10:50 p.m. UTC 
[Impact]

A race condition was found in the QXL driver in the Linux kernel. The
qxl_mode_dumb_create() function dereferences the qobj returned by the
qxl_gem_object_create_with_handle(), but the handle is the only one holding
a reference to it. This flaw allows an attacker to guess the returned
handle value and trigger a use-after-free issue, potentially leading to a
denial of service or privilege escalation.

[Fix]

2 prerequisite and 1 fix commit cherry-picked cleanly.

[Test Case]

Compile and boot tested.

[Regression Potential]

Issues could occur for users who use the qxl driver when creating a drm
gem object.

Emil Velikov (1):
  drm/qxl: remove _unlocked suffix in drm_gem_object_put_unlocked

Gerd Hoffmann (1):
  drm/qxl: allocate dumb buffers in ram

Wander Lairson Costa (1):
  drm/qxl: fix UAF on handle creation

 drivers/gpu/drm/qxl/qxl_cmd.c     |  2 +-
 drivers/gpu/drm/qxl/qxl_display.c |  6 +++---
 drivers/gpu/drm/qxl/qxl_drv.h     |  2 +-
 drivers/gpu/drm/qxl/qxl_dumb.c    |  9 ++++++---
 drivers/gpu/drm/qxl/qxl_gem.c     | 25 +++++++++++++++++--------
 drivers/gpu/drm/qxl/qxl_ioctl.c   | 10 ++++------
 drivers/gpu/drm/qxl/qxl_object.c  |  4 ++--
 7 files changed, 34 insertions(+), 24 deletions(-)

Comments

Tim Gardner Feb. 23, 2024, 3:35 p.m. UTC | #1 
On 2/22/24 3:50 PM, Bethany Jamison wrote:
> [Impact]
> 
> A race condition was found in the QXL driver in the Linux kernel. The
> qxl_mode_dumb_create() function dereferences the qobj returned by the
> qxl_gem_object_create_with_handle(), but the handle is the only one holding
> a reference to it. This flaw allows an attacker to guess the returned
> handle value and trigger a use-after-free issue, potentially leading to a
> denial of service or privilege escalation.
> 
> [Fix]
> 
> 2 prerequisite and 1 fix commit cherry-picked cleanly.
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Regression Potential]
> 
> Issues could occur for users who use the qxl driver when creating a drm
> gem object.
> 
> Emil Velikov (1):
>    drm/qxl: remove _unlocked suffix in drm_gem_object_put_unlocked
> 
> Gerd Hoffmann (1):
>    drm/qxl: allocate dumb buffers in ram
> 
> Wander Lairson Costa (1):
>    drm/qxl: fix UAF on handle creation
> 
>   drivers/gpu/drm/qxl/qxl_cmd.c     |  2 +-
>   drivers/gpu/drm/qxl/qxl_display.c |  6 +++---
>   drivers/gpu/drm/qxl/qxl_drv.h     |  2 +-
>   drivers/gpu/drm/qxl/qxl_dumb.c    |  9 ++++++---
>   drivers/gpu/drm/qxl/qxl_gem.c     | 25 +++++++++++++++++--------
>   drivers/gpu/drm/qxl/qxl_ioctl.c   | 10 ++++------
>   drivers/gpu/drm/qxl/qxl_object.c  |  4 ++--
>   7 files changed, 34 insertions(+), 24 deletions(-)
> 
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Stefan Bader March 1, 2024, 8:19 a.m. UTC | #2 
On 22.02.24 23:50, Bethany Jamison wrote:
> [Impact]
> 
> A race condition was found in the QXL driver in the Linux kernel. The
> qxl_mode_dumb_create() function dereferences the qobj returned by the
> qxl_gem_object_create_with_handle(), but the handle is the only one holding
> a reference to it. This flaw allows an attacker to guess the returned
> handle value and trigger a use-after-free issue, potentially leading to a
> denial of service or privilege escalation.
> 
> [Fix]
> 
> 2 prerequisite and 1 fix commit cherry-picked cleanly.
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Regression Potential]
> 
> Issues could occur for users who use the qxl driver when creating a drm
> gem object.
> 
> Emil Velikov (1):
>    drm/qxl: remove _unlocked suffix in drm_gem_object_put_unlocked
> 
> Gerd Hoffmann (1):
>    drm/qxl: allocate dumb buffers in ram
> 
> Wander Lairson Costa (1):
>    drm/qxl: fix UAF on handle creation
> 
>   drivers/gpu/drm/qxl/qxl_cmd.c     |  2 +-
>   drivers/gpu/drm/qxl/qxl_display.c |  6 +++---
>   drivers/gpu/drm/qxl/qxl_drv.h     |  2 +-
>   drivers/gpu/drm/qxl/qxl_dumb.c    |  9 ++++++---
>   drivers/gpu/drm/qxl/qxl_gem.c     | 25 +++++++++++++++++--------
>   drivers/gpu/drm/qxl/qxl_ioctl.c   | 10 ++++------
>   drivers/gpu/drm/qxl/qxl_object.c  |  4 ++--
>   7 files changed, 34 insertions(+), 24 deletions(-)
> 

Acked-by: Stefan Bader <stefan.bader@canonical.com>
Stefan Bader March 1, 2024, 8:57 a.m. UTC | #3 
On 22.02.24 23:50, Bethany Jamison wrote:
> [Impact]
> 
> A race condition was found in the QXL driver in the Linux kernel. The
> qxl_mode_dumb_create() function dereferences the qobj returned by the
> qxl_gem_object_create_with_handle(), but the handle is the only one holding
> a reference to it. This flaw allows an attacker to guess the returned
> handle value and trigger a use-after-free issue, potentially leading to a
> denial of service or privilege escalation.
> 
> [Fix]
> 
> 2 prerequisite and 1 fix commit cherry-picked cleanly.
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Regression Potential]
> 
> Issues could occur for users who use the qxl driver when creating a drm
> gem object.
> 
> Emil Velikov (1):
>    drm/qxl: remove _unlocked suffix in drm_gem_object_put_unlocked
> 
> Gerd Hoffmann (1):
>    drm/qxl: allocate dumb buffers in ram
> 
> Wander Lairson Costa (1):
>    drm/qxl: fix UAF on handle creation
> 
>   drivers/gpu/drm/qxl/qxl_cmd.c     |  2 +-
>   drivers/gpu/drm/qxl/qxl_display.c |  6 +++---
>   drivers/gpu/drm/qxl/qxl_drv.h     |  2 +-
>   drivers/gpu/drm/qxl/qxl_dumb.c    |  9 ++++++---
>   drivers/gpu/drm/qxl/qxl_gem.c     | 25 +++++++++++++++++--------
>   drivers/gpu/drm/qxl/qxl_ioctl.c   | 10 ++++------
>   drivers/gpu/drm/qxl/qxl_object.c  |  4 ++--
>   7 files changed, 34 insertions(+), 24 deletions(-)
> 

Applied to focal:linux/master-next. Thanks.

-Stefan