CVE-2024-58018
Vulnerability from cvelistv5
Published
2025-02-27 02:12
Modified
2025-02-27 02:12
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: nvkm: correctly calculate the available space of the GSP cmdq buffer r535_gsp_cmdq_push() waits for the available page in the GSP cmdq buffer when handling a large RPC request. When it sees at least one available page in the cmdq, it quits the waiting with the amount of free buffer pages in the queue. Unfortunately, it always takes the [write pointer, buf_size) as available buffer pages before rolling back and wrongly calculates the size of the data should be copied. Thus, it can overwrite the RPC request that GSP is currently reading, which causes GSP hang due to corrupted RPC request: [ 549.209389] ------------[ cut here ]------------ [ 549.214010] WARNING: CPU: 8 PID: 6314 at drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c:116 r535_gsp_msgq_wait+0xd0/0x190 [nvkm] [ 549.225678] Modules linked in: nvkm(E+) gsp_log(E) snd_seq_dummy(E) snd_hrtimer(E) snd_seq(E) snd_timer(E) snd_seq_device(E) snd(E) soundcore(E) rfkill(E) qrtr(E) vfat(E) fat(E) ipmi_ssif(E) amd_atl(E) intel_rapl_msr(E) intel_rapl_common(E) mlx5_ib(E) amd64_edac(E) edac_mce_amd(E) kvm_amd(E) ib_uverbs(E) kvm(E) ib_core(E) acpi_ipmi(E) ipmi_si(E) mxm_wmi(E) ipmi_devintf(E) rapl(E) i2c_piix4(E) wmi_bmof(E) joydev(E) ptdma(E) acpi_cpufreq(E) k10temp(E) pcspkr(E) ipmi_msghandler(E) xfs(E) libcrc32c(E) ast(E) i2c_algo_bit(E) crct10dif_pclmul(E) drm_shmem_helper(E) nvme_tcp(E) crc32_pclmul(E) ahci(E) drm_kms_helper(E) libahci(E) nvme_fabrics(E) crc32c_intel(E) nvme(E) cdc_ether(E) mlx5_core(E) nvme_core(E) usbnet(E) drm(E) libata(E) ccp(E) ghash_clmulni_intel(E) mii(E) t10_pi(E) mlxfw(E) sp5100_tco(E) psample(E) pci_hyperv_intf(E) wmi(E) dm_multipath(E) sunrpc(E) dm_mirror(E) dm_region_hash(E) dm_log(E) dm_mod(E) be2iscsi(E) bnx2i(E) cnic(E) uio(E) cxgb4i(E) cxgb4(E) tls(E) libcxgbi(E) libcxgb(E) qla4xxx(E) [ 549.225752] iscsi_boot_sysfs(E) iscsi_tcp(E) libiscsi_tcp(E) libiscsi(E) scsi_transport_iscsi(E) fuse(E) [last unloaded: gsp_log(E)] [ 549.326293] CPU: 8 PID: 6314 Comm: insmod Tainted: G E 6.9.0-rc6+ #1 [ 549.334039] Hardware name: ASRockRack 1U1G-MILAN/N/ROMED8-NL, BIOS L3.12E 09/06/2022 [ 549.341781] RIP: 0010:r535_gsp_msgq_wait+0xd0/0x190 [nvkm] [ 549.347343] Code: 08 00 00 89 da c1 e2 0c 48 8d ac 11 00 10 00 00 48 8b 0c 24 48 85 c9 74 1f c1 e0 0c 4c 8d 6d 30 83 e8 30 89 01 e9 68 ff ff ff <0f> 0b 49 c7 c5 92 ff ff ff e9 5a ff ff ff ba ff ff ff ff be c0 0c [ 549.366090] RSP: 0018:ffffacbccaaeb7d0 EFLAGS: 00010246 [ 549.371315] RAX: 0000000000000000 RBX: 0000000000000012 RCX: 0000000000923e28 [ 549.378451] RDX: 0000000000000000 RSI: 0000000055555554 RDI: ffffacbccaaeb730 [ 549.385590] RBP: 0000000000000001 R08: ffff8bd14d235f70 R09: ffff8bd14d235f70 [ 549.392721] R10: 0000000000000002 R11: ffff8bd14d233864 R12: 0000000000000020 [ 549.399854] R13: ffffacbccaaeb818 R14: 0000000000000020 R15: ffff8bb298c67000 [ 549.406988] FS: 00007f5179244740(0000) GS:ffff8bd14d200000(0000) knlGS:0000000000000000 [ 549.415076] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 549.420829] CR2: 00007fa844000010 CR3: 00000001567dc005 CR4: 0000000000770ef0 [ 549.427963] PKRU: 55555554 [ 549.430672] Call Trace: [ 549.433126] <TASK> [ 549.435233] ? __warn+0x7f/0x130 [ 549.438473] ? r535_gsp_msgq_wait+0xd0/0x190 [nvkm] [ 549.443426] ? report_bug+0x18a/0x1a0 [ 549.447098] ? handle_bug+0x3c/0x70 [ 549.450589] ? exc_invalid_op+0x14/0x70 [ 549.454430] ? asm_exc_invalid_op+0x16/0x20 [ 549.458619] ? r535_gsp_msgq_wait+0xd0/0x190 [nvkm] [ 549.463565] r535_gsp_msg_recv+0x46/0x230 [nvkm] [ 549.468257] r535_gsp_rpc_push+0x106/0x160 [nvkm] [ 549.473033] r535_gsp_rpc_rm_ctrl_push+0x40/0x130 [nvkm] [ 549.478422] nvidia_grid_init_vgpu_types+0xbc/0xe0 [nvkm] [ 549.483899] nvidia_grid_init+0xb1/0xd0 [nvkm] [ 549.488420] ? srso_alias_return_thunk+0x5/0xfbef5 [ 549.493213] nvkm_device_pci_probe+0x305/0x420 [nvkm] [ 549.498338] local_pci_probe+0x46/ ---truncated---
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/01ed662bdd6fce4f59c1804b334610d710d79fa0
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/56e6c7f6d2a6b4e0aae0528c502e56825bb40598
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6b6b75728c86f60c1fc596f0d4542427d0e6065b
Impacted products
Vendor Product Version
Linux Linux Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 Create a notification for this product.
   Linux Linux Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "56e6c7f6d2a6b4e0aae0528c502e56825bb40598",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "6b6b75728c86f60c1fc596f0d4542427d0e6065b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "01ed662bdd6fce4f59c1804b334610d710d79fa0",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvkm: correctly calculate the available space of the GSP cmdq buffer\n\nr535_gsp_cmdq_push() waits for the available page in the GSP cmdq\nbuffer when handling a large RPC request. When it sees at least one\navailable page in the cmdq, it quits the waiting with the amount of\nfree buffer pages in the queue.\n\nUnfortunately, it always takes the [write pointer, buf_size) as\navailable buffer pages before rolling back and wrongly calculates the\nsize of the data should be copied. Thus, it can overwrite the RPC\nrequest that GSP is currently reading, which causes GSP hang due\nto corrupted RPC request:\n\n[  549.209389] ------------[ cut here ]------------\n[  549.214010] WARNING: CPU: 8 PID: 6314 at drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c:116 r535_gsp_msgq_wait+0xd0/0x190 [nvkm]\n[  549.225678] Modules linked in: nvkm(E+) gsp_log(E) snd_seq_dummy(E) snd_hrtimer(E) snd_seq(E) snd_timer(E) snd_seq_device(E) snd(E) soundcore(E) rfkill(E) qrtr(E) vfat(E) fat(E) ipmi_ssif(E) amd_atl(E) intel_rapl_msr(E) intel_rapl_common(E) mlx5_ib(E) amd64_edac(E) edac_mce_amd(E) kvm_amd(E) ib_uverbs(E) kvm(E) ib_core(E) acpi_ipmi(E) ipmi_si(E) mxm_wmi(E) ipmi_devintf(E) rapl(E) i2c_piix4(E) wmi_bmof(E) joydev(E) ptdma(E) acpi_cpufreq(E) k10temp(E) pcspkr(E) ipmi_msghandler(E) xfs(E) libcrc32c(E) ast(E) i2c_algo_bit(E) crct10dif_pclmul(E) drm_shmem_helper(E) nvme_tcp(E) crc32_pclmul(E) ahci(E) drm_kms_helper(E) libahci(E) nvme_fabrics(E) crc32c_intel(E) nvme(E) cdc_ether(E) mlx5_core(E) nvme_core(E) usbnet(E) drm(E) libata(E) ccp(E) ghash_clmulni_intel(E) mii(E) t10_pi(E) mlxfw(E) sp5100_tco(E) psample(E) pci_hyperv_intf(E) wmi(E) dm_multipath(E) sunrpc(E) dm_mirror(E) dm_region_hash(E) dm_log(E) dm_mod(E) be2iscsi(E) bnx2i(E) cnic(E) uio(E) cxgb4i(E) cxgb4(E) tls(E) libcxgbi(E) libcxgb(E) qla4xxx(E)\n[  549.225752]  iscsi_boot_sysfs(E) iscsi_tcp(E) libiscsi_tcp(E) libiscsi(E) scsi_transport_iscsi(E) fuse(E) [last unloaded: gsp_log(E)]\n[  549.326293] CPU: 8 PID: 6314 Comm: insmod Tainted: G            E      6.9.0-rc6+ #1\n[  549.334039] Hardware name: ASRockRack 1U1G-MILAN/N/ROMED8-NL, BIOS L3.12E 09/06/2022\n[  549.341781] RIP: 0010:r535_gsp_msgq_wait+0xd0/0x190 [nvkm]\n[  549.347343] Code: 08 00 00 89 da c1 e2 0c 48 8d ac 11 00 10 00 00 48 8b 0c 24 48 85 c9 74 1f c1 e0 0c 4c 8d 6d 30 83 e8 30 89 01 e9 68 ff ff ff \u003c0f\u003e 0b 49 c7 c5 92 ff ff ff e9 5a ff ff ff ba ff ff ff ff be c0 0c\n[  549.366090] RSP: 0018:ffffacbccaaeb7d0 EFLAGS: 00010246\n[  549.371315] RAX: 0000000000000000 RBX: 0000000000000012 RCX: 0000000000923e28\n[  549.378451] RDX: 0000000000000000 RSI: 0000000055555554 RDI: ffffacbccaaeb730\n[  549.385590] RBP: 0000000000000001 R08: ffff8bd14d235f70 R09: ffff8bd14d235f70\n[  549.392721] R10: 0000000000000002 R11: ffff8bd14d233864 R12: 0000000000000020\n[  549.399854] R13: ffffacbccaaeb818 R14: 0000000000000020 R15: ffff8bb298c67000\n[  549.406988] FS:  00007f5179244740(0000) GS:ffff8bd14d200000(0000) knlGS:0000000000000000\n[  549.415076] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  549.420829] CR2: 00007fa844000010 CR3: 00000001567dc005 CR4: 0000000000770ef0\n[  549.427963] PKRU: 55555554\n[  549.430672] Call Trace:\n[  549.433126]  \u003cTASK\u003e\n[  549.435233]  ? __warn+0x7f/0x130\n[  549.438473]  ? r535_gsp_msgq_wait+0xd0/0x190 [nvkm]\n[  549.443426]  ? report_bug+0x18a/0x1a0\n[  549.447098]  ? handle_bug+0x3c/0x70\n[  549.450589]  ? exc_invalid_op+0x14/0x70\n[  549.454430]  ? asm_exc_invalid_op+0x16/0x20\n[  549.458619]  ? r535_gsp_msgq_wait+0xd0/0x190 [nvkm]\n[  549.463565]  r535_gsp_msg_recv+0x46/0x230 [nvkm]\n[  549.468257]  r535_gsp_rpc_push+0x106/0x160 [nvkm]\n[  549.473033]  r535_gsp_rpc_rm_ctrl_push+0x40/0x130 [nvkm]\n[  549.478422]  nvidia_grid_init_vgpu_types+0xbc/0xe0 [nvkm]\n[  549.483899]  nvidia_grid_init+0xb1/0xd0 [nvkm]\n[  549.488420]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  549.493213]  nvkm_device_pci_probe+0x305/0x420 [nvkm]\n[  549.498338]  local_pci_probe+0x46/\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-27T02:12:09.595Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/56e6c7f6d2a6b4e0aae0528c502e56825bb40598"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b6b75728c86f60c1fc596f0d4542427d0e6065b"
        },
        {
          "url": "https://git.kernel.org/stable/c/01ed662bdd6fce4f59c1804b334610d710d79fa0"
        }
      ],
      "title": "nvkm: correctly calculate the available space of the GSP cmdq buffer",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58018",
    "datePublished": "2025-02-27T02:12:09.595Z",
    "dateReserved": "2025-02-27T02:10:48.228Z",
    "dateUpdated": "2025-02-27T02:12:09.595Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-58018\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-02-27T03:15:12.797\",\"lastModified\":\"2025-02-27T03:15:12.797\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnvkm: correctly calculate the available space of the GSP cmdq buffer\\n\\nr535_gsp_cmdq_push() waits for the available page in the GSP cmdq\\nbuffer when handling a large RPC request. When it sees at least one\\navailable page in the cmdq, it quits the waiting with the amount of\\nfree buffer pages in the queue.\\n\\nUnfortunately, it always takes the [write pointer, buf_size) as\\navailable buffer pages before rolling back and wrongly calculates the\\nsize of the data should be copied. Thus, it can overwrite the RPC\\nrequest that GSP is currently reading, which causes GSP hang due\\nto corrupted RPC request:\\n\\n[  549.209389] ------------[ cut here ]------------\\n[  549.214010] WARNING: CPU: 8 PID: 6314 at drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c:116 r535_gsp_msgq_wait+0xd0/0x190 [nvkm]\\n[  549.225678] Modules linked in: nvkm(E+) gsp_log(E) snd_seq_dummy(E) snd_hrtimer(E) snd_seq(E) snd_timer(E) snd_seq_device(E) snd(E) soundcore(E) rfkill(E) qrtr(E) vfat(E) fat(E) ipmi_ssif(E) amd_atl(E) intel_rapl_msr(E) intel_rapl_common(E) mlx5_ib(E) amd64_edac(E) edac_mce_amd(E) kvm_amd(E) ib_uverbs(E) kvm(E) ib_core(E) acpi_ipmi(E) ipmi_si(E) mxm_wmi(E) ipmi_devintf(E) rapl(E) i2c_piix4(E) wmi_bmof(E) joydev(E) ptdma(E) acpi_cpufreq(E) k10temp(E) pcspkr(E) ipmi_msghandler(E) xfs(E) libcrc32c(E) ast(E) i2c_algo_bit(E) crct10dif_pclmul(E) drm_shmem_helper(E) nvme_tcp(E) crc32_pclmul(E) ahci(E) drm_kms_helper(E) libahci(E) nvme_fabrics(E) crc32c_intel(E) nvme(E) cdc_ether(E) mlx5_core(E) nvme_core(E) usbnet(E) drm(E) libata(E) ccp(E) ghash_clmulni_intel(E) mii(E) t10_pi(E) mlxfw(E) sp5100_tco(E) psample(E) pci_hyperv_intf(E) wmi(E) dm_multipath(E) sunrpc(E) dm_mirror(E) dm_region_hash(E) dm_log(E) dm_mod(E) be2iscsi(E) bnx2i(E) cnic(E) uio(E) cxgb4i(E) cxgb4(E) tls(E) libcxgbi(E) libcxgb(E) qla4xxx(E)\\n[  549.225752]  iscsi_boot_sysfs(E) iscsi_tcp(E) libiscsi_tcp(E) libiscsi(E) scsi_transport_iscsi(E) fuse(E) [last unloaded: gsp_log(E)]\\n[  549.326293] CPU: 8 PID: 6314 Comm: insmod Tainted: G            E      6.9.0-rc6+ #1\\n[  549.334039] Hardware name: ASRockRack 1U1G-MILAN/N/ROMED8-NL, BIOS L3.12E 09/06/2022\\n[  549.341781] RIP: 0010:r535_gsp_msgq_wait+0xd0/0x190 [nvkm]\\n[  549.347343] Code: 08 00 00 89 da c1 e2 0c 48 8d ac 11 00 10 00 00 48 8b 0c 24 48 85 c9 74 1f c1 e0 0c 4c 8d 6d 30 83 e8 30 89 01 e9 68 ff ff ff \u003c0f\u003e 0b 49 c7 c5 92 ff ff ff e9 5a ff ff ff ba ff ff ff ff be c0 0c\\n[  549.366090] RSP: 0018:ffffacbccaaeb7d0 EFLAGS: 00010246\\n[  549.371315] RAX: 0000000000000000 RBX: 0000000000000012 RCX: 0000000000923e28\\n[  549.378451] RDX: 0000000000000000 RSI: 0000000055555554 RDI: ffffacbccaaeb730\\n[  549.385590] RBP: 0000000000000001 R08: ffff8bd14d235f70 R09: ffff8bd14d235f70\\n[  549.392721] R10: 0000000000000002 R11: ffff8bd14d233864 R12: 0000000000000020\\n[  549.399854] R13: ffffacbccaaeb818 R14: 0000000000000020 R15: ffff8bb298c67000\\n[  549.406988] FS:  00007f5179244740(0000) GS:ffff8bd14d200000(0000) knlGS:0000000000000000\\n[  549.415076] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n[  549.420829] CR2: 00007fa844000010 CR3: 00000001567dc005 CR4: 0000000000770ef0\\n[  549.427963] PKRU: 55555554\\n[  549.430672] Call Trace:\\n[  549.433126]  \u003cTASK\u003e\\n[  549.435233]  ? __warn+0x7f/0x130\\n[  549.438473]  ? r535_gsp_msgq_wait+0xd0/0x190 [nvkm]\\n[  549.443426]  ? report_bug+0x18a/0x1a0\\n[  549.447098]  ? handle_bug+0x3c/0x70\\n[  549.450589]  ? exc_invalid_op+0x14/0x70\\n[  549.454430]  ? asm_exc_invalid_op+0x16/0x20\\n[  549.458619]  ? r535_gsp_msgq_wait+0xd0/0x190 [nvkm]\\n[  549.463565]  r535_gsp_msg_recv+0x46/0x230 [nvkm]\\n[  549.468257]  r535_gsp_rpc_push+0x106/0x160 [nvkm]\\n[  549.473033]  r535_gsp_rpc_rm_ctrl_push+0x40/0x130 [nvkm]\\n[  549.478422]  nvidia_grid_init_vgpu_types+0xbc/0xe0 [nvkm]\\n[  549.483899]  nvidia_grid_init+0xb1/0xd0 [nvkm]\\n[  549.488420]  ? srso_alias_return_thunk+0x5/0xfbef5\\n[  549.493213]  nvkm_device_pci_probe+0x305/0x420 [nvkm]\\n[  549.498338]  local_pci_probe+0x46/\\n---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/01ed662bdd6fce4f59c1804b334610d710d79fa0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/56e6c7f6d2a6b4e0aae0528c502e56825bb40598\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6b6b75728c86f60c1fc596f0d4542427d0e6065b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.