fkie_cve-2024-49942
Vulnerability from fkie_nvd
Published: 2024-10-21 18:15
Modified: 2024-10-25 14:56
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Prevent null pointer access in xe_migrate_copy
xe_migrate_copy is designed to copy content of TTM resources. When source
resource is null, it will trigger a NULL pointer dereference in
xe_migrate_copy. To avoid this situation, update lacks source flag to
true for this case; the flag will trigger xe_migrate_clear rather than
xe_migrate_copy.
Issue trace:
<7> [317.089847] xe 0000:00:02.0: [drm:xe_migrate_copy [xe]] Pass 14,
sizes: 4194304 & 4194304
<7> [317.089945] xe 0000:00:02.0: [drm:xe_migrate_copy [xe]] Pass 15,
sizes: 4194304 & 4194304
<1> [317.128055] BUG: kernel NULL pointer dereference, address:
0000000000000010
<1> [317.128064] #PF: supervisor read access in kernel mode
<1> [317.128066] #PF: error_code(0x0000) - not-present page
<6> [317.128069] PGD 0 P4D 0
<4> [317.128071] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
<4> [317.128074] CPU: 1 UID: 0 PID: 1440 Comm: kunit_try_catch Tainted:
G U N 6.11.0-rc7-xe #1
<4> [317.128078] Tainted: [U]=USER, [N]=TEST
<4> [317.128080] Hardware name: Intel Corporation Lunar Lake Client
Platform/LNL-M LP5 RVP1, BIOS LNLMFWI1.R00.3221.D80.2407291239 07/29/2024
<4> [317.128082] RIP: 0010:xe_migrate_copy+0x66/0x13e0 [xe]
<4> [317.128158] Code: 00 00 48 89 8d e0 fe ff ff 48 8b 40 10 4c 89 85 c8
fe ff ff 44 88 8d bd fe ff ff 65 48 8b 3c 25 28 00 00 00 48 89 7d d0 31
ff <8b> 79 10 48 89 85 a0 fe ff ff 48 8b 00 48 89 b5 d8 fe ff ff 83 ff
<4> [317.128162] RSP: 0018:ffffc9000167f9f0 EFLAGS: 00010246
<4> [317.128164] RAX: ffff8881120d8028 RBX: ffff88814d070428 RCX:
0000000000000000
<4> [317.128166] RDX: ffff88813cb99c00 RSI: 0000000004000000 RDI:
0000000000000000
<4> [317.128168] RBP: ffffc9000167fbb8 R08: ffff88814e7b1f08 R09:
0000000000000001
<4> [317.128170] R10: 0000000000000001 R11: 0000000000000001 R12:
ffff88814e7b1f08
<4> [317.128172] R13: ffff88814e7b1f08 R14: ffff88813cb99c00 R15:
0000000000000001
<4> [317.128174] FS: 0000000000000000(0000) GS:ffff88846f280000(0000)
knlGS:0000000000000000
<4> [317.128176] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4> [317.128178] CR2: 0000000000000010 CR3: 000000011f676004 CR4:
0000000000770ef0
<4> [317.128180] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
<4> [317.128182] DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7:
0000000000000400
<4> [317.128184] PKRU: 55555554
<4> [317.128185] Call Trace:
<4> [317.128187] <TASK>
<4> [317.128189] ? show_regs+0x67/0x70
<4> [317.128194] ? __die_body+0x20/0x70
<4> [317.128196] ? __die+0x2b/0x40
<4> [317.128198] ? page_fault_oops+0x15f/0x4e0
<4> [317.128203] ? do_user_addr_fault+0x3fb/0x970
<4> [317.128205] ? lock_acquire+0xc7/0x2e0
<4> [317.128209] ? exc_page_fault+0x87/0x2b0
<4> [317.128212] ? asm_exc_page_fault+0x27/0x30
<4> [317.128216] ? xe_migrate_copy+0x66/0x13e0 [xe]
<4> [317.128263] ? __lock_acquire+0xb9d/0x26f0
<4> [317.128265] ? __lock_acquire+0xb9d/0x26f0
<4> [317.128267] ? sg_free_append_table+0x20/0x80
<4> [317.128271] ? lock_acquire+0xc7/0x2e0
<4> [317.128273] ? mark_held_locks+0x4d/0x80
<4> [317.128275] ? trace_hardirqs_on+0x1e/0xd0
<4> [317.128278] ? _raw_spin_unlock_irqrestore+0x31/0x60
<4> [317.128281] ? __pm_runtime_resume+0x60/0xa0
<4> [317.128284] xe_bo_move+0x682/0xc50 [xe]
<4> [317.128315] ? lock_is_held_type+0xaa/0x120
<4> [317.128318] ttm_bo_handle_move_mem+0xe5/0x1a0 [ttm]
<4> [317.128324] ttm_bo_validate+0xd1/0x1a0 [ttm]
<4> [317.128328] shrink_test_run_device+0x721/0xc10 [xe]
<4> [317.128360] ? find_held_lock+0x31/0x90
<4> [317.128363] ? lock_release+0xd1/0x2a0
<4> [317.128365] ? __pfx_kunit_generic_run_threadfn_adapter+0x10/0x10
[kunit]
<4> [317.128370] xe_bo_shrink_kunit+0x11/0x20 [xe]
<4> [317.128397] kunit_try_run_case+0x6e/0x150 [kunit]
<4> [317.128400] ? trace_hardirqs_on+0x1e/0xd0
<4> [317.128402] ? _raw_spin_unlock_irqrestore+0x31/0x60
<4> [317.128404] kunit_generic_run_threadfn_adapter+0x1e/0x40 [ku
---truncated---
References
- https://git.kernel.org/stable/c/16e0267db156f8a4ea16bfb3ac3f5743c9698df3 (Patch)
- https://git.kernel.org/stable/c/7257d9c9a3c6cfe26c428e9b7ae21d61f2f55a79 (Patch)
- https://git.kernel.org/stable/c/8f5199b6971f0717c2d31685953971fa2e1b9e1a (Patch)

Impacted products
Vendor | Product | Version | Affected range |
---|---|---|---|
linux | linux_kernel | * | from 6.8 (including) up to 6.10.14 (excluding) |
linux | linux_kernel | * | from 6.11 (including) up to 6.11.3 (excluding) |
linux | linux_kernel | 6.12 | rc1 |

Metrics
- CVSS 3.1 (source: nvd@nist.gov, Primary): base score 5.5, MEDIUM
- Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Exploitability score: 1.8
- Impact score: 3.6

Weaknesses
- CWE-476 (source: nvd@nist.gov, Primary)

Status
- ID: CVE-2024-49942
- Vulnerability status: Analyzed