CVE-2023-52470 is a vulnerability in the Linux kernel's drm/radeon driver: a null pointer dereference in radeon_crtc_init(), caused by an unchecked alloc_workqueue() return value. This post walks through the affected code, the realistic impact, and the fix.

Context

drm/radeon is the Direct Rendering Manager (DRM) driver for AMD (formerly ATI) Radeon graphics cards. radeon_crtc_init() belongs to the driver's display (mode-setting) code: it is called once per CRTC (display controller) during device initialisation, and among other things it creates the workqueue on which the driver later runs page-flip work for that CRTC.

Below is the relevant snippet from radeon_crtc_init() as it stood before the fix (unrelated lines elided):

static int radeon_crtc_init(struct drm_device *dev, int index)
{
   ...
   /* alloc_workqueue() returns NULL on failure; the result is stored unchecked */
   radeon_crtc->flip_queue = alloc_workqueue("radeondrmflip%c",
                      WQ_HIGHPRI | WQ_UNBOUND, 1, 1023 - index);

   ...
}

Here alloc_workqueue() creates the per-CRTC workqueue on which the driver queues its page-flip work. Like every kernel allocation, it can fail (for example under memory pressure), in which case it returns NULL. The code stores whatever comes back in radeon_crtc->flip_queue and carries on initialising the CRTC as if the allocation had succeeded. The first later use of flip_queue, such as queueing a flip on it, then dereferences a NULL pointer in kernel context and crashes the kernel.

Impact

The bug is only reachable when alloc_workqueue() actually fails, i.e. during driver or CRTC initialisation while the system is short of memory; it is not triggered by ordinary user input to the display driver. When it is hit, the result is a NULL pointer dereference in kernel context, which means a kernel oops or panic and therefore a denial of service for the whole machine. The bug gives an attacker no control over the address that is dereferenced and no way to read or write chosen memory, so information disclosure or privilege escalation is not expected from it; a local user or an environment that can drive the system into allocation failure at initialisation time is the realistic precondition.

Fix

The fix, a patch submitted by Alex Deucher, adds the missing check on the alloc_workqueue() return value. The updated radeon_crtc_init() looks like this (unrelated lines elided):

static int radeon_crtc_init(struct drm_device *dev, int index)
{
   ...
   radeon_crtc->flip_queue = alloc_workqueue("radeondrmflip%c",
                      WQ_HIGHPRI | WQ_UNBOUND, 1, 1023 - index);

   /* Bail out instead of continuing with a NULL workqueue pointer */
   if (!radeon_crtc->flip_queue) {
       DRM_ERROR("failed to create radeondrmflip workqueue for crtc %d\n", index);
       return -ENOMEM;
   }

   ...
}

The patch tests radeon_crtc->flip_queue immediately after the allocation. If alloc_workqueue() returned NULL, the driver logs the failure with DRM_ERROR() and returns -ENOMEM, so initialisation of that CRTC is abandoned rather than continued with a NULL workqueue pointer. This is the standard kernel discipline: every allocation that can fail is checked at the call site and the error is propagated to the caller, which unwinds whatever state it had already set up. One caveat when reviewing a fix of this shape: any resource acquired earlier in the function (the CRTC structure itself, for instance) must be released on the new error path, otherwise the change trades a crash for a leak.
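To make the failure mode and the fix concrete, here is a small user-space C model of the two paths described above: the unchecked allocation that leaves a NULL flip_queue behind, and the checked version that reports -ENOMEM and unwinds. This is an added example written for this post, not the kernel's code; the fake alloc_workqueue(), the drm_device and radeon_crtc stand-ins, the fault-injection switch and all function names are assumptions for the demo, and the allocation is forced to fail on demand so the error path can be exercised deterministically.

```c
/* Added example (not radeon driver code): user-space model of the
 * alloc_workqueue() error path in a CRTC init routine.  The types, the
 * fault-injection switch and the function names are assumptions for this demo. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins for the kernel objects the real code touches. */
struct workqueue_struct { char name[32]; int max_active; };
struct drm_device      { int num_crtcs; };
struct radeon_crtc     { int crtc_id; struct workqueue_struct *flip_queue; };

/* Fault injection: when non-zero, the next allocation fails, as
 * alloc_workqueue() does under memory pressure. */
static int fail_next_alloc;

/* Model of alloc_workqueue(): returns NULL on failure, like the kernel API. */
static struct workqueue_struct *fake_alloc_workqueue(const char *name, int max_active)
{
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    struct workqueue_struct *wq = calloc(1, sizeof(*wq));
    if (!wq) return NULL;
    snprintf(wq->name, sizeof(wq->name), "%s", name);
    wq->max_active = max_active;
    return wq;
}

/* BEFORE the fix: the allocation result is never checked.  A NULL flip_queue
 * is stored, the CRTC is registered as live, and the NULL is dereferenced
 * later by whatever queues work on it. */
static struct radeon_crtc *crtc_init_unchecked(struct drm_device *dev, int index)
{
    struct radeon_crtc *crtc = calloc(1, sizeof(*crtc));
    if (!crtc) return NULL;
    crtc->crtc_id = index;
    crtc->flip_queue = fake_alloc_workqueue("radeondrmflip", 1);
    dev->num_crtcs++;                 /* device now believes this CRTC is usable */
    return crtc;
}

/* AFTER the fix: check the return value, undo partial state, report -ENOMEM.
 * Note the free(crtc): the error path must release what was acquired before. */
static int crtc_init_checked(struct drm_device *dev, int index, struct radeon_crtc **out)
{
    struct radeon_crtc *crtc = calloc(1, sizeof(*crtc));
    if (!crtc) return -ENOMEM;
    crtc->crtc_id = index;
    crtc->flip_queue = fake_alloc_workqueue("radeondrmflip", 1);
    if (!crtc->flip_queue) {
        fprintf(stderr, "failed to create radeondrmflip workqueue for crtc %d\n", index);
        free(crtc);                   /* no leak, no half-initialised CRTC */
        *out = NULL;
        return -ENOMEM;
    }
    dev->num_crtcs++;
    *out = crtc;
    return 0;
}

/* The consumer every init path must protect: touching a NULL workqueue here
 * is the null pointer dereference the CVE describes. */
static int queue_flip(struct radeon_crtc *crtc)
{
    return crtc->flip_queue->max_active;   /* NULL deref if init went unchecked */
}

static void crtc_destroy(struct radeon_crtc *crtc)
{
    if (!crtc) return;
    free(crtc->flip_queue);           /* free(NULL) is a no-op */
    free(crtc);
}

int main(void)
{
    struct drm_device dev = {0};
    struct radeon_crtc *crtc = NULL;

    fail_next_alloc = 1;
    int rc = crtc_init_checked(&dev, 0, &crtc);
    printf("checked init, allocation fails: rc=%d (%s), live crtcs=%d\n",
           rc, rc == -ENOMEM ? "-ENOMEM" : "ok", dev.num_crtcs);

    rc = crtc_init_checked(&dev, 0, &crtc);
    printf("checked init, allocation ok:    rc=%d, queue=%s, max_active=%d\n",
           rc, crtc->flip_queue->name, queue_flip(crtc));
    crtc_destroy(crtc);

    fail_next_alloc = 1;
    crtc = crtc_init_unchecked(&dev, 1);
    printf("unchecked init, allocation fails: flip_queue=%p, live crtcs=%d "
           "(a later queue_flip() would dereference NULL)\n",
           (void *)crtc->flip_queue, dev.num_crtcs);
    crtc_destroy(crtc);
    return 0;
}
```

The unchecked path is deliberately not followed by queue_flip() in main, because that call would segfault exactly as the kernel would oops; the point of the demo is that the unchecked init still reports success and bumps the device's CRTC count while holding a NULL pointer, whereas the checked init returns -ENOMEM and leaves the device in the state it was in before the call.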

Original References

1. Patch Submission by Alex Deucher: Link
2. CVE details: Link

Conclusion

CVE-2023-52470 in the drm/radeon driver is fixed by checking the alloc_workqueue() return value in radeon_crtc_init() and failing CRTC initialisation cleanly when the allocation fails. Run a kernel (or distribution kernel package) that includes this fix on any system with Radeon hardware, and keep up with kernel security updates generally; unchecked allocation results are a recurring class of kernel bug, and this one is simply the instance that received a CVE.

Timeline

Published on: 02/26/2024 16:27:48 UTC
Last modified on: 04/17/2024 18:46:07 UTC