A vulnerability has been discovered and resolved in the Linux kernel's DRM (Direct Rendering Manager) subsystem. The bug can lead to a use-after-free of a framebuffer object, affecting the stability and security of the system. It has been assigned the identifier CVE-2023-52486.

Vulnerability Details

In the Linux kernel, the deadlock-handling (retry) path of the drm_mode_page_flip_ioctl() function can unreference the same framebuffer object (fb) more than once. When the ioctl hits a deadlock after the framebuffer lookup, it drops the reference it took and retries from the top; if the retry then fails before a new lookup has been performed, the error path drops a reference on the old fb pointer again, even though no new reference was taken. The object's reference count can therefore reach zero while the framebuffer is still in use, resulting in a use-after-free.

Two conditions combine to produce the bug:

1. A deadlock (-EDEADLK) occurs after the framebuffer lookup in drm_mode_page_flip_ioctl(), so the function unreferences the fb and retries.

2. The fb pointer is not reset to NULL after the unreference operation, so a later pass through the error path unreferences the same object again.

This issue has been observed on Intel's DG2 platform when performing asynchronous page flips with CONFIG_DEBUG_WW_MUTEX_SLOWPATH enabled (which deliberately injects -EDEADLK to exercise the retry path). The first symptom was drm_closefb() getting stuck in a busy loop while walking the framebuffer list; the freed object eventually produced an oops.

Patch Details

The patch resolves the issue by resetting the fb pointer to NULL immediately after the unreference operation in the common exit path. This ensures that the fb object cannot be unreferenced again until a new framebuffer lookup has taken a fresh reference.

The code snippet below shows the relevant part of drm_mode_page_flip_ioctl() with the modification applied.

  retry:
      /* ... */
      fb = drm_framebuffer_lookup(dev, file_priv, page_flip->fb_id);
      if (!fb) {
          ret = -ENOENT;
          goto out;
      }

      /* ... commit the flip; may fail with -EDEADLK ... */

  out:
      if (fb)
          drm_framebuffer_put(fb);  /* drop the reference taken by the lookup */
      fb = NULL;                    /* added by the patch: never put the same fb twice */
      /* ... */
      if (ret == -EDEADLK) {
          ret = drm_modeset_backoff(&ctx);
          if (!ret)
              goto retry;           /* a second error before the lookup now leaves fb alone */
      }

This one-line modification resolves the issue: any error on the retry that occurs before a new lookup now reaches the exit path with fb == NULL, so no extra reference is dropped and the use-after-free can no longer occur.
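The following user-space C program is an added illustration, not code from the kernel or from the patch. It models the reference-counting pattern described above with a constructed stand-in for struct drm_framebuffer and a scripted drm_mode_page_flip_ioctl(): the first pass takes a reference, deadlocks, drops the reference and retries; the retry fails before the lookup. Without the fix the exit path drops the file's own reference, so the later close (a stand-in for drm_closefb()) operates on an already-freed object; with the fix the count stays correct. All names (fb_lookup, fb_put, page_flip_ioctl, remaining_refcount, use_after_free_on_close) and the error script are constructed for this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for struct drm_framebuffer: only the refcount matters here. */
struct fb {
	int id;
	int refcount;          /* 1 = owned by the file's fb list, 0 = freed */
};

/* What a simulated drm_closefb() would later walk: one fb owned by the file. */
struct file_state {
	struct fb fb;
	int puts_after_free;   /* puts on an already-freed fb: the use-after-free */
};

/* Like drm_framebuffer_lookup(): NULL if not found, otherwise a pointer with one extra ref. */
static struct fb *fb_lookup(struct file_state *st, int fb_id)
{
	if (st->fb.id != fb_id || st->fb.refcount == 0)
		return NULL;
	st->fb.refcount++;
	return &st->fb;
}

/* Like drm_framebuffer_put(): drop one ref; a put on a freed object is recorded as the bug. */
static void fb_put(struct file_state *st, struct fb *fb)
{
	if (fb->refcount == 0) {
		st->puts_after_free++;
		return;
	}
	fb->refcount--;
}

/*
 * Simulated drm_mode_page_flip_ioctl() with a constructed script: pass 1 reaches
 * the commit and hits -EDEADLK, pass 2 fails in a check that runs before the lookup.
 * reset_fb selects the pre-patch (false) or patched (true) exit path.
 */
static int page_flip_ioctl(struct file_state *st, int fb_id, bool reset_fb)
{
	struct fb *fb = NULL;
	int pass = 0;
	int ret;

retry:
	pass++;
	if (pass == 2) {       /* constructed: a pre-lookup check fails on the retry */
		ret = -EINVAL;
		goto out;
	}
	fb = fb_lookup(st, fb_id);
	if (!fb) {
		ret = -ENOENT;
		goto out;
	}
	ret = -EDEADLK;        /* constructed: the commit deadlocks on the first pass */
out:
	if (fb)
		fb_put(st, fb);
	if (reset_fb)
		fb = NULL;     /* the one-line fix from the patch */
	if (ret == -EDEADLK)
		goto retry;    /* the real code goes through drm_modeset_backoff() first */
	return ret;
}

/* Reference count the file's fb list is left with after the scripted ioctl. */
int remaining_refcount(bool reset_fb)
{
	struct file_state st = { .fb = { .id = 7, .refcount = 1 }, .puts_after_free = 0 };
	page_flip_ioctl(&st, 7, reset_fb);
	return st.fb.refcount;
}

/* Number of puts that land on a freed fb when the file is finally closed. */
int use_after_free_on_close(bool reset_fb)
{
	struct file_state st = { .fb = { .id = 7, .refcount = 1 }, .puts_after_free = 0 };
	page_flip_ioctl(&st, 7, reset_fb);
	fb_put(&st, &st.fb);   /* stand-in for drm_closefb() releasing the file's own reference */
	return st.puts_after_free;
}

int main(void)
{
	printf("unpatched: refcount after ioctl=%d, puts on freed fb at close=%d\n",
	       remaining_refcount(false), use_after_free_on_close(false));
	printf("patched:   refcount after ioctl=%d, puts on freed fb at close=%d\n",
	       remaining_refcount(true), use_after_free_on_close(true));
	return 0;
}
```

Running the program shows the unpatched path leaving the file's framebuffer with a reference count of 0 while it is still on the file's list, which is exactly the state in which drm_closefb() later touches freed memory. Building the real kernel with KASAN or refcount debugging, or a user-space model like this under AddressSanitizer with real allocations, is the practical way to catch this class of double-put defect before it ships.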

References

- Original Patch Submitted to LKML
- CVE ID Assignment

Conclusion

The Linux kernel vulnerability CVE-2023-52486 has been successfully patched, improving the stability, security, and overall resilience of the system. System administrators and users are encouraged to update their kernel to the latest version, which includes the patch for this vulnerability, to ensure the security and stability of their system.

Timeline

Published on: 03/11/2024 18:15:16 UTC
Last modified on: 03/12/2024 12:40:13 UTC