A recent vulnerability in the Linux kernel's Direct Rendering Manager (DRM) subsystem, specifically in the "drm/vmwgfx" driver, has been resolved. The issue caused the KDE KWin 6.0 window manager to crash when running on Wayland.

The root of the problem was that switching to a new plane state requires unreferencing all surfaces held by the old state, but the variable indicating whether the surface was currently mapped was not being reset along with the surface pointer. The duplicated state therefore falsely indicated that a surface was mapped when no surface was present, and the cleanup path crashed when it dereferenced the missing surface.

To fix this issue, the surface-mapped flag is now reset when the plane state's surface is unreferenced. This eliminates the null dereference in cleanup and resolves the crashes in KDE KWin 6.0 on Wayland.
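A self-contained model of the stale-flag pattern described above, added here as an example; it is not code from the vmwgfx driver, and the struct and function names are hypothetical stand-ins. `cleanup_fb` returns -1 where the kernel would have dereferenced NULL, so the buggy and fixed unreference paths can be compared without crashing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model of the plane-state bug, not kernel code. */
struct surface { int refcount; char mapping[16]; };
struct plane_state { struct surface *surf; bool surf_mapped; };

/* Duplicating a plane state copies both the pointer and the mapped flag. */
static void dup_state(struct plane_state *dst, const struct plane_state *src)
{
    *dst = *src;
}

/* Buggy: drops the surface reference but leaves surf_mapped stale. */
static void unref_surface_stale(struct plane_state *vps)
{
    if (vps->surf) { vps->surf->refcount--; vps->surf = NULL; }
}

/* Fixed: clear the flag together with the pointer so they stay consistent. */
static void unref_surface_fixed(struct plane_state *vps)
{
    if (vps->surf) {
        vps->surf_mapped = false;
        vps->surf->refcount--;
        vps->surf = NULL;
    }
}

/* cleanup_fb trusts surf_mapped. Returns 0 on success, -1 where it would
 * have dereferenced a NULL surface (the real kernel simply crashes there). */
static int cleanup_fb(struct plane_state *vps)
{
    if (!vps->surf_mapped) return 0;
    if (!vps->surf) return -1;          /* stale flag, no surface: the bug */
    memset(vps->surf->mapping, 0, sizeof vps->surf->mapping);
    vps->surf_mapped = false;
    return 0;
}

/* Sequence from the advisory: surface mapped, old state unreferenced on a
 * plane switch, state duplicated, cleanup run on the duplicate. */
static int run_scenario(bool fixed)
{
    struct surface s = { .refcount = 1 };
    struct plane_state old = { .surf = &s, .surf_mapped = true }, dup;
    if (fixed) unref_surface_fixed(&old); else unref_surface_stale(&old);
    dup_state(&dup, &old);
    return cleanup_fb(&dup);            /* -1 for stale path, 0 when fixed */
}
```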

The kernel log generated by the issue was as follows:

---truncated---
RIP: 0010:vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]
Code: 00 00 00 75 3a 48 83 c4 10 5b 5d c3 cc cc cc cc 48 8b b3 a8 00 00 00 48 c7 c7 99 90 43 c e8 93 c5 db ca 48 8b 83 a8 00 00 00 <48> 8b 78 28 e8 e3 f>
RSP: 0018:ffffb6b98216fa80 EFLAGS: 00010246
---truncated---

References

- Linux Kernel Mailing List - Patch to fix vmwgfx
- drm/vmwgfx GitHub Repository

Exploit Details

Triggering the crash requires only running the affected graphical environment (KDE KWin 6.0 on Wayland) on a system using the drm/vmwgfx driver; ordinary plane state changes made by the compositor are enough to reach the cleanup path that dereferences the missing surface. The impact is a kernel crash (denial of service), not code execution.

Mitigation

The issue has been resolved by resetting the surface-mapped flag when the plane state's surface is unreferenced, eliminating the null dereference in cleanup. Updating the Linux kernel to a patched version resolves this vulnerability; check whether an updated kernel is available in your distribution's repositories and update accordingly.

Timeline

Published on: 05/01/2024 06:15:07 UTC
Last modified on: 12/19/2024 08:23:18 UTC