Oracle Linux: (CVE-2024-26656) ELSA-2024-4211: kernel security and bug fix update

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: fix use-after-free bug

The bug can be triggered by sending a single amdgpu_gem_userptr_ioctl

to the AMDGPU DRM driver on any ASICs with an invalid address and size.

The bug was reported by Joonkyo Jung <joonkyoj@yonsei.ac.kr>.

For example the following code:

static void Syzkaller1(int fd)

{

struct drm_amdgpu_gem_userptr arg;

int ret;

arg.addr = 0xffffffffffff0000;

arg.size = 0x80000000; /*2 Gb*/

arg.flags = 0x7;

ret = drmIoctl(fd, 0xc1186451/*amdgpu_gem_userptr_ioctl*/, &arg);

}

Due to the address and size are not valid there is a failure in

amdgpu_hmm_register->mmu_interval_notifier_insert->__mmu_interval_notifier_insert->

check_shl_overflow, but we even the amdgpu_hmm_register failure we still call

amdgpu_hmm_unregister into amdgpu_gem_object_free which causes access to a bad address.

The following stack is below when the issue is reproduced when Kazan is enabled:

[ +0.000014] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020

[ +0.000009] RIP: 0010:mmu_interval_notifier_remove+0x327/0x340

[ +0.000017] Code: ff ff 49 89 44 24 08 48 b8 00 01 00 00 00 00 ad de 4c 89 f7 49 89 47 40 48 83 c0 22 49 89 47 48 e8 ce d1 2d 01 e9 32 ff ff ff <0f> 0b e9 16 ff ff ff 4c 89 ef e8 fa 14 b3 ff e9 36 ff ff ff e8 80

[ +0.000014] RSP: 0018:ffffc90002657988 EFLAGS: 00010246

[ +0.000013] RAX: 0000000000000000 RBX: 1ffff920004caf35 RCX: ffffffff8160565b

[ +0.000011] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8881a9f78260

[ +0.000010] RBP: ffffc90002657a70 R08: 0000000000000001 R09: fffff520004caf25

[ +0.000010] R10: 0000000000000003 R11: ffffffff8161d1d6 R12: ffff88810e988c00

[ +0.000010] R13: ffff888126fb5a00 R14: ffff88810e988c0c R15: ffff8881a9f78260

[ +0.000011] FS: 00007ff9ec848540(0000) GS:ffff8883cc880000(0000) knlGS:0000000000000000

[ +0.000012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

[ +0.000010] CR2: 000055b3f7e14328 CR3: 00000001b5770000 CR4: 0000000000350ef0

[ +0.000010] Call Trace:

[ +0.000006] <TASK>

[ +0.000007] ? show_regs+0x6a/0x80

[ +0.000018] ? __warn+0xa5/0x1b0

[ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340

[ +0.000018] ? report_bug+0x24a/0x290

[ +0.000022] ? handle_bug+0x46/0x90

[ +0.000015] ? exc_invalid_op+0x19/0x50

[ +0.000016] ? asm_exc_invalid_op+0x1b/0x20

[ +0.000017] ? kasan_save_stack+0x26/0x50

[ +0.000017] ? mmu_interval_notifier_remove+0x23b/0x340

[ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340

[ +0.000019] ? mmu_interval_notifier_remove+0x23b/0x340

[ +0.000020] ? __pfx_mmu_interval_notifier_remove+0x10/0x10

[ +0.000017] ? kasan_save_alloc_info+0x1e/0x30

[ +0.000018] ? srso_return_thunk+0x5/0x5f

[ +0.000014] ? __kasan_kmalloc+0xb1/0xc0

[ +0.000018] ? srso_return_thunk+0x5/0x5f

[ +0.000013] ? __kasan_check_read+0x11/0x20

[ +0.000020] amdgpu_hmm_unregister+0x34/0x50 [amdgpu]

[ +0.004695] amdgpu_gem_object_free+0x66/0xa0 [amdgpu]

[ +0.004534] ? __pfx_amdgpu_gem_object_free+0x10/0x10 [amdgpu]

[ +0.004291] ? do_syscall_64+0x5f/0xe0

[ +0.000023] ? srso_return_thunk+0x5/0x5f

[ +0.000017] drm_gem_object_free+0x3b/0x50 [drm]

[ +0.000489] amdgpu_gem_userptr_ioctl+0x306/0x500 [amdgpu]

[ +0.004295] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]

[ +0.004270] ? srso_return_thunk+0x5/0x5f

[ +0.000014] ? __this_cpu_preempt_check+0x13/0x20

[ +0.000015] ? srso_return_thunk+0x5/0x5f

[ +0.000013] ? sysvec_apic_timer_interrupt+0x57/0xc0

[ +0.000020] ? srso_return_thunk+0x5/0x5f

[ +0.000014] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20

[ +0.000022] ? drm_ioctl_kernel+0x17b/0x1f0 [drm]

[ +0.000496] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]

[ +0.004272] ? drm_ioctl_kernel+0x190/0x1f0 [drm]

[ +0.000492] drm_ioctl_kernel+0x140/0x1f0 [drm]

[ +0.000497] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]

[ +0.004297] ? __pfx_drm_ioctl_kernel+0x10/0x10 [d

---truncated---