In the Linux kernel, the following vulnerability has been resolved:
drm/vmwgfx: Create debugfs ttmresourcemanager entry only if needed
The driver creates /sys/kernel/debug/dri/0/mobttm even when the corresponding ttmresource_manager is not allocated. This leads to a crash when trying to read from this file.
Add a check to create mobttm, systemmobttm, and gmrttm debug file only when the corresponding ttmresourcemanager is allocated.
crash> bt PID: 3133409 TASK: ffff8fe4834a5000 CPU: 3 COMMAND: "grep" #0 [ffffb954506b3b20] machinekexec at ffffffffb2a6bec3 #1 [ffffb954506b3b78] _crashkexec at ffffffffb2bb598a #2 [ffffb954506b3c38] crashkexec at ffffffffb2bb68c1 #3 [ffffb954506b3c50] oopsend at ffffffffb2a2a9b1 #4 [ffffb954506b3c70] nocontext at ffffffffb2a7e913 #5 [ffffb954506b3cc8] _badareanosemaphore at ffffffffb2a7ec8c #6 [ffffb954506b3d10] dopagefault at ffffffffb2a7f887 #7 [ffffb954506b3d40] pagefault at ffffffffb360116e [exception RIP: ttmresourcemanagerdebug+0x11] RIP: ffffffffc04afd11 RSP: ffffb954506b3df0 RFLAGS: 00010246 RAX: ffff8fe41a6d1200 RBX: 0000000000000000 RCX: 0000000000000940 RDX: 0000000000000000 RSI: ffffffffc04b4338 RDI: 0000000000000000 RBP: ffffb954506b3e08 R8: ffff8fee3ffad000 R9: 0000000000000000 R10: ffff8fe41a76a000 R11: 0000000000000001 R12: 00000000ffffffff R13: 0000000000000001 R14: ffff8fe5bb6f3900 R15: ffff8fe41a6d1200 ORIGRAX: ffffffffffffffff CS: 0010 SS: 0018 #8 [ffffb954506b3e00] ttmresourcemanagershow at ffffffffc04afde7 [ttm] #9 [ffffb954506b3e30] seqread at ffffffffb2d8f9f3 RIP: 00007f4c4eda8985 RSP: 00007ffdbba9e9f8 RFLAGS: 00000246 RAX: ffffffffffffffda RBX: 000000000037e000 RCX: 00007f4c4eda8985 RDX: 000000000037e000 RSI: 00007f4c41573000 RDI: 0000000000000003 RBP: 000000000037e000 R8: 0000000000000000 R9: 000000000037fe30 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4c41573000 R13: 0000000000000003 R14: 00007f4c41572010 R15: 0000000000000003 ORIG_RAX: 0000000000000000 CS: 0033 SS: 002b
[ { "signature_type": "Line", "target": { "file": "drivers/gpu/drm/vmwgfx/vmwgfx_drv.c" }, "deprecated": false, "digest": { "threshold": 0.9, "line_hashes": [ "190955641525857901571056571948435356614", "146323459410009246250038498217183783379", "48246823370462054743022128936159282242", "317197852226856245077017107111608980482", "7050877699234941131549548698673853239", "67892384168171434578922429570050410478", "94984043687140918692049201632094505181", "157965191632864145528517097344376422138", "54422473991527432871282200900298292502" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4be9075fec0a639384ed19975634b662bfab938f", "signature_version": "v1", "id": "CVE-2024-26940-3d32f6b5" }, { "signature_type": "Line", "target": { "file": "drivers/gpu/drm/vmwgfx/vmwgfx_drv.c" }, "deprecated": false, "digest": { "threshold": 0.9, "line_hashes": [ "190955641525857901571056571948435356614", "146323459410009246250038498217183783379", "48246823370462054743022128936159282242", "317197852226856245077017107111608980482", "7050877699234941131549548698673853239", "67892384168171434578922429570050410478", "94984043687140918692049201632094505181", "157965191632864145528517097344376422138", "54422473991527432871282200900298292502" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@016119154981d81c9e8f2ea3f56b9e2b4ea14500", "signature_version": "v1", "id": "CVE-2024-26940-4638e20b" }, { "signature_type": "Function", "target": { "function": "vmw_debugfs_resource_managers_init", "file": "drivers/gpu/drm/vmwgfx/vmwgfx_drv.c" }, "deprecated": false, "digest": { "function_hash": "84821328882704388192105418388753213297", "length": 511.0 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4be9075fec0a639384ed19975634b662bfab938f", "signature_version": "v1", "id": "CVE-2024-26940-4d02a830" }, { "signature_type": "Function", "target": { "function": "vmw_debugfs_resource_managers_init", "file": "drivers/gpu/drm/vmwgfx/vmwgfx_drv.c" }, "deprecated": false, "digest": { "function_hash": "84821328882704388192105418388753213297", "length": 511.0 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@016119154981d81c9e8f2ea3f56b9e2b4ea14500", "signature_version": "v1", "id": "CVE-2024-26940-568e4a07" }, { "signature_type": "Function", "target": { "function": "vmw_debugfs_resource_managers_init", "file": "drivers/gpu/drm/vmwgfx/vmwgfx_drv.c" }, "deprecated": false, "digest": { "function_hash": "84821328882704388192105418388753213297", "length": 511.0 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@25e3ce59c1200f1f0563e39de151f34962ab0fe1", "signature_version": "v1", "id": "CVE-2024-26940-8401f3d9" }, { "signature_type": "Function", "target": { "function": "vmw_debugfs_resource_managers_init", "file": "drivers/gpu/drm/vmwgfx/vmwgfx_drv.c" }, "deprecated": false, "digest": { "function_hash": "84821328882704388192105418388753213297", "length": 511.0 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@042ef0afc40fa1a22b3608f22915b91ce39d128f", "signature_version": "v1", "id": "CVE-2024-26940-87738c39" }, { "signature_type": "Line", "target": { "file": "drivers/gpu/drm/vmwgfx/vmwgfx_drv.c" }, "deprecated": false, "digest": { "threshold": 0.9, "line_hashes": [ "190955641525857901571056571948435356614", "146323459410009246250038498217183783379", "48246823370462054743022128936159282242", "317197852226856245077017107111608980482", "7050877699234941131549548698673853239", "67892384168171434578922429570050410478", "94984043687140918692049201632094505181", "157965191632864145528517097344376422138", "54422473991527432871282200900298292502" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@eb08db0fc5354fa17b7ed66dab3c503332423451", "signature_version": "v1", "id": "CVE-2024-26940-8a0547e6" }, { "signature_type": "Function", "target": { "function": "vmw_debugfs_resource_managers_init", "file": "drivers/gpu/drm/vmwgfx/vmwgfx_drv.c" }, "deprecated": false, "digest": { "function_hash": "84821328882704388192105418388753213297", "length": 511.0 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@eb08db0fc5354fa17b7ed66dab3c503332423451", "signature_version": "v1", "id": "CVE-2024-26940-8a420449" }, { "signature_type": "Line", "target": { "file": "drivers/gpu/drm/vmwgfx/vmwgfx_drv.c" }, "deprecated": false, "digest": { "threshold": 0.9, "line_hashes": [ "190955641525857901571056571948435356614", "146323459410009246250038498217183783379", "48246823370462054743022128936159282242", "317197852226856245077017107111608980482", "7050877699234941131549548698673853239", "67892384168171434578922429570050410478", "94984043687140918692049201632094505181", "157965191632864145528517097344376422138", "54422473991527432871282200900298292502" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@042ef0afc40fa1a22b3608f22915b91ce39d128f", "signature_version": "v1", "id": "CVE-2024-26940-a31454ca" }, { "signature_type": "Line", "target": { "file": "drivers/gpu/drm/vmwgfx/vmwgfx_drv.c" }, "deprecated": false, "digest": { "threshold": 0.9, "line_hashes": [ "190955641525857901571056571948435356614", "146323459410009246250038498217183783379", "48246823370462054743022128936159282242", "317197852226856245077017107111608980482", "7050877699234941131549548698673853239", "67892384168171434578922429570050410478", "94984043687140918692049201632094505181", "157965191632864145528517097344376422138", "54422473991527432871282200900298292502" ] }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@25e3ce59c1200f1f0563e39de151f34962ab0fe1", "signature_version": "v1", "id": "CVE-2024-26940-b9d81511" } ]