CVE-2024-26656

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: fix use-after-free bug

The bug can be triggered by sending a single amdgpugemuserptr_ioctl to the AMDGPU DRM driver on any ASICs with an invalid address and size. The bug was reported by Joonkyo Jung joonkyoj@yonsei.ac.kr. For example the following code:

static void Syzkaller1(int fd) { struct drmamdgpugem_userptr arg; int ret;

arg.addr = 0xffffffffffff0000;
arg.size = 0x80000000; /*2 Gb*/
arg.flags = 0x7;
ret = drmIoctl(fd, 0xc1186451/*amdgpu_gem_userptr_ioctl*/, &arg);

}

Due to the address and size are not valid there is a failure in amdgpuhmmregister->mmuintervalnotifier_insert->__mmuintervalnotifierinsert-> checkshloverflow, but we even the amdgpuhmmregister failure we still call amdgpuhmmunregister into amdgpugemobjectfree which causes access to a bad address. The following stack is below when the issue is reproduced when Kazan is enabled:

[ +0.000014] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020 [ +0.000009] RIP: 0010:mmuintervalnotifierremove+0x327/0x340 [ +0.000017] Code: ff ff 49 89 44 24 08 48 b8 00 01 00 00 00 00 ad de 4c 89 f7 49 89 47 40 48 83 c0 22 49 89 47 48 e8 ce d1 2d 01 e9 32 ff ff ff <0f> 0b e9 16 ff ff ff 4c 89 ef e8 fa 14 b3 ff e9 36 ff ff ff e8 80 [ +0.000014] RSP: 0018:ffffc90002657988 EFLAGS: 00010246 [ +0.000013] RAX: 0000000000000000 RBX: 1ffff920004caf35 RCX: ffffffff8160565b [ +0.000011] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8881a9f78260 [ +0.000010] RBP: ffffc90002657a70 R08: 0000000000000001 R09: fffff520004caf25 [ +0.000010] R10: 0000000000000003 R11: ffffffff8161d1d6 R12: ffff88810e988c00 [ +0.000010] R13: ffff888126fb5a00 R14: ffff88810e988c0c R15: ffff8881a9f78260 [ +0.000011] FS: 00007ff9ec848540(0000) GS:ffff8883cc880000(0000) knlGS:0000000000000000 [ +0.000012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ +0.000010] CR2: 000055b3f7e14328 CR3: 00000001b5770000 CR4: 0000000000350ef0 [ +0.000010] Call Trace: [ +0.000006] <TASK> [ +0.000007] ? showregs+0x6a/0x80 [ +0.000018] ? __warn+0xa5/0x1b0 [ +0.000019] ? mmuintervalnotifier_remove+0x327/0x340 [ +0.000018] ? reportbug+0x24a/0x290 [ +0.000022] ? handlebug+0x46/0x90 [ +0.000015] ? excinvalidop+0x19/0x50 [ +0.000016] ? asmexcinvalidop+0x1b/0x20 [ +0.000017] ? kasansavestack+0x26/0x50 [ +0.000017] ? mmuintervalnotifierremove+0x23b/0x340 [ +0.000019] ? mmuintervalnotifierremove+0x327/0x340 [ +0.000019] ? mmuintervalnotifierremove+0x23b/0x340 [ +0.000020] ? __pfxmmuinterval_notifierremove+0x10/0x10 [ +0.000017] ? kasansaveallocinfo+0x1e/0x30 [ +0.000018] ? srsoreturnthunk+0x5/0x5f [ +0.000014] ? __kasankmalloc+0xb1/0xc0 [ +0.000018] ? srsoreturn_thunk+0x5/0x5f [ +0.000013] ? __kasancheckread+0x11/0x20 [ +0.000020] amdgpu_hmmunregister+0x34/0x50 [amdgpu] [ +0.004695] amdgpugemobjectfree+0x66/0xa0 [amdgpu] [ +0.004534] ? __pfxamdgpugemobjectfree+0x10/0x10 [amdgpu] [ +0.004291] ? dosyscall64+0x5f/0xe0 [ +0.000023] ? srsoreturnthunk+0x5/0x5f [ +0.000017] drmgemobjectfree+0x3b/0x50 [drm] [ +0.000489] amdgpugemuserptrioctl+0x306/0x500 [amdgpu] [ +0.004295] ? __pfxamdgpugemuserptrioctl+0x10/0x10 [amdgpu] [ +0.004270] ? srsoreturnthunk+0x5/0x5f [ +0.000014] ? __thiscpupreemptcheck+0x13/0x20 [ +0.000015] ? srsoreturnthunk+0x5/0x5f [ +0.000013] ? sysvecapictimerinterrupt+0x57/0xc0 [ +0.000020] ? srsoreturnthunk+0x5/0x5f [ +0.000014] ? asmsysvecapictimerinterrupt+0x1b/0x20 [ +0.000022] ? drmioctlkernel+0x17b/0x1f0 [drm] [ +0.000496] ? __pfxamdgpugemuserptrioctl+0x10/0x10 [amdgpu] [ +0.004272] ? drmioctlkernel+0x190/0x1f0 [drm] [ +0.000492] drmioctlkernel+0x140/0x1f0 [drm] [ +0.000497] ? __pfxamdgpugemuserptrioctl+0x10/0x10 [amdgpu] [ +0.004297] ? _pfxdrmioctlkernel+0x10/0x10 [d ---truncated---