CVE-2024-58018

r535gspcmdq_push() waits for the available page in the GSP cmdq buffer when handling a large RPC request. When it sees at least one available page in the cmdq, it quits the waiting with the amount of free buffer pages in the queue.

Unfortunately, it always takes the [write pointer, buf_size) as available buffer pages before rolling back and wrongly calculates the size of the data should be copied. Thus, it can overwrite the RPC request that GSP is currently reading, which causes GSP hang due to corrupted RPC request:

[ 549.209389] ------------[ cut here ]------------ [ 549.214010] WARNING: CPU: 8 PID: 6314 at drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c:116 r535gspmsgqwait+0xd0/0x190 [nvkm] [ 549.225678] Modules linked in: nvkm(E+) gsplog(E) sndseqdummy(E) sndhrtimer(E) sndseq(E) sndtimer(E) sndseqdevice(E) snd(E) soundcore(E) rfkill(E) qrtr(E) vfat(E) fat(E) ipmissif(E) amdatl(E) intelraplmsr(E) intelraplcommon(E) mlx5ib(E) amd64edac(E) edacmceamd(E) kvmamd(E) ibuverbs(E) kvm(E) ibcore(E) acpiipmi(E) ipmisi(E) mxmwmi(E) ipmidevintf(E) rapl(E) i2cpiix4(E) wmibmof(E) joydev(E) ptdma(E) acpicpufreq(E) k10temp(E) pcspkr(E) ipmimsghandler(E) xfs(E) libcrc32c(E) ast(E) i2calgobit(E) crct10difpclmul(E) drmshmemhelper(E) nvmetcp(E) crc32pclmul(E) ahci(E) drmkmshelper(E) libahci(E) nvmefabrics(E) crc32cintel(E) nvme(E) cdcether(E) mlx5core(E) nvmecore(E) usbnet(E) drm(E) libata(E) ccp(E) ghashclmulniintel(E) mii(E) t10pi(E) mlxfw(E) sp5100tco(E) psample(E) pcihypervintf(E) wmi(E) dmmultipath(E) sunrpc(E) dmmirror(E) dmregionhash(E) dmlog(E) dmmod(E) be2iscsi(E) bnx2i(E) cnic(E) uio(E) cxgb4i(E) cxgb4(E) tls(E) libcxgbi(E) libcxgb(E) qla4xxx(E) [ 549.225752] iscsibootsysfs(E) iscsitcp(E) libiscsitcp(E) libiscsi(E) scsitransportiscsi(E) fuse(E) [last unloaded: gsplog(E)] [ 549.326293] CPU: 8 PID: 6314 Comm: insmod Tainted: G E 6.9.0-rc6+ #1 [ 549.334039] Hardware name: ASRockRack 1U1G-MILAN/N/ROMED8-NL, BIOS L3.12E 09/06/2022 [ 549.341781] RIP: 0010:r535gspmsgqwait+0xd0/0x190 [nvkm] [ 549.347343] Code: 08 00 00 89 da c1 e2 0c 48 8d ac 11 00 10 00 00 48 8b 0c 24 48 85 c9 74 1f c1 e0 0c 4c 8d 6d 30 83 e8 30 89 01 e9 68 ff ff ff <0f> 0b 49 c7 c5 92 ff ff ff e9 5a ff ff ff ba ff ff ff ff be c0 0c [ 549.366090] RSP: 0018:ffffacbccaaeb7d0 EFLAGS: 00010246 [ 549.371315] RAX: 0000000000000000 RBX: 0000000000000012 RCX: 0000000000923e28 [ 549.378451] RDX: 0000000000000000 RSI: 0000000055555554 RDI: ffffacbccaaeb730 [ 549.385590] RBP: 0000000000000001 R08: ffff8bd14d235f70 R09: ffff8bd14d235f70 [ 549.392721] R10: 0000000000000002 R11: ffff8bd14d233864 R12: 0000000000000020 [ 549.399854] R13: ffffacbccaaeb818 R14: 0000000000000020 R15: ffff8bb298c67000 [ 549.406988] FS: 00007f5179244740(0000) GS:ffff8bd14d200000(0000) knlGS:0000000000000000 [ 549.415076] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 549.420829] CR2: 00007fa844000010 CR3: 00000001567dc005 CR4: 0000000000770ef0 [ 549.427963] PKRU: 55555554 [ 549.430672] Call Trace: [ 549.433126] <TASK> [ 549.435233] ? _warn+0x7f/0x130 [ 549.438473] ? r535gspmsgqwait+0xd0/0x190 [nvkm] [ 549.443426] ? reportbug+0x18a/0x1a0 [ 549.447098] ? handlebug+0x3c/0x70 [ 549.450589] ? excinvalidop+0x14/0x70 [ 549.454430] ? asmexcinvalidop+0x16/0x20 [ 549.458619] ? r535gspmsgqwait+0xd0/0x190 [nvkm] [ 549.463565] r535gspmsgrecv+0x46/0x230 [nvkm] [ 549.468257] r535gsprpcpush+0x106/0x160 [nvkm] [ 549.473033] r535gsprpcrmctrlpush+0x40/0x130 [nvkm] [ 549.478422] nvidiagridinitvgputypes+0xbc/0xe0 [nvkm] [ 549.483899] nvidiagridinit+0xb1/0xd0 [nvkm] [ 549.488420] ? srsoaliasreturnthunk+0x5/0xfbef5 [ 549.493213] nvkmdevicepciprobe+0x305/0x420 [nvkm] [ 549.498338] localpci_probe+0x46/ ---truncated---

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

176fdcbddfd288408ce8571c1760ad618d962096

Fixed

56e6c7f6d2a6b4e0aae0528c502e56825bb40598

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

176fdcbddfd288408ce8571c1760ad618d962096

Fixed

6b6b75728c86f60c1fc596f0d4542427d0e6065b

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

176fdcbddfd288408ce8571c1760ad618d962096

Fixed

01ed662bdd6fce4f59c1804b334610d710d79fa0

Affected versions

v6.*

v6.10

v6.10-rc1

v6.10-rc2

v6.10-rc3

v6.10-rc4

v6.10-rc5

v6.10-rc6

v6.10-rc7

v6.11

v6.11-rc1

v6.11-rc2

v6.11-rc3

v6.11-rc4

v6.11-rc5

v6.11-rc6

v6.11-rc7

v6.12

v6.12-rc1

v6.12-rc2

v6.12-rc3

v6.12-rc4

v6.12-rc5

v6.12-rc6

v6.12-rc7

v6.12.1

v6.12.10

v6.12.11

v6.12.12

v6.12.13

v6.12.2

v6.12.3

v6.12.4

v6.12.5

v6.12.6

v6.12.7

v6.12.8

v6.12.9

v6.13

v6.13-rc1

v6.13-rc2

v6.13-rc3

v6.13-rc4

v6.13-rc5

v6.13-rc6

v6.13-rc7

v6.13.1

v6.13.2

v6.6

v6.7

v6.7-rc1

v6.7-rc2

v6.7-rc3

v6.7-rc4

v6.7-rc5

v6.7-rc6

v6.7-rc7

v6.7-rc8

v6.8

v6.8-rc1

v6.8-rc2

v6.8-rc3

v6.8-rc4

v6.8-rc5

v6.8-rc6

v6.8-rc7

v6.9

v6.9-rc1

v6.9-rc2

v6.9-rc3

v6.9-rc4

v6.9-rc5

v6.9-rc6

v6.9-rc7

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "id": "CVE-2024-58018-75bf1781",
        "target": {
            "file": "drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c"
        },
        "digest": {
            "line_hashes": [
                "257361453549018069888234796367749313467",
                "45913653077093325913151248931986173083",
                "212661654959546125706259840193710482821",
                "194134962611677741497942615972229728946",
                "11842675037239068980843873477942388347",
                "216093782789665176157295571126345151422",
                "332939250955355360452982711612424043574",
                "300356352877150548496612664178399384620"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6b6b75728c86f60c1fc596f0d4542427d0e6065b",
        "deprecated": false
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-58018-9586b464",
        "target": {
            "file": "drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c",
            "function": "r535_gsp_cmdq_push"
        },
        "digest": {
            "function_hash": "256606067486451858289393808635025398099",
            "length": 1468.0
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6b6b75728c86f60c1fc596f0d4542427d0e6065b",
        "deprecated": false
    },
    {
        "signature_type": "Line",
        "id": "CVE-2024-58018-c3db1eed",
        "target": {
            "file": "drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c"
        },
        "digest": {
            "line_hashes": [
                "257361453549018069888234796367749313467",
                "45913653077093325913151248931986173083",
                "212661654959546125706259840193710482821",
                "194134962611677741497942615972229728946",
                "11842675037239068980843873477942388347",
                "216093782789665176157295571126345151422",
                "332939250955355360452982711612424043574",
                "300356352877150548496612664178399384620"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@56e6c7f6d2a6b4e0aae0528c502e56825bb40598",
        "deprecated": false
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-58018-c8290358",
        "target": {
            "file": "drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c",
            "function": "r535_gsp_cmdq_push"
        },
        "digest": {
            "function_hash": "256606067486451858289393808635025398099",
            "length": 1468.0
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@01ed662bdd6fce4f59c1804b334610d710d79fa0",
        "deprecated": false
    },
    {
        "signature_type": "Line",
        "id": "CVE-2024-58018-c85d25af",
        "target": {
            "file": "drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c"
        },
        "digest": {
            "line_hashes": [
                "257361453549018069888234796367749313467",
                "45913653077093325913151248931986173083",
                "212661654959546125706259840193710482821",
                "194134962611677741497942615972229728946",
                "11842675037239068980843873477942388347",
                "216093782789665176157295571126345151422",
                "332939250955355360452982711612424043574",
                "300356352877150548496612664178399384620"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@01ed662bdd6fce4f59c1804b334610d710d79fa0",
        "deprecated": false
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-58018-d9326eb5",
        "target": {
            "file": "drivers/gpu/drm/nouveau/nvkm/subdev/gsp/r535.c",
            "function": "r535_gsp_cmdq_push"
        },
        "digest": {
            "function_hash": "256606067486451858289393808635025398099",
            "length": 1468.0
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@56e6c7f6d2a6b4e0aae0528c502e56825bb40598",
        "deprecated": false
    }
]

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.14

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.13.3