In the Linux kernel, the following vulnerability has been resolved:

drm/sched: fix null-ptr-deref in init entity

The bug can be triggered by sending an amdgpu_cs_wait_ioctl to the AMDGPU DRM driver on any ASIC with a valid context. The bug was reported by Joonkyo Jung <joonkyoj@yonsei.ac.kr>. For example, the following code:

	/* Reporter's reproducer with the identifiers restored and the typos fixed so it compiles.
	 * Build (assumed): cc $(pkg-config --cflags --libs libdrm) repro.c
	 */
	#include <xf86drm.h>
	#include <amdgpu_drm.h>

	#ifndef AMDGPU_HW_IP_VPE
	#define AMDGPU_HW_IP_VPE 9	/* written as AMD_IP_VPE in the original report */
	#endif

	static void Syzkaller2(int fd)
	{
		union drm_amdgpu_ctx arg1 = {0};
		union drm_amdgpu_wait_cs arg2 = {0};
		int ret;

		/* allocate a GPU context; its handle comes back in arg1.out.alloc.ctx_id */
		arg1.in.op = AMDGPU_CTX_OP_ALLOC_CTX;
		ret = drmIoctl(fd, 0x140106442 /* amdgpu_ctx_ioctl */, &arg1);
		if (ret)
			return;

		/* wait on a VPE ring of that context although no job was ever submitted */
		arg2.in.handle = 0x0;
		arg2.in.timeout = 0x2000000000000;
		arg2.in.ip_type = AMDGPU_HW_IP_VPE /* 0x9 */;
		arg2.in.ip_instance = 0x0;
		arg2.in.ring = 0x0;
		arg2.in.ctx_id = arg1.out.alloc.ctx_id;

		drmIoctl(fd, 0xc0206449 /* AMDGPU_WAIT_CS */, &arg2);
	}

One could assume that the ioctl AMDGPU_WAIT_CS without a previously submitted job should return an error, but the following commit 1decbf6bb0b4dc56c9da6c5e57b994ebfc2be3aa modified the logic and allowed sched_rq to be NULL. As a result, when there is no job, the ioctl AMDGPU_WAIT_CS returns success.
The change fixes null-ptr-deref in init entity and the stack below demonstrates the error condition:

[  +0.000007] BUG: kernel NULL pointer dereference, address: 0000000000000028
[  +0.007086] #PF: supervisor read access in kernel mode
[  +0.005234] #PF: error_code(0x0000) - not-present page
[  +0.005232] PGD 0 P4D 0
[  +0.002501] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI
[  +0.005034] CPU: 10 PID: 9229 Comm: amd_basic Tainted: G B W L 6.7.0+ #4
[  +0.007797] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020
[  +0.009798] RIP: 0010:drm_sched_entity_init+0x2d3/0x420 [gpu_sched]
[  +0.006426] Code: 80 00 00 00 00 00 00 00 e8 1a 81 82 e0 49 89 9c 24 c0 00 00 00 4c 89 ef e8 4a 80 82 e0 49 8b 5d 00 48 8d 7b 28 e8 3d 80 82 e0 <48> 83 7b 28 00 0f 84 28 01 00 00 4d 8d ac 24 98 00 00 00 49 8d 5c
[  +0.019094] RSP: 0018:ffffc90014c1fa40 EFLAGS: 00010282
[  +0.005237] RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffffffff8113f3fa
[  +0.007326] RDX: fffffbfff0a7889d RSI: 0000000000000008 RDI: ffffffff853c44e0
[  +0.007264] RBP: ffffc90014c1fa80 R08: 0000000000000001 R09: fffffbfff0a7889c
[  +0.007266] R10: ffffffff853c44e7 R11: 0000000000000001 R12: ffff8881a719b010
[  +0.007263] R13: ffff88810d412748 R14: 0000000000000002 R15: 0000000000000000
[  +0.007264] FS:  00007ffff7045540(0000) GS:ffff8883cc900000(0000) knlGS:0000000000000000
[  +0.008236] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  +0.005851] CR2: 0000000000000028 CR3: 000000011912e000 CR4: 0000000000350ef0
[  +0.007175] Call Trace:
[  +0.002561]  <TASK>
[  +0.002141]  ? show_regs+0x6a/0x80
[  +0.003473]  ? die+0x25/0x70
[  +0.003124]  ? page_fault_oops+0x214/0x720
[  +0.004179]  ? preempt_count_sub+0x18/0xc0
[  +0.004093]  ? __pfx_page_fault_oops+0x10/0x10
[  +0.004590]  ? srso_return_thunk+0x5/0x5f
[  +0.004000]  ? vprintk_default+0x1d/0x30
[  +0.004063]  ? srso_return_thunk+0x5/0x5f
[  +0.004087]  ? vprintk+0x5c/0x90
[  +0.003296]  ? drm_sched_entity_init+0x2d3/0x420 [gpu_sched]
[  +0.005807]  ? srso_return_thunk+0x5/0x5f
[  +0.004090]  ? _printk+0xb3/0xe0
[  +0.003293]  ? __pfx__printk+0x10/0x10
[  +0.003735]  ? asm_sysvec_apic_timer_interrupt+0x1b/0x20
[  +0.005482]  ? do_user_addr_fault+0x345/0x770
[  +0.004361]  ? exc_page_fault+0x64/0xf0
[  +0.003972]  ? asm_exc_page_fault+0x27/0x30
[  +0.004271]  ? add_taint+0x2a/0xa0
[  +0.003476]  ? drm_sched_entity_init+0x2d3/0x420 [gpu_sched]
[  +0.005812]  amdgpu_ctx_get_entity+0x3f9/0x770 [amdgpu]
[  +0.009530]  ? finish_task_switch.isra.0+0x129/0x470
[  +0.005068]  ? __pfx_amdgpu_ctx_get_entity+0x10/0x10 [amdgpu]
[  +0.010063]  ? __kasan_check_write+0x14/0x20
[  +0.004356]  ? srso_return_thunk+0x5/0x5f
[  +0.004001]  ? mutex_unlock+0x81/0xd0
[  +0.003802]  ? srso_return_thunk+0x5/0x5f
[  +0.004096]  amdgpu_cs_wait_ioctl+0xf6/0x270 [amdgpu]
[  +0.009355]  ? __pfx ---truncated---
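What the fix changes, as an added example that is neither kernel code nor part of the original advisory: a user-space model of the entity-init check, with the pre-fix and post-fix shapes side by side. The structure names, the two init variants and the constructed inputs are assumptions modelled on drm_sched_entity_init() and on the upstream fix (which skips the sched_rq check when num_sched_list is 0); a forked child turns the NULL dereference into a reportable signal instead of a kernel oops.

```c
/*
 * Added example, not kernel code: a user-space model of the check in
 * drm_sched_entity_init() that this fix is about. The struct layouts, the
 * two init variants and the "no scheduler" input are assumptions modelled
 * on the scheduler code and on the upstream fix (the sched_rq check is
 * skipped when num_sched_list is 0); real kernel structures are far larger.
 *
 * Build: cc -Wall -o entity_init_model entity_init_model.c
 */
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct sched_rq { int placeholder; };	/* stands in for struct drm_sched_rq */

struct gpu_scheduler {
	struct sched_rq *sched_rq;	/* NULL until the scheduler is initialized */
};

struct sched_entity {
	struct gpu_scheduler **sched_list;
	unsigned int num_sched_list;
	int warned;			/* stands in for the pr_warn() path */
};

typedef int (*init_fn)(struct sched_entity *, struct gpu_scheduler **, unsigned int);

/*
 * Pre-fix shape: sched_list[0] is dereferenced unconditionally. For an IP
 * block the ASIC does not have (VPE in the report), the context code hands
 * over num_sched_list == 0 with a NULL first entry, so this reads through
 * NULL: the user-space twin of the oops at address 0x28 in the trace above.
 */
__attribute__((noinline))
static int entity_init_before(struct sched_entity *e,
			      struct gpu_scheduler **list, unsigned int n)
{
	e->num_sched_list = n;
	e->sched_list = n > 1 ? list : NULL;
	e->warned = 0;
	if (!list[0]->sched_rq)		/* faults when list[0] is NULL */
		e->warned = 1;
	return 0;
}

/* Post-fix shape: look at sched_list[0] only when the list is non-empty. */
__attribute__((noinline))
static int entity_init_after(struct sched_entity *e,
			     struct gpu_scheduler **list, unsigned int n)
{
	e->num_sched_list = n;
	e->sched_list = n > 1 ? list : NULL;
	e->warned = 0;
	if (n && !list[0]->sched_rq)	/* uninitialized scheduler: warn, do not crash */
		e->warned = 1;
	return 0;
}

/*
 * Run one variant on the "no scheduler" input in a forked child so a crash
 * cannot take the caller down. Returns the signal that killed the child
 * (SIGSEGV for the pre-fix variant), 0 if the call completed, -1 on error.
 */
static int signal_on_empty_list(init_fn fn)
{
	struct gpu_scheduler *list[1] = { NULL };	/* constructed input */
	struct sched_entity e;
	int status;
	pid_t pid = fork();

	if (pid < 0)
		return -1;
	if (pid == 0)
		_exit(fn(&e, list, 0) == 0 ? 0 : 1);
	if (waitpid(pid, &status, 0) < 0)
		return -1;
	return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

/*
 * With a real scheduler present both variants agree; returns the warned
 * flag (1 when that scheduler had no sched_rq yet), -1 if init failed.
 */
static int warned_with_one_scheduler(init_fn fn, int initialized)
{
	static struct sched_rq dummy_rq;
	struct gpu_scheduler sched = { .sched_rq = initialized ? &dummy_rq : NULL };
	struct gpu_scheduler *list[1] = { &sched };	/* constructed input */
	struct sched_entity e;

	if (fn(&e, list, 1) != 0)
		return -1;
	return e.warned;
}

int main(void)
{
	printf("pre-fix  init, empty list: %s\n",
	       signal_on_empty_list(entity_init_before) ? "killed by signal" : "ok");
	printf("post-fix init, empty list: %s\n",
	       signal_on_empty_list(entity_init_after) ? "killed by signal" : "ok");
	printf("post-fix init, uninitialized scheduler: warned=%d\n",
	       warned_with_one_scheduler(entity_init_after, 0));
	return 0;
}
```

The point of the forked child is that the pre-fix variant is run exactly as written, so the crash is observed rather than simulated; the post-fix variant still reaches the "uninitialized scheduler" warning when a scheduler is present but not yet set up, which is the behaviour the original check was there to provide.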