CVE-2023-53095

The LRU mechanism may look up a resource in the process of being removed from an object. The locking rules here are a bit unclear but it looks currently like res->bo assignment is protected by the LRU lock, whereas bo->resource is protected by the object lock, while clearing of bo->resource is also protected by the LRU lock. This means that if we check that bo->resource points to the LRU resource under the LRU lock we should be safe. So perform that check before deciding to swap out a bo. That avoids dereferencing a NULL bo->resource in ttmboswapout().

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

6a9b028994025f5033f10d1da30b29dfdc713384

Fixed

9ba1720f6c4a0f13c3f3cb5c28132ee75555d04f

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

6a9b028994025f5033f10d1da30b29dfdc713384

Fixed

9d9b1f9f7a72d83ebf173534e76b246349f32374

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

6a9b028994025f5033f10d1da30b29dfdc713384

Fixed

9a9a8fe26751334b7739193a94eba741073b8a55

Affected versions

v5.*

v5.17

v5.17-rc3

v5.17-rc4

v5.17-rc5

v5.17-rc6

v5.17-rc7

v5.17-rc8

v5.18

v5.18-rc1

v5.18-rc2

v5.18-rc3

v5.18-rc4

v5.18-rc5

v5.18-rc6

v5.18-rc7

v5.19

v5.19-rc1

v5.19-rc2

v5.19-rc3

v5.19-rc4

v5.19-rc5

v5.19-rc6

v5.19-rc7

v5.19-rc8

v6.*

v6.0

v6.0-rc1

v6.0-rc2

v6.0-rc3

v6.0-rc4

v6.0-rc5

v6.0-rc6

v6.0-rc7

v6.1

v6.1-rc1

v6.1-rc2

v6.1-rc3

v6.1-rc4

v6.1-rc5

v6.1-rc6

v6.1-rc7

v6.1-rc8

v6.1.1

v6.1.10

v6.1.11

v6.1.12

v6.1.13

v6.1.14

v6.1.15

v6.1.16

v6.1.17

v6.1.18

v6.1.19

v6.1.2

v6.1.20

v6.1.3

v6.1.4

v6.1.5

v6.1.6

v6.1.7

v6.1.8

v6.1.9

v6.2

v6.2-rc1

v6.2-rc2

v6.2-rc3

v6.2-rc4

v6.2-rc5

v6.2-rc6

v6.2-rc7

v6.2-rc8

v6.2.1

v6.2.2

v6.2.3

v6.2.4

v6.2.5

v6.2.6

v6.2.7

Database specific

vanir_signatures

[
    {
        "digest": {
            "function_hash": "140084496422162175422505187381239009412",
            "length": 628.0
        },
        "target": {
            "file": "drivers/gpu/drm/ttm/ttm_device.c",
            "function": "ttm_device_swapout"
        },
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9d9b1f9f7a72d83ebf173534e76b246349f32374",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2023-53095-103fa7c4"
    },
    {
        "digest": {
            "function_hash": "140084496422162175422505187381239009412",
            "length": 628.0
        },
        "target": {
            "file": "drivers/gpu/drm/ttm/ttm_device.c",
            "function": "ttm_device_swapout"
        },
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9a9a8fe26751334b7739193a94eba741073b8a55",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2023-53095-40d2ca9e"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "40577106796010479298761670804754430436",
                "161237019893515947389530738644575445860",
                "70159554559263439239529504643495287254",
                "246276920374544185915809691918711962049"
            ]
        },
        "target": {
            "file": "drivers/gpu/drm/ttm/ttm_device.c"
        },
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9a9a8fe26751334b7739193a94eba741073b8a55",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2023-53095-8fbb536a"
    },
    {
        "digest": {
            "function_hash": "140084496422162175422505187381239009412",
            "length": 628.0
        },
        "target": {
            "file": "drivers/gpu/drm/ttm/ttm_device.c",
            "function": "ttm_device_swapout"
        },
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9ba1720f6c4a0f13c3f3cb5c28132ee75555d04f",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2023-53095-97c10d6d"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "40577106796010479298761670804754430436",
                "161237019893515947389530738644575445860",
                "70159554559263439239529504643495287254",
                "246276920374544185915809691918711962049"
            ]
        },
        "target": {
            "file": "drivers/gpu/drm/ttm/ttm_device.c"
        },
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9ba1720f6c4a0f13c3f3cb5c28132ee75555d04f",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2023-53095-a0875313"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "40577106796010479298761670804754430436",
                "161237019893515947389530738644575445860",
                "70159554559263439239529504643495287254",
                "246276920374544185915809691918711962049"
            ]
        },
        "target": {
            "file": "drivers/gpu/drm/ttm/ttm_device.c"
        },
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9d9b1f9f7a72d83ebf173534e76b246349f32374",
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2023-53095-d2f07b6f"
    }
]

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.19.0

Fixed

6.1.21

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.2.8