CVE-2024-41094

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-41094
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-41094.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-41094
Published
2024-07-29T16:15:04Z
Modified
2024-09-18T03:23:09.584483Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/fbdev-dma: Only set smem_start is enable per module option

Only export struct fb_info.fix.smem_start if that is required by the user and the memory does not come from vmalloc().

Setting struct fb_info.fix.smem_start breaks systems where DMA memory is backed by vmalloc address space. An example error is shown below.

[ 3.536043] ------------[ cut here ]------------
[ 3.540716] virt_to_phys used for non-linear address: 000000007fc4f540 (0xffff800086001000)
[ 3.552628] WARNING: CPU: 4 PID: 61 at arch/arm64/mm/physaddr.c:12 __virt_to_phys+0x68/0x98
[ 3.565455] Modules linked in:
[ 3.568525] CPU: 4 PID: 61 Comm: kworker/u12:5 Not tainted 6.6.23-06226-g4986cc3e1b75-dirty #250
[ 3.577310] Hardware name: NXP i.MX95 19X19 board (DT)
[ 3.582452] Workqueue: events_unbound deferred_probe_work_func
[ 3.588291] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 3.595233] pc : __virt_to_phys+0x68/0x98
[ 3.599246] lr : __virt_to_phys+0x68/0x98
[ 3.603276] sp : ffff800083603990
[ 3.677939] Call trace:
[ 3.680393] __virt_to_phys+0x68/0x98
[ 3.684067] drm_fbdev_dma_helper_fb_probe+0x138/0x238
[ 3.689214] __drm_fb_helper_initial_config_and_unlock+0x2b0/0x4c0
[ 3.695385] drm_fb_helper_initial_config+0x4c/0x68
[ 3.700264] drm_fbdev_dma_client_hotplug+0x8c/0xe0
[ 3.705161] drm_client_register+0x60/0xb0
[ 3.709269] drm_fbdev_dma_setup+0x94/0x148

Additionally, DMA memory is assumed to be contiguous in physical address space, which is not guaranteed by vmalloc().

Resolve this by checking the module flag drm_leak_fbdev_smem when DRM allocated the instance of struct fb_info. Fbdev-dma then only sets smem_start if required (via FBINFO_HIDE_SMEM_START). Also guarantee that the framebuffer is not located in vmalloc address space.

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.9.8-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1
6.7.7-1
6.7.9-1
6.7.9-2
6.7.12-1~bpo12+1
6.7.12-1
6.8.9-1
6.8.11-1
6.8.12-1~bpo12+1
6.8.12-1
6.9.2-1~exp1
6.9.7-1~bpo12+1
6.9.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}