CVE-2024-56542

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-56542
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-56542.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-56542
Related
Published
2024-12-27T14:15:33Z
Modified
2025-01-14T17:47:05.471751Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: fix a memleak issue when driver is removed

Running "modprobe amdgpu" the second time (followed by a modprobe -r amdgpu) causes a call trace like:

[ 845.212163] Memory manager not clean during takedown. [ 845.212170] WARNING: CPU: 4 PID: 2481 at drivers/gpu/drm/drmmm.c:999 drmmmtakedown+0x2b/0x40 [ 845.212177] Modules linked in: amdgpu(OE-) amddrmttmhelper(OE) amddrmbuddy(OE) amdxcp(OE) amdsched(OE) drmexec drmsuballochelper drmdisplayhelper i2calgobit amdttm(OE) amdkcl(OE) cec rccore sunrpc qrtr intelraplmsr intelraplcommon sndhdacodechdmi edacmceamd sndhdaintel sndinteldspcfg sndintelsdwacpi sndusbaudio sndhdacodec sndusbmidilib kvmamd sndhdacore sndump mc sndhwdep kvm sndpcm sndseqmidi sndseqmidievent irqbypass crct10difpclmul sndrawmidi polyvalclmulni polyvalgeneric ghashclmulniintel sha256ssse3 sha1ssse3 sndseq aesniintel cryptosimd sndseqdevice cryptd sndtimer mfdaaeon asusnbwmi eeepcwmi joydev asuswmi snd ledtrigaudio sparsekeymap ccp wmibmof inputleds k10temp i2cpiix4 platformprofile rapl soundcore gpioamdpt machid binfmtmisc msr parportpc ppdev lp parport efipstore nfnetlink dmisysfs iptables xtables autofs4 hidlogitechhidpp hidlogitechdj hidgeneric usbhid hid ahci xhcipci igc crc32pclmul libahci xhcipcirenesas video [ 845.212284] wmi [last unloaded: amddrmttmhelper(OE)] [ 845.212290] CPU: 4 PID: 2481 Comm: modprobe Tainted: G W OE 6.8.0-31-generic #31-Ubuntu [ 845.212296] RIP: 0010:drmmmtakedown+0x2b/0x40 [ 845.212300] Code: 1f 44 00 00 48 8b 47 38 48 83 c7 38 48 39 f8 75 09 31 c0 31 ff e9 90 2e 86 00 55 48 c7 c7 d0 f6 8e 8a 48 89 e5 e8 f5 db 45 ff <0f> 0b 5d 31 c0 31 ff e9 74 2e 86 00 66 0f 1f 84 00 00 00 00 00 90 [ 845.212302] RSP: 0018:ffffb11302127ae0 EFLAGS: 00010246 [ 845.212305] RAX: 0000000000000000 RBX: ffff92aa5020fc08 RCX: 0000000000000000 [ 845.212307] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 845.212309] RBP: ffffb11302127ae0 R08: 0000000000000000 R09: 0000000000000000 [ 845.212310] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000004 [ 845.212312] R13: ffff92aa50200000 R14: ffff92aa5020fb10 R15: ffff92aa5020faa0 [ 845.212313] FS: 0000707dd7c7c080(0000) GS:ffff92b93de00000(0000) knlGS:0000000000000000 [ 845.212316] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 845.212318] CR2: 00007d48b0aee200 CR3: 0000000115a58000 CR4: 0000000000f50ef0 [ 845.212320] PKRU: 55555554 [ 845.212321] Call Trace: [ 845.212323] <TASK> [ 845.212328] ? showregs+0x6d/0x80 [ 845.212333] ? _warn+0x89/0x160 [ 845.212339] ? drmmmtakedown+0x2b/0x40 [ 845.212344] ? reportbug+0x17e/0x1b0 [ 845.212350] ? handlebug+0x51/0xa0 [ 845.212355] ? excinvalidop+0x18/0x80 [ 845.212359] ? asmexcinvalidop+0x1b/0x20 [ 845.212366] ? drmmmtakedown+0x2b/0x40 [ 845.212371] amdgpugttmgrfini+0xa9/0x130 [amdgpu] [ 845.212645] amdgputtmfini+0x264/0x340 [amdgpu] [ 845.212770] amdgpubofini+0x2e/0xc0 [amdgpu] [ 845.212894] gmcv120swfini+0x2a/0x40 [amdgpu] [ 845.213036] amdgpudevicefinisw+0x11a/0x590 [amdgpu] [ 845.213159] amdgpudriverreleasekms+0x16/0x40 [amdgpu] [ 845.213302] devmdrmdevinitrelease+0x5e/0x90 [ 845.213305] devmactionrelease+0x12/0x30 [ 845.213308] releasenodes+0x42/0xd0 [ 845.213311] devresreleaseall+0x97/0xe0 [ 845.213314] deviceunbindcleanup+0x12/0x80 [ 845.213317] devicereleasedriverinternal+0x230/0x270 [ 845.213319] ? srsoaliasreturn_thunk+0x5/0xfbef5

This is caused by lost memory during early init phase. First time driver is removed, memory is freed but when second time the driver is inserted, VBIOS dmub is not active, since the PSP policy is to retain the driver loaded version on subsequent warm boots. Hence, communication with VBIOS DMUB fails.

Fix this by aborting further comm ---truncated---

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.12.3-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.1.112-1
6.1.115-1
6.1.119-1
6.1.123-1
6.1.124-1
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1
6.7.7-1
6.7.9-1
6.7.9-2
6.7.12-1~bpo12+1
6.7.12-1
6.8.9-1
6.8.11-1
6.8.12-1~bpo12+1
6.8.12-1
6.9.2-1~exp1
6.9.7-1~bpo12+1
6.9.7-1
6.9.8-1
6.9.9-1
6.9.10-1~bpo12+1
6.9.10-1
6.9.11-1
6.9.12-1
6.10-1~exp1
6.10.1-1~exp1
6.10.3-1
6.10.4-1
6.10.6-1~bpo12+1
6.10.6-1
6.10.7-1
6.10.9-1
6.10.11-1~bpo12+1
6.10.11-1
6.10.12-1
6.11~rc4-1~exp1
6.11~rc5-1~exp1
6.11-1~exp1
6.11.2-1
6.11.4-1
6.11.5-1~bpo12+1
6.11.5-1
6.11.6-1
6.11.7-1
6.11.9-1
6.11.10-1~bpo12+1
6.11.10-1
6.12~rc6-1~exp1

Ecosystem specific

{
    "urgency": "not yet assigned"
}