CVE-2024-26656 in Linux

Summary

by MITRE • 04/02/2024

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: fix use-after-free bug

The bug can be triggered by sending a single amdgpu_gem_userptr_ioctl to the AMDGPU DRM driver on any ASIC with an invalid address and size. The bug was reported by Joonkyo Jung. For example, the following code:

    static void Syzkaller1(int fd)
    {
        struct drm_amdgpu_gem_userptr arg;
        int ret;

        arg.addr  = 0xffffffffffff0000;
        arg.size  = 0x80000000; /* 2 GB */
        arg.flags = 0x7;
        ret = drmIoctl(fd, 0xc1186451 /* amdgpu_gem_userptr_ioctl */, &arg);
    }

Because the address and size are not valid, there is a failure in amdgpu_hmm_register->mmu_interval_notifier_insert->__mmu_interval_notifier_insert->check_shl_overflow, but even after the amdgpu_hmm_register failure we still call amdgpu_hmm_unregister from amdgpu_gem_object_free, which causes access to a bad address. The following stack trace is produced when the issue is reproduced with KASAN enabled:

[ +0.000014] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020
[ +0.000009] RIP: 0010:mmu_interval_notifier_remove+0x327/0x340
[ +0.000017] Code: ff ff 49 89 44 24 08 48 b8 00 01 00 00 00 00 ad de 4c 89 f7 49 89 47 40 48 83 c0 22 49 89 47 48 e8 ce d1 2d 01 e9 32 ff ff ff 0b e9 16 ff ff ff 4c 89 ef e8 fa 14 b3 ff e9 36 ff ff ff e8 80
[ +0.000014] RSP: 0018:ffffc90002657988 EFLAGS: 00010246
[ +0.000013] RAX: 0000000000000000 RBX: 1ffff920004caf35 RCX: ffffffff8160565b
[ +0.000011] RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffff8881a9f78260
[ +0.000010] RBP: ffffc90002657a70 R08: 0000000000000001 R09: fffff520004caf25
[ +0.000010] R10: 0000000000000003 R11: ffffffff8161d1d6 R12: ffff88810e988c00
[ +0.000010] R13: ffff888126fb5a00 R14: ffff88810e988c0c R15: ffff8881a9f78260
[ +0.000011] FS: 00007ff9ec848540(0000) GS:ffff8883cc880000(0000) knlGS:0000000000000000
[ +0.000012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ +0.000010] CR2: 000055b3f7e14328 CR3: 00000001b5770000 CR4: 0000000000350ef0
[ +0.000010] Call Trace:
[ +0.000007] ? show_regs+0x6a/0x80
[ +0.000018] ? __warn+0xa5/0x1b0
[ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340
[ +0.000018] ? report_bug+0x24a/0x290
[ +0.000022] ? handle_bug+0x46/0x90
[ +0.000015] ? exc_invalid_op+0x19/0x50
[ +0.000016] ? asm_exc_invalid_op+0x1b/0x20
[ +0.000017] ? kasan_save_stack+0x26/0x50
[ +0.000017] ? mmu_interval_notifier_remove+0x23b/0x340
[ +0.000019] ? mmu_interval_notifier_remove+0x327/0x340
[ +0.000019] ? mmu_interval_notifier_remove+0x23b/0x340
[ +0.000020] ? __pfx_mmu_interval_notifier_remove+0x10/0x10
[ +0.000017] ? kasan_save_alloc_info+0x1e/0x30
[ +0.000018] ? srso_return_thunk+0x5/0x5f
[ +0.000014] ? __kasan_kmalloc+0xb1/0xc0
[ +0.000018] ? srso_return_thunk+0x5/0x5f
[ +0.000013] ? __kasan_check_read+0x11/0x20
[ +0.000020] amdgpu_hmm_unregister+0x34/0x50 [amdgpu]
[ +0.004695] amdgpu_gem_object_free+0x66/0xa0 [amdgpu]
[ +0.004534] ? __pfx_amdgpu_gem_object_free+0x10/0x10 [amdgpu]
[ +0.004291] ? do_syscall_64+0x5f/0xe0
[ +0.000023] ? srso_return_thunk+0x5/0x5f
[ +0.000017] drm_gem_object_free+0x3b/0x50 [drm]
[ +0.000489] amdgpu_gem_userptr_ioctl+0x306/0x500 [amdgpu]
[ +0.004295] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]
[ +0.004270] ? srso_return_thunk+0x5/0x5f
[ +0.000014] ? __this_cpu_preempt_check+0x13/0x20
[ +0.000015] ? srso_return_thunk+0x5/0x5f
[ +0.000013] ? sysvec_apic_timer_interrupt+0x57/0xc0
[ +0.000020] ? srso_return_thunk+0x5/0x5f
[ +0.000014] ? asm_sysvec_apic_timer_interrupt+0x1b/0x20
[ +0.000022] ? drm_ioctl_kernel+0x17b/0x1f0 [drm]
[ +0.000496] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]
[ +0.004272] ? drm_ioctl_kernel+0x190/0x1f0 [drm]
[ +0.000492] drm_ioctl_kernel+0x140/0x1f0 [drm]
[ +0.000497] ? __pfx_amdgpu_gem_userptr_ioctl+0x10/0x10 [amdgpu]
[ +0.004297] ? __pfx_drm_ioctl_kernel+0x10/0x10 [d
---truncated---


Analysis

by VulDB Data Team • 03/17/2025

The vulnerability CVE-2024-26656 represents a use-after-free flaw within the Linux kernel's AMDGPU Direct Rendering Manager (DRM) driver, specifically affecting the amdgpu_gem_userptr_ioctl function. This issue arises when a malformed user pointer is passed to the AMDGPU DRM driver, triggering an invalid memory access pattern that leads to a potential system crash or privilege escalation. The flaw is categorized under CWE-416, which denotes use-after-free conditions, and aligns with ATT&CK technique T1068, involving privilege escalation through kernel vulnerabilities. The vulnerability occurs during the processing of user-space memory mappings where the driver attempts to register and subsequently unregister memory notifiers without proper validation of the initial registration failure.

The technical mechanism of this vulnerability involves a sequence of function calls starting with amdgpu_gem_userptr_ioctl, which processes user-provided memory addresses and sizes. When invalid parameters are passed, such as an address of 0xffffffffffff0000 with a size of 0x80000000, the validation process fails in amdgpu_hmm_register, specifically within the mmu_interval_notifier_insert chain. The problematic code path executes check_shl_overflow and other validation checks, but despite the registration failure, the driver continues execution and calls amdgpu_hmm_unregister within the amdgpu_gem_object_free function. This improper flow leads to a double-free or use-after-free condition where the driver attempts to access memory that has already been freed or is otherwise invalid. The stack trace demonstrates that the error propagates through mmu_interval_notifier_remove, where the kernel attempts to access freed memory regions, resulting in a kernel oops or system crash.

The operational impact of this vulnerability extends beyond simple system instability, as it could potentially be exploited by malicious actors to escalate privileges or cause denial of service on systems running affected AMDGPU drivers. The vulnerability affects all AMDGPU ASICs (the stack trace above was captured with KASAN, the kernel address sanitizer, enabled), making it particularly concerning for gaming systems, workstation environments, and server configurations that rely on AMD graphics hardware. The attack surface is limited to processes with access to the DRM device node, typically requiring either local user access or exploitation through a compromised application that can make DRM ioctls. The vulnerability is especially dangerous in containerized environments or systems where untrusted applications might interact with the graphics subsystem. The fix implemented addresses the core issue by ensuring that amdgpu_hmm_unregister is only called when amdgpu_hmm_register successfully completes, preventing the invalid memory access pattern that leads to the use-after-free condition.
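The register-fails-but-unregister-still-runs pattern described in the two paragraphs above, as an added user-space model written for this page, not the kernel's code: it contrasts a free path that unregisters unconditionally with one that only unregisters after a completed registration. The function names, the ordering inside notifier_insert (mm stored before the interval is validated) and the BAD_ACCESS return value standing in for the KASAN-reported access are all constructed assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed user-space model of the userptr register/unregister pair;
 * names mirror the kernel's, but none of this is the kernel's code. */
#define BAD_ACCESS 1000   /* stand-in for the access KASAN reports */
struct notifier { void *mm; int inserted; };
static int dummy_mm;      /* stands in for current->mm */

/* Model of mmu_interval_notifier_insert (assumed ordering): mm is stored
 * before the interval is validated, so failure leaves partial state. */
static int notifier_insert(struct notifier *n, void *mm, uint64_t start, uint64_t len)
{
    n->mm = mm;
    if (len == 0 || start > UINT64_MAX - (len - 1))
        return -EOVERFLOW;            /* start + len - 1 would wrap */
    n->inserted = 1;
    return 0;
}

/* Removing a notifier that was never linked is the bad access. */
static int notifier_remove(struct notifier *n)
{
    if (!n->inserted)
        return BAD_ACCESS;
    n->inserted = 0;
    n->mm = NULL;
    return 0;
}

/* Vulnerable flow: the free path unregisters unconditionally. */
int userptr_ioctl_vulnerable(uint64_t addr, uint64_t size)
{
    struct notifier bo = {0};
    int r = notifier_insert(&bo, &dummy_mm, addr, size);
    int f = notifier_remove(&bo);     /* amdgpu_gem_object_free */
    return f ? f : r;
}

/* Fixed flow: failed registration clears the state and the free path
 * only unregisters when registration completed. */
int userptr_ioctl_fixed(uint64_t addr, uint64_t size)
{
    struct notifier bo = {0};
    int r = notifier_insert(&bo, &dummy_mm, addr, size);
    if (r) bo.mm = NULL;              /* registration did not complete */
    if (bo.mm) notifier_remove(&bo);  /* only after success */
    return r;
}
```

With the address and size from the summary, the vulnerable flow reports the bad access while the fixed flow returns a clean -EOVERFLOW; a valid range succeeds on both paths.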

Mitigation strategies should focus on applying the latest kernel updates that contain the patched version of the AMDGPU driver, which resolves the improper conditional logic in the memory management functions. System administrators should also consider implementing additional security controls such as restricting access to DRM device nodes, employing kernel lockdown features, and monitoring for suspicious ioctl activity patterns. The vulnerability highlights the importance of proper error handling in kernel modules, particularly when dealing with memory management operations that involve multiple function calls with potential failure points. Security teams should monitor for exploitation attempts targeting this specific vulnerability, especially in environments where AMDGPU drivers are actively used, and ensure that all systems are updated to versions containing the fix. The issue also underscores the need for comprehensive testing of kernel driver error paths, particularly in graphics subsystems where memory mapping operations are frequent and complex.

Reservation

02/19/2024

Disclosure

04/02/2024

Moderation

accepted

CPE

ready

EPSS

0.00225

KEV

no

Activities

very low

Sources
