CVE-2024-26940 in Linux

Summary

by MITRE • 05/01/2024

In the Linux kernel, the following vulnerability has been resolved:

drm/vmwgfx: Create debugfs ttm_resource_manager entry only if needed

The driver creates /sys/kernel/debug/dri/0/mob_ttm even when the corresponding ttm_resource_manager is not allocated. This leads to a crash when trying to read from this file.

Add a check to create mob_ttm, system_mob_ttm, and gmr_ttm debug files only when the corresponding ttm_resource_manager is allocated.

crash> bt
PID: 3133409 TASK: ffff8fe4834a5000 CPU: 3 COMMAND: "grep"
#0 [ffffb954506b3b20] machine_kexec at ffffffffb2a6bec3
#1 [ffffb954506b3b78] __crash_kexec at ffffffffb2bb598a
#2 [ffffb954506b3c38] crash_kexec at ffffffffb2bb68c1
#3 [ffffb954506b3c50] oops_end at ffffffffb2a2a9b1
#4 [ffffb954506b3c70] no_context at ffffffffb2a7e913
#5 [ffffb954506b3cc8] __bad_area_nosemaphore at ffffffffb2a7ec8c
#6 [ffffb954506b3d10] do_page_fault at ffffffffb2a7f887
#7 [ffffb954506b3d40] page_fault at ffffffffb360116e
    [exception RIP: ttm_resource_manager_debug+0x11]
    RIP: ffffffffc04afd11 RSP: ffffb954506b3df0 RFLAGS: 00010246
    RAX: ffff8fe41a6d1200 RBX: 0000000000000000 RCX: 0000000000000940
    RDX: 0000000000000000 RSI: ffffffffc04b4338 RDI: 0000000000000000
    RBP: ffffb954506b3e08 R8: ffff8fee3ffad000 R9: 0000000000000000
    R10: ffff8fe41a76a000 R11: 0000000000000001 R12: 00000000ffffffff
    R13: 0000000000000001 R14: ffff8fe5bb6f3900 R15: ffff8fe41a6d1200
    ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#8 [ffffb954506b3e00] ttm_resource_manager_show at ffffffffc04afde7 [ttm]
#9 [ffffb954506b3e30] seq_read at ffffffffb2d8f9f3
    RIP: 00007f4c4eda8985 RSP: 00007ffdbba9e9f8 RFLAGS: 00000246
    RAX: ffffffffffffffda RBX: 000000000037e000 RCX: 00007f4c4eda8985
    RDX: 000000000037e000 RSI: 00007f4c41573000 RDI: 0000000000000003
    RBP: 000000000037e000 R8: 0000000000000000 R9: 000000000037fe30
    R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4c41573000
    R13: 0000000000000003 R14: 00007f4c41572010 R15: 0000000000000003
    ORIG_RAX: 0000000000000000 CS: 0033 SS: 002b


Analysis

by VulDB Data Team • 01/26/2026

The vulnerability identified as CVE-2024-26940 affects the Linux kernel's vmwgfx driver within the direct rendering manager subsystem, specifically the management of debug filesystem entries. The issue stems from improper initialization of debugfs entries for TTM resource managers, which can crash the system when a read is attempted on an uninitialized or non-existent debug file. The flaw lies in the drm/vmwgfx component, where debugfs entries are created regardless of whether the underlying ttm_resource_manager structures have been allocated, leading to memory access violations when these entries are subsequently accessed. The crash is a page fault raised when ttm_resource_manager_debug, reached through the ttm_resource_manager_show function that handles debug file reads, attempts to read from an uninitialized memory location.

The technical implementation flaw involves the driver's failure to perform proper validation checks before creating debugfs entries in the /sys/kernel/debug/dri/0/ directory. The affected entries include mob_ttm, system_mob_ttm, and gmr_ttm which are created without verifying if their corresponding ttm_resource_manager structures exist. This violates the principle of defensive programming and proper resource management. When user-space processes attempt to read from these debug files, the kernel's page fault handler triggers and leads to an immediate system crash, as evidenced by the stack trace showing execution paths through machine_kexec, __crash_kexec, and ultimately to the page_fault handler. The crash occurs at RIP: ttm_resource_manager_debug+0x11 in the kernel's ttm module, indicating a direct memory access violation when attempting to dereference a null or invalid pointer.

This vulnerability presents a significant operational impact as it can cause system instability and potential denial of service conditions in environments utilizing VMware graphics drivers. The crash occurs during normal system operation when debug file reads are performed, making it particularly dangerous in production environments where system reliability is paramount. The vulnerability aligns with CWE-476 which describes null pointer dereference conditions, and it represents a classic case of improper resource management that could be exploited by malicious actors to cause system crashes or potentially escalate privileges. The ATT&CK framework categorizes this under privilege escalation through kernel exploitation techniques, as the vulnerability could potentially be leveraged to gain unauthorized access to system resources or cause persistent system instability.

The recommended mitigation strategy involves implementing proper conditional checks before creating debugfs entries in the vmwgfx driver. The fix requires adding validation logic that verifies the existence of ttm_resource_manager structures before creating corresponding debugfs entries. This approach aligns with the principle of least privilege and defensive programming, ensuring that debug interfaces are only exposed when the underlying resources are properly initialized. System administrators should apply the kernel patch that implements this validation check, which typically involves modifying the driver initialization code to conditionally create debugfs entries based on resource allocation status. Additionally, monitoring systems should be enhanced to detect abnormal debug file access patterns that might indicate exploitation attempts, and regular kernel updates should be implemented to ensure all known vulnerabilities are addressed. The fix essentially prevents the creation of invalid debugfs entries, thereby eliminating the null pointer dereference condition that leads to system crashes.
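An added example, not code from the kernel or from this page: a userspace C model of the check described above, with the unconditional registration beside the conditional one. All type and function names are hypothetical stand-ins; the return codes -1 and -2 are conventions of this model only.

```c
#include <stddef.h>
#include <string.h>

/* Userspace model only: every name below is hypothetical, not a kernel API. */
struct res_manager { long size; };        /* stands in for ttm_resource_manager */
struct dbg_entry { const char *name; const struct res_manager *man; };
struct dbg_dir { struct dbg_entry e[8]; size_t n; };  /* stands in for debug/dri/0 */

static void add_entry(struct dbg_dir *d, const char *name, const struct res_manager *m)
{
    if (d->n < 8)
        d->e[d->n++] = (struct dbg_entry){ name, m };
}

/* Pre-fix pattern: all three files are created, allocated manager or not. */
void register_unchecked(struct dbg_dir *d, const struct res_manager *mob,
                        const struct res_manager *sys_mob, const struct res_manager *gmr)
{
    add_entry(d, "mob_ttm", mob);
    add_entry(d, "system_mob_ttm", sys_mob);
    add_entry(d, "gmr_ttm", gmr);
}

/* Post-fix pattern: a file is created only when its manager exists. */
void register_checked(struct dbg_dir *d, const struct res_manager *mob,
                      const struct res_manager *sys_mob, const struct res_manager *gmr)
{
    if (mob) add_entry(d, "mob_ttm", mob);
    if (sys_mob) add_entry(d, "system_mob_ttm", sys_mob);
    if (gmr) add_entry(d, "gmr_ttm", gmr);
}

/* Read model: -1 = handler would dereference NULL; -2 = no such file. */
long read_entry(const struct dbg_dir *d, const char *name)
{
    for (size_t i = 0; i < d->n; i++)
        if (strcmp(d->e[i].name, name) == 0)
            return d->e[i].man ? d->e[i].man->size : -1;
    return -2;
}

int main(void)
{
    struct res_manager gmr = { 4096 };  /* constructed sample: only GMR allocated */
    struct dbg_dir before = { .n = 0 }, after = { .n = 0 };
    register_unchecked(&before, NULL, NULL, &gmr);
    register_checked(&after, NULL, NULL, &gmr);
    return read_entry(&before, "mob_ttm") == -1 && read_entry(&after, "mob_ttm") == -2 ? 0 : 1;
}
```

With the check in place, a read of mob_ttm fails at lookup because the file was never created, instead of reaching a handler that has no manager to work on.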

Reservation

02/19/2024

Disclosure

05/01/2024

Moderation

accepted

CPE

ready

EPSS

0.00227

KEV

no

Activities

very low
