CVE-2024-46866 in Linuxinfo

Summary

by MITRE • 09/27/2024

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/client: add missing bo locking in show_meminfo()

bo_meminfo() wants to inspect bo state like tt and the ttm resource, however this state can change at any point leading to stuff like NPD and UAF, if the bo lock is not held. Grab the bo lock when calling bo_meminfo(), ensuring we drop any spinlocks first. In the case of object_idr we now also need to hold a ref.

v2 (MattB) - Also add xe_bo_assert_held()

(cherry picked from commit 4f63d712fa104c3ebefcb289d1e733e86d8698c7)

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 04/05/2026

The vulnerability identified as CVE-2024-46866 resides within the Linux kernel's graphics subsystem, specifically affecting the drm/xe/client component. This flaw manifests in the show_meminfo() function where improper locking mechanisms lead to potential race conditions and memory corruption issues. The vulnerability stems from the bo_meminfo() function attempting to inspect buffer object state information including translation table and ttm resource details without proper synchronization. When buffer object state changes concurrently during inspection, it creates dangerous scenarios that can result in null pointer dereferences and use-after-free conditions, fundamentally compromising system stability and security.

The technical implementation flaw occurs when bo_meminfo() accesses buffer object state information without acquiring the necessary bo lock. This oversight creates a race condition where concurrent modifications to buffer object state can occur while the function is inspecting these values. The buffer object's translation table and ttm resource structures are particularly vulnerable as they can undergo state transitions at any moment, leading to inconsistent data access patterns. The vulnerability specifically affects the graphics driver's memory management subsystem where buffer objects are tracked and managed through object_idr structures, making it critical for graphics-intensive applications and systems relying on proper memory management.

The operational impact of this vulnerability extends beyond simple system instability to potential security exploitation. When null pointer dereferences and use-after-free conditions occur, attackers could potentially leverage these memory corruption issues to execute arbitrary code or cause denial of service conditions. The vulnerability affects systems using the Intel graphics driver implementation within the Linux kernel, particularly those utilizing the xe graphics driver framework. The risk is elevated in multi-threaded environments where concurrent buffer object operations increase the likelihood of race conditions occurring during memory information retrieval.

Mitigation strategies for CVE-2024-46866 require implementing proper locking mechanisms throughout the affected code path. The fix involves acquiring the bo lock before calling bo_meminfo() and ensuring all spinlocks are properly dropped before the function execution. Additionally, the solution includes holding proper references when accessing object_idr structures to prevent premature object deallocation. This approach aligns with established security practices for concurrent programming and memory management, addressing the underlying race condition through proper synchronization mechanisms. The fix also incorporates xe_bo_assert_held() to validate lock acquisition, providing additional verification that the proper locking protocol is maintained throughout the buffer object lifecycle.

This vulnerability maps to CWE-362, which specifically addresses race conditions in concurrent programming, and relates to ATT&CK technique T1059.007 for privilege escalation through kernel exploits. The fix demonstrates proper adherence to kernel security best practices by implementing appropriate locking semantics and ensuring proper reference counting mechanisms. The solution represents a defensive programming approach that prevents data races through explicit synchronization, protecting against both accidental corruption and potential exploitation by malicious actors. The vulnerability highlights the importance of careful lock management in kernel space code where memory corruption can lead to complete system compromise.

Responsible

Linux

Reservation

09/11/2024

Disclosure

09/27/2024

Moderation

accepted

CPE

ready

EPSS

0.00140

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!