Bug 1212778 (CVE-2023-3355)

Summary: VUL-0: CVE-2023-3355: kernel-source-azure,kernel-source-rt,kernel-source: NULL pointer dereference in submit_lookup_cmds() in drivers/gpu/drm/msm/msm_gem_submit.c
Product: [Novell Products] SUSE Security Incidents
Reporter: Cathy Hu <cathy.hu>
Component: Incidents
Assignee: Kernel Bugs <kernel-bugs>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: mhocko, patrik.jakobsson, security-team, tiwai
Version: unspecified
Flags: mhocko: needinfo? (patrik.jakobsson)
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/370588/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Cathy Hu 2023-06-27 14:51:50 UTC
CVE-2023-3355

An issue was discovered in the Linux kernel through 6.1-rc8.
submit_lookup_cmds in drivers/gpu/drm/msm/msm_gem_submit.c lacks a check of
the return value of kmalloc() and will cause a NULL pointer dereference.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d839f0811a31322c087a859c2b181e2383daa7be

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3355
https://bugzilla.redhat.com/show_bug.cgi?id=2217820
Comment 1 Cathy Hu 2023-06-27 14:54:06 UTC
Fixing commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d839f0811a31322c087a859c2b181e2383daa7be

Commit introducing the issue: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=20224d715a88

Not affected (already contain fixing commit):
- stable
- SLE15-SP5
- SLE15-SP5-AZURE
- SLE15-SP5-RT
- SLE15-SP4-AZURE
- SLE15-SP4-RT
- SLE15-SP4
- ALP-current

Not affected (does not contain introducing commit):
- SLE12-SP5
- cve/linux-3.0
- cve/linux-4.12
- cve/linux-4.4
- cve/linux-5.3

closing
Comment 2 Michal Hocko 2023-06-27 15:23:02 UTC
I think there is a much bigger problem than the NULL ptr dereference. This will be mostly a crash of the calling process because nobody reasonable allows mapping the zero page. The CVE looks mostly inapplicable. But have a look at the fact that submit_cmd.nr_relocs is provided by the user space and that there is no actual bound check except for the overflow. This means that a user can control the allocation size, and kmalloc is not really great at allocating larger blocks, so this is effectively a way to deplete higher order physically contiguous memory. I do not have an insight into who is allowed to trigger this path and whether an untrusted user can abuse it.

But the real threat is the kmalloc here. kvmalloc should be used instead. This is worth fixing. Takashi or Patrik, could any of you have a look? I do not have a domain specific insight except for the above.
Comment 3 Takashi Iwai 2023-06-29 06:23:13 UTC
Right, that's a slight concern.  Those commands seem to be via GEM, and user-space can compose them freely.  But the allocated commands should be released soon after the execution, so the memory hog would be only for a little period.

The use of kvmalloc() is ideal, but above all, the driver should have some sensible size limit for submit_cmd.nr_relocs.
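The two defects raised in this bug, the unchecked allocation result from the CVE and the unbounded user-supplied submit_cmd.nr_relocs from comments 2 and 3, come down to one allocation pattern. The following userspace C model is added here as an illustration and is not the msm driver's code or the fixing commit: the struct layout, the MAX_RELOCS limit, the function name alloc_relocs and the failure-injection hook are all assumptions for the demo. It shows the order of checks a hardened lookup would do: bound the user-controlled count before sizing anything, compute the byte size so it cannot overflow, and test the allocation result before touching the memory (in-kernel the allocation itself would be the kvmalloc variant comment 2 asks for).

```c
/* Added illustration, not the msm driver's code: a userspace model of the
 * allocation pattern discussed in this bug. Names, limits and the hook are
 * assumptions for the demo. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical relocation entry; the real layout is not taken from the page. */
struct reloc {
    uint32_t submit_offset;
    uint32_t reloc_offset;
    uint32_t reloc_idx;
};

/* Assumed "sensible size limit" for the per-command relocation count. */
#define MAX_RELOCS 1024u

/* Allocation hook so a test can simulate an allocation failure without
 * actually exhausting memory. Defaults to malloc. */
static void *(*alloc_hook)(size_t) = malloc;

/*
 * Hardened version of the lookup's allocation step.
 * nr_relocs is treated as untrusted (user-space composes the command).
 * Returns 0 on success and *out points at zeroed storage (or NULL when
 * nr_relocs is 0); returns a negative errno value on failure with *out = NULL.
 */
int alloc_relocs(uint32_t nr_relocs, struct reloc **out)
{
    size_t bytes;

    *out = NULL;
    if (nr_relocs == 0)
        return 0;               /* nothing to allocate */
    if (nr_relocs > MAX_RELOCS)
        return -EINVAL;         /* reject oversized counts before allocating */

    /* The bound above also guarantees this multiplication cannot overflow. */
    bytes = (size_t)nr_relocs * sizeof(struct reloc);

    *out = alloc_hook(bytes);
    if (!*out)
        return -ENOMEM;         /* the check the original code was missing */
    memset(*out, 0, bytes);
    return 0;
}

/* Test helper: allocator that always fails, to exercise the ENOMEM path. */
static void *failing_alloc(size_t n)
{
    (void)n;
    return NULL;
}

void set_failing_allocator(int fail)
{
    alloc_hook = fail ? failing_alloc : malloc;
}
```

The order matters: rejecting an oversized count first means a caller can never drive a large allocation at all, which addresses the memory-depletion concern independently of whether the result check exists; the result check then covers the ordinary failure path that the CVE describes.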