Bug 1222085 (CVE-2023-52625) - VUL-0: CVE-2023-52625: kernel: drm/amd/display: Refactor DMCUB enter/exit idle interface
Status: RESOLVED FIXED
Alias: CVE-2023-52625
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/399009/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-52625:5.5:(AV:...
Reported: 2024-03-27 16:16 UTC by SMASH SMASH
Modified: 2024-06-25 18:23 UTC
Found By: Security Response Team
Description SMASH SMASH 2024-03-27 16:16:04 UTC
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Refactor DMCUB enter/exit idle interface

[Why]
We can hang in place trying to send commands when the DMCUB isn't
powered on.

[How]
We need to exit out of the idle state prior to sending a command,
but the process that performs the exit also invokes a command itself.

Fixing this issue involves the following:

1. Using a software state to track whether or not we need to start
   the process to exit idle or notify idle.

It's possible for the hardware to have exited an idle state without
driver knowledge, but entering one is always restricted to a driver
allow - which makes the SW state vs HW state mismatch issue purely one
of optimization, which should seldom be hit, if at all.

2. Refactor any instances of exit/notify idle to use a single wrapper
   that maintains this SW state.

This works similar to dc_allow_idle_optimizations, but works at the
DMCUB level and makes sure the state is marked prior to any notify/exit
idle so we don't enter an infinite loop.

3. Make sure we exit out of idle prior to sending any commands or
   waiting for DMCUB idle.

This patch takes care of 1/2. A future patch will take care of wrapping
DMCUB command submission with calls to this new interface.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-52625
https://www.cve.org/CVERecord?id=CVE-2023-52625
https://git.kernel.org/stable/c/820c3870c491946a78950cdf961bf40e28c1025f
https://git.kernel.org/stable/c/8e57c06bf4b0f51a4d6958e15e1a99c9520d00fa
https://bugzilla.redhat.com/show_bug.cgi?id=2271682
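
A user-space model of the re-entrancy described under [How], added here as an example: it is not the kernel patch or amdgpu code, and every name in it (dmub_model, set_idle, send_cmd, run_model, MAX_DEPTH) is hypothetical. It models all three items, including the command-submission wrapping that the description leaves to a future patch, and uses a depth guard to stand in for the hang.

```c
#include <stdbool.h>
#include <stdio.h>
#define MAX_DEPTH 8 /* demo guard standing in for "hang in place" */

/* Hypothetical user-space model; these names are not the amdgpu driver's. */
struct dmub_model {
    bool idle_allowed; /* software state kept by the driver */
    bool mark_first;   /* true: update SW state before the exit command */
    int depth;         /* current nesting of send_cmd() */
    int cmds_done;     /* commands that completed */
};
static int send_cmd(struct dmub_model *d);

/* Single wrapper for exit/notify idle (items 1 and 2 of the description). */
static int set_idle(struct dmub_model *d, bool allow)
{
    if (d->idle_allowed == allow)
        return 0;                /* SW state says nothing to do */
    if (d->mark_first)
        d->idle_allowed = allow; /* mark before the nested command */
    int rc = send_cmd(d);        /* exit/notify itself sends a command */
    if (rc == 0)
        d->idle_allowed = allow;
    return rc;
}

/* Item 3: exit idle before submitting any command. */
static int send_cmd(struct dmub_model *d)
{
    int rc = -1;                 /* stays -1 if re-entered without progress */
    if (++d->depth <= MAX_DEPTH)
        rc = d->idle_allowed ? set_idle(d, false) : 0;
    if (rc == 0)
        d->cmds_done++;
    d->depth--;
    return rc;
}

/* Start idle, submit one command; returns commands completed or -1. */
static int run_model(bool mark_first)
{
    struct dmub_model d = { .idle_allowed = true, .mark_first = mark_first };
    return send_cmd(&d) == 0 ? d.cmds_done : -1;
}

int main(void)
{
    printf("mark after: %d, mark first: %d\n", run_model(false), run_model(true));
    return 0;
}
```

With the state marked first, the nested exit command and the original command both complete; with the state updated only afterwards, every nested submission tries to exit idle again until the guard trips.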
Comment 1 Andrea Mattiazzo 2024-03-27 16:22:12 UTC
Fixing commit (820c3870c491) found in:
 - ALP-current
 - SLE15-SP6
 - SLE15-SP6-GA
 - stable

Other codestreams lack 0710-drm-amd-display-Add-DCN35-DM-Support.patch and so are not affected.
Comment 4 Oscar Salvador 2024-04-17 03:39:15 UTC
@Patrik: Can you please have a look?

./scripts/check-kernel-fix CVE-2023-52625
8e57c06bf4b0 ("drm/amd/display: Refactor DMCUB enter/exit idle interface") merged v6.8-rc1~111^2~1^2~86
Security fix for CVE-2023-52625 bsc#1222085 with CVSS 5.5
..............................
ACTION NEEDED!
SLE15-SP5: MANUAL: might need backport of 8e57c06bf4b0f51a4d6958e15e1a99c9520d00fa ()
SLE12-SP5: MANUAL: might need backport of 8e57c06bf4b0f51a4d6958e15e1a99c9520d00fa ()
SLE12-SP3-TD: MANUAL: might need backport of 8e57c06bf4b0f51a4d6958e15e1a99c9520d00fa ()
Comment 5 Patrik Jakobsson 2024-04-17 06:38:21 UTC
(In reply to Andrea Mattiazzo from comment #1)
> Fixing commit (820c3870c491) found in:
>  - ALP-current
>  - SLE15-SP6
>  - SLE15-SP6-GA
>  - stable
> 
> Other codestreams lack 0710-drm-amd-display-Add-DCN35-DM-Support.patch
> and so are not affected.

Yes, this is a fix that is only relevant to DCN35 and newer versions of the display controller. DCN35 was introduced in [1] which is not available in SLE15-SP5, SLE12-SP5 or SLE12-SP3-TD.

No further action is needed. Reassigning.

[1] 65138eb72e1fc687be49932b9a45325598ffa01c