Bug 1939686 (CVE-2021-20292)

Summary: CVE-2021-20292 kernel: DRM Memory Management Double Free Privilege Escalation Vulnerability
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, bhu, blc, bmasney, carnil, chwhite, crwood, dvlasenk, hdegoede, hkrzesin, jarodwilson, jeremy, jforbes, jlelli, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, masami256, mchehab, mlangsdo, nmurray, ptalbert, qzhao, rkeshri, rvrbovsk, steved, walters, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Kernel 5.9
Doc Type: If docs needed, set a value
Doc Text:
There is a flaw reported in drivers/gpu/drm/nouveau/nouveau_sgdma.c in nouveau_sgdma_create_ttm in the Nouveau DRM subsystem. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker with a local account with root privilege can leverage this vulnerability to escalate privileges and execute code in the context of the kernel.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1939687, 1941919, 1941920, 1941921, 1942108, 1942109
Bug Blocks: 1919800

Description Dhananjay Arunesh 2021-03-16 19:50:26 UTC
There is a flaw reported in drivers/gpu/drm/nouveau/nouveau_sgdma.c in nouveau_sgdma_create_ttm in the Nouveau DRM subsystem. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker with a local account with root privilege can leverage this vulnerability to escalate privileges and execute code in the context of the kernel.

This has already been addressed in the upstream commit 5de5b6ecf97a021f29403aa272cb4e03318ef586

Note:
Kernels with the CONFIG_SLAB_FREELIST_HARDENED=y option enabled should not be affected by this flaw.
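The note above rests on the SLUB freelist hardening: with CONFIG_SLAB_FREELIST_HARDENED=y the allocator refuses to free an object that is already the head of the freelist (the kernel calls BUG() there) and masks the "next free" pointer stored inside each free object with a per-cache secret. The toy single-slab allocator below is an added illustration of that check, not code from this bug report or from the kernel; the names (toy_slab, toy_alloc, toy_free), the object sizes and the secret key are constructed for the demo. It shows why a plain freelist turns a double free into two allocations that alias the same memory, and why the hardened check stops that at the second free.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not kernel code: a single-slab allocator whose free
 * objects carry a "next free" pointer in their first bytes, as SLUB does. */
#define SLAB_OBJECTS 8
#define OBJECT_SIZE  32

struct toy_slab {
    unsigned char storage[SLAB_OBJECTS * OBJECT_SIZE];
    void *freelist;               /* head of the free list, NULL when empty */
    uintptr_t key;                /* per-cache secret (constructed value in demos) */
    bool hardened;                /* emulate CONFIG_SLAB_FREELIST_HARDENED=y */
    unsigned long double_frees_caught;
};

/* With hardening on, a stored freelist pointer is XORed with the secret and
 * the slot address, so a plain overwrite cannot plant a chosen "next" link. */
static uintptr_t mask_ptr(const struct toy_slab *s, uintptr_t p, const void *slot)
{
    return s->hardened ? p ^ s->key ^ (uintptr_t)slot : p;
}

static void *get_freepointer(const struct toy_slab *s, const void *obj)
{
    uintptr_t stored;
    memcpy(&stored, obj, sizeof stored);
    return (void *)mask_ptr(s, stored, obj);
}

static void set_freepointer(const struct toy_slab *s, void *obj, const void *fp)
{
    uintptr_t stored = mask_ptr(s, (uintptr_t)fp, obj);
    memcpy(obj, &stored, sizeof stored);
}

void toy_slab_init(struct toy_slab *s, bool hardened, uintptr_t key)
{
    memset(s, 0, sizeof *s);
    s->hardened = hardened;
    s->key = key;
    for (int i = SLAB_OBJECTS - 1; i >= 0; i--) {  /* thread objects onto the list */
        void *obj = s->storage + (size_t)i * OBJECT_SIZE;
        set_freepointer(s, obj, s->freelist);
        s->freelist = obj;
    }
}

void *toy_alloc(struct toy_slab *s)
{
    void *obj = s->freelist;
    if (!obj)
        return NULL;
    s->freelist = get_freepointer(s, obj);
    memset(obj, 0, OBJECT_SIZE);
    return obj;
}

/* Returns false when the hardened freelist rejects the free: the object is
 * already the list head, i.e. it was freed a moment ago. The kernel BUG()s
 * at this point; the toy just refuses the free and counts the event. */
bool toy_free(struct toy_slab *s, void *obj)
{
    if (s->hardened && obj == s->freelist) {
        s->double_frees_caught++;
        return false;
    }
    set_freepointer(s, obj, s->freelist);
    s->freelist = obj;
    return true;
}

/* Free the same object twice and report whether the second free was caught. */
bool double_free_detected(bool hardened)
{
    struct toy_slab s;
    toy_slab_init(&s, hardened, 0x5a5a5a5aULL);  /* constructed secret */
    void *a = toy_alloc(&s);
    toy_free(&s, a);
    bool accepted = toy_free(&s, a);
    return !accepted && s.double_frees_caught == 1;
}

/* Without the check, the double free makes the list point at itself and two
 * consecutive allocations hand out the same memory. */
bool allocs_alias_after_double_free(bool hardened)
{
    struct toy_slab s;
    toy_slab_init(&s, hardened, 0x5a5a5a5aULL);  /* constructed secret */
    void *a = toy_alloc(&s);
    toy_free(&s, a);
    toy_free(&s, a);
    void *x = toy_alloc(&s);
    void *y = toy_alloc(&s);
    return x == y;
}

int main(void)
{
    printf("hardened: double free caught=%d, aliasing=%d\n",
           double_free_detected(true), allocs_alias_after_double_free(true));
    printf("plain   : double free caught=%d, aliasing=%d\n",
           double_free_detected(false), allocs_alias_after_double_free(false));
    return 0;
}
```

The real kernel check only catches the case where the object being freed is the current head of the freelist (an immediate double free); a double free with other frees in between is not caught by this option alone, which is why it is a hardening measure and not a complete fix for the underlying bug.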

Comment 1 Dhananjay Arunesh 2021-03-16 19:51:06 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1939687]

Comment 2 Justin M. Forbes 2021-03-17 16:16:23 UTC
Not really much to go on here, no CVE, no upstream reference?

Comment 4 Justin M. Forbes 2021-03-22 22:43:24 UTC
So a CVE was gotten, but there are still absolutely no details here. Where in DRM? Is there an upstream patch, or even any upstream discussion?

Comment 13 Rohit Keshri 2021-03-24 05:37:55 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 14 Justin M. Forbes 2021-04-13 16:11:10 UTC
This was fixed for Fedora with the 5.7.16 stable kernel updates.

Comment 26 Dave Airlie 2021-06-09 19:29:39 UTC
This analysis is bogus and makes no sense. Where did someone get the idea for this fixing a double free in nouveau? The code before and after the patch is correct and operates the same.

Comment 28 Rohit Keshri 2021-06-24 07:25:01 UTC
Hi David, I got a chance to revisit the flaw, where Greg said exploiting this flaw needs fault injection enabled (https://seclists.org/oss-sec/2020/q3/127), which is not enabled in any version of RHEL, so marking RHEL not affected.