Bug 2157270 (CVE-2023-0030)
Summary: | CVE-2023-0030 kernel: Use after Free in nvkm_vmm_pfn_map | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Alex <allarkin> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | acaringi, adscvr, airlied, alciregi, ben, bhu, bskeggs, carolynquinn609, chwhite, crwood, ddepaula, debarbos, dfreiber, dhoward, dvlasenk, ezulian, hdegoede, hkrzesin, hpa, jarod, jarodwilson, jburrell, jfaracco, jferlan, jforbes, jglisse, jlelli, joe.lawrence, josef, jpazdziora, jshortt, jstancek, jwyatt, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lleshchi, lzampier, masami256, mchehab, nmurray, ptalbert, qzhao, rogbas, rvrbovsk, scweaver, steve.beattie, steved, tyberry, vkumar, walters, williams |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | Linux kernel 5.0-rc1 | Doc Type: | If docs needed, set a value |
Doc Text: | A use-after-free flaw was found in the Linux kernel’s nouveau driver in how a user triggers a memory overflow that causes the nvkm_vma_tail function to fail. This flaw allows a local user to crash or potentially escalate their privileges on the system. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2023-01-03 02:30:48 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 2157041, 2157271, 2157272 | | |
Bug Blocks: | 2157079, 2175316 | | |
Description
Alex
2023-01-01 14:31:41 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-36 [bug 2157272]
Affects: fedora-37 [bug 2157271]

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-0030

Not sure if this was backported to a 4.20 kernel for Fedora, but even if not, it was in 5.0 several years ago. All currently supported Fedora releases have never shipped with an impacted kernel.

Looking at the referenced commit:

commit 729eba3355674f2d9524629b73683ba1d1cd3f10
Author: Ben Skeggs <bskeggs>
Date: Tue Dec 11 14:50:02 2018 +1000

    drm/nouveau/mmu: add more general vmm free/node handling functions

I see that this *introduces* some of the functions referred to by the original report. So this can't be the fix.

The bug seems to be in nvkm_vmm_pfn_map() which was introduced in 5.1 by:

commit a5ff307fe1f2dfe91253e3c19586643a77b6ce52
Author: Ben Skeggs <bskeggs>
Date: Sat Jul 7 12:35:48 2018 +1000

    drm/nouveau/mmu: add a privileged method to directly manage PTEs

and I don't think it has ever been fixed (as none of the functions have been changed).