Bug 2157270 (CVE-2023-0030)

Summary: CVE-2023-0030 kernel: Use after Free in nvkm_vmm_pfn_map
Product: [Other] Security Response
Reporter: Alex <allarkin>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, ben, bhu, bskeggs, carolynquinn609, chwhite, crwood, ddepaula, debarbos, dfreiber, dhoward, dvlasenk, ezulian, hdegoede, hkrzesin, hpa, jarod, jarodwilson, jburrell, jfaracco, jferlan, jforbes, jglisse, jlelli, joe.lawrence, josef, jpazdziora, jshortt, jstancek, jwyatt, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lleshchi, lzampier, masami256, mchehab, nmurray, ptalbert, qzhao, rogbas, rvrbovsk, scweaver, steve.beattie, steved, tyberry, vkumar, walters, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Linux kernel 5.0-rc1
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the Linux kernel’s nouveau driver in how a user triggers a memory overflow that causes the nvkm_vma_tail function to fail. This flaw allows a local user to crash or potentially escalate their privileges on the system.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-01-03 02:30:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2157041, 2157271, 2157272
Bug Blocks: 2157079, 2175316

Description Alex 2023-01-01 14:31:41 UTC
A vulnerability was found in the kernel, where a use-after-free in nouveau's nvkm_vmm_pfn_map() could happen.

Description of problem:
Here is the function call chain:
nvkm_vmm_pfn_map->nvkm_vmm_pfn_split_merge->nvkm_vmm_node_split
If nvkm_vma_tail returns NULL in nvkm_vmm_node_split, it will
finally invoke nvkm_vmm_node_merge->nvkm_vmm_node_delete, which
will free the vma. However, nvkm_vmm_pfn_map doesn't notice that.
It goes into the next label and a UAF happens.

How reproducible:
This bug is hard to trigger. It requires nvkm_vma_tail to return NULL,
which means kzalloc returns NULL.

Steps to Reproduce:
1. Make a lot of memory allocations in the Linux kernel so that
kzalloc fails in nvkm_vma_tail
2. UAF happens

Reference:
https://github.com/torvalds/linux/commit/729eba3355674f2d9524629b73683ba1d1cd3f10
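To make the call chain in the report concrete, here is an added C model (not code from the nouveau driver, the reporter, or any upstream fix) of the vulnerable caller next to a hardened one. struct vma, split_merge(), node_delete(), fail_alloc and freed_touches are all constructed stand-ins, and the free is replaced by poisoning so that a stale dereference can be counted instead of crashing.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
/* Simplified model of a nouveau VMA node; only the fields the bug needs. */
struct vma { struct vma *next; unsigned long addr, size; bool freed; };
static bool fail_alloc;    /* constructed knob: make the split's allocation fail */
static int freed_touches;  /* dereferences of a node after it was freed */
/* Stand-in for nvkm_vmm_node_delete(): poisons the node instead of releasing it. */
static void node_delete(struct vma *v) { v->freed = true; }
/* Reads the node; in the real kernel this is where freed memory would be touched. */
static unsigned long vma_end(struct vma *v) { if (v->freed) freed_touches++; return v->addr + v->size; }
/* Stand-in for nvkm_vmm_pfn_split_merge(): an exact match needs no split; otherwise the
 * split allocates and, on failure, merges the node away (freeing it) and returns NULL. */
static struct vma *split_merge(struct vma *v, unsigned long addr, unsigned long size)
{
    if (v->addr == addr && v->size == size) return v;
    if (fail_alloc) { node_delete(v); return NULL; }
    v->addr = addr; v->size = size;  /* simplified: shrink in place */
    return v;
}
/* Vulnerable pattern: the NULL is noticed, but control still reaches 'next:',
 * where the possibly freed vma is dereferenced. */
int pfn_map_vulnerable(struct vma *vma, unsigned long addr, unsigned long size)
{
    int ret = 0;
    if (!split_merge(vma, addr, size)) { ret = -ENOMEM; goto next; }
next:
    if (vma_end(vma) == addr + size) vma = vma->next;
    return ret;
}
/* Hardened pattern (added here, not upstream's fix): once the callee may have
 * freed the node, return at once and never touch it again. */
int pfn_map_hardened(struct vma *vma, unsigned long addr, unsigned long size)
{
    struct vma *tmp = split_merge(vma, addr, size);
    if (!tmp) return -ENOMEM;
    if (vma_end(tmp) == addr + size) tmp = tmp->next;
    return 0;
}
/* Runs a caller on a constructed two-node list with a partial range (so a split is
 * needed) while allocation fails; returns how often a freed node was touched. */
int freed_touches_for(int (*caller)(struct vma *, unsigned long, unsigned long))
{
    struct vma b = { NULL, 0x2000, 0x1000, false }, a = { &b, 0x1000, 0x1000, false };
    fail_alloc = true; freed_touches = 0;
    caller(&a, 0x1000, 0x800);
    fail_alloc = false;
    return freed_touches;
}
```

Under simulated allocation failure the vulnerable caller touches the poisoned node once at the 'next:' label, while the hardened caller returns -ENOMEM without touching it.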

Comment 1 Alex 2023-01-01 14:32:21 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-36 [bug 2157272]
Affects: fedora-37 [bug 2157271]

Comment 5 Product Security DevOps Team 2023-01-03 02:30:43 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-0030

Comment 6 Justin M. Forbes 2023-01-03 15:16:08 UTC
Not sure if this was backported to a 4.20 kernel for Fedora, but even if not, it was in 5.0 several years ago.  All currently supported Fedora releases have never shipped with an impacted kernel.

Comment 7 Ben Hutchings 2023-07-02 18:48:31 UTC
Looking at the referenced commit:

commit 729eba3355674f2d9524629b73683ba1d1cd3f10
Author: Ben Skeggs <bskeggs>
Date:   Tue Dec 11 14:50:02 2018 +1000
 
    drm/nouveau/mmu: add more general vmm free/node handling functions

I see that this *introduces* some of the functions referred to by the
original report.  So this can't be the fix.

The bug seems to be in nvkm_vmm_pfn_map() which was introduced in 5.1 by:

commit a5ff307fe1f2dfe91253e3c19586643a77b6ce52
Author: Ben Skeggs <bskeggs>
Date:   Sat Jul 7 12:35:48 2018 +1000
 
    drm/nouveau/mmu: add a privileged method to directly manage PTEs

and I don't think it has ever been fixed (as none of the functions have
been changed).
