There is a flaw reported in drivers/gpu/drm/nouveau/nouveau_sgdma.c in nouveau_sgdma_create_ttm in the Nouveau DRM subsystem. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker with a local account with root privilege can leverage this vulnerability to escalate privileges and execute code in the context of the kernel.
This has already been addressed in upstream commit 5de5b6ecf97a021f29403aa272cb4e03318ef586.
Kernels with the CONFIG_SLAB_FREELIST_HARDENED=y option enabled should not be affected by this flaw.
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1939687]
Not really much to go on here, no CVE, no upstream reference?
So a CVE was gotten, but there are still absolutely no details here. Where in DRM? Is there an upstream patch, or even any upstream discussion?
This was fixed in this commit upstream: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5de5b6ecf97a021f29403aa272cb4e03318ef586
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to a widespread installation base, or stability.
This was fixed for Fedora with the 5.7.16 stable kernel updates.
This analysis is bogus and makes no sense. Where did someone get the idea that this fixes a double free in nouveau? The code before and after the patch is correct and operates the same.
Hi David, I got a chance to revisit the flaw. Greg said exploiting this flaw needs fault injection enabled (https://seclists.org/oss-sec/2020/q3/127), which is not enabled in any version of RHEL, so I am marking RHEL as not affected.