Bug 1939686 (CVE-2021-20292) - CVE-2021-20292 kernel: DRM Memory Management Double Free Privilege Escalation Vulnerability
Summary: CVE-2021-20292 kernel: DRM Memory Management Double Free Privilege Escalation...
Keywords:
Status: NEW
Alias: CVE-2021-20292
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1942108 1942109 1939687 1941919 1941920 1941921
Blocks: 1919800
 
Reported: 2021-03-16 19:50 UTC by Dhananjay Arunesh
Modified: 2022-07-16 03:21 UTC (History)

Fixed In Version: Kernel 5.9
Doc Type: If docs needed, set a value
Doc Text:
There is a flaw reported in drivers/gpu/drm/nouveau/nouveau_sgdma.c in nouveau_sgdma_create_ttm in the Nouveau DRM subsystem. The issue results from a lack of validation that an object exists before operations are performed on it. An attacker with a local account with root privilege can leverage this vulnerability to escalate privileges and execute code in the context of the kernel.
Clone Of:
Environment:
Last Closed:



Description Dhananjay Arunesh 2021-03-16 19:50:26 UTC
There is a flaw reported in drivers/gpu/drm/nouveau/nouveau_sgdma.c in nouveau_sgdma_create_ttm in the Nouveau DRM subsystem. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker with a local account with root privilege can leverage this vulnerability to escalate privileges and execute code in the context of the kernel.

This has already been addressed in upstream commit 5de5b6ecf97a021f29403aa272cb4e03318ef586.

Note:
Kernels with the CONFIG_SLAB_FREELIST_HARDENED=y option enabled should not be affected by this flaw.
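
The description above claims an error-path double free, the note says CONFIG_SLAB_FREELIST_HARDENED=y defeats it, and comment 28 below adds that triggering it needs fault injection. The following is an added, constructed C model written for this page; it is not the nouveau_sgdma code and not the upstream patch (comment 26 disputes that the real driver has this bug at all). Every name in it (toy_alloc, toy_free, create_buggy, create_fixed, inject_init_failure and the rest) is hypothetical. It models the one check the hardened freelist actually adds to SLUB's set_freepointer(), BUG_ON(object == fp), as a counter rather than a BUG() so the program keeps running, and shows why the double free only appears when the inner init is forced to fail and what an unhardened double free does to the freelist.

```c
/* Constructed model of an error-path double free and of SLUB's
 * CONFIG_SLAB_FREELIST_HARDENED check BUG_ON(object == fp).
 * Not nouveau code, not the upstream patch; all names are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE 64
#define NUM_SLOTS 8

/* Toy slab: the free pointer lives at offset 0 of each free object. */
static unsigned char slab[NUM_SLOTS][SLOT_SIZE];
static void *freelist;            /* head of the free list */
static int hardened = 1;          /* 1: model CONFIG_SLAB_FREELIST_HARDENED=y */
static int double_free_hits;      /* times BUG_ON(object == fp) would have fired */
static int inject_init_failure;   /* fault-injection knob for the inner init */

static void *get_freepointer(void *obj) { return *(void **)obj; }

/* Returns -1 and refuses the write where the real kernel would BUG(). */
static int set_freepointer(void *obj, void *fp)
{
    if (hardened && obj == fp) { double_free_hits++; return -1; }
    *(void **)obj = fp;
    return 0;
}

static void slab_reset(void)
{
    freelist = NULL;
    double_free_hits = 0;
    for (int i = NUM_SLOTS - 1; i >= 0; i--) {
        set_freepointer(slab[i], freelist);
        freelist = slab[i];
    }
}

static void *toy_alloc(void)          /* kzalloc-like */
{
    void *obj = freelist;
    if (!obj) return NULL;
    freelist = get_freepointer(obj);
    memset(obj, 0, SLOT_SIZE);
    return obj;
}

static void toy_free(void *obj)
{
    if (set_freepointer(obj, freelist))   /* obj already the head: double free */
        return;
    freelist = obj;
}

struct inner { void *pages; };                    /* stands in for the embedded ttm */
struct wrapper { struct inner ttm; int flags; };  /* stands in for the backend object */

/* Claimed-bug shape: the inner init frees a container it does not own ... */
static int inner_init_buggy(struct wrapper *w)
{
    if (inject_init_failure) { toy_free(w); return -ENOMEM; }
    w->ttm.pages = toy_alloc();
    return w->ttm.pages ? 0 : -ENOMEM;
}

/* ... and the caller frees it again on the same error path. */
static struct wrapper *create_buggy(void)
{
    struct wrapper *w = toy_alloc();
    if (!w) return NULL;
    if (inner_init_buggy(w)) { toy_free(w); return NULL; }   /* second free of w */
    return w;
}

/* Fixed shape: the inner init only undoes what it allocated; one owner frees w. */
static int inner_init_fixed(struct inner *t)
{
    if (inject_init_failure) return -ENOMEM;
    t->pages = toy_alloc();
    return t->pages ? 0 : -ENOMEM;
}

static struct wrapper *create_fixed(void)
{
    struct wrapper *w = toy_alloc();
    if (!w) return NULL;
    if (inner_init_fixed(&w->ttm)) { toy_free(w); return NULL; }
    return w;
}

/* Hardened-check hits for one create() attempt under the given settings. */
static int run_create(int buggy, int fault, int with_hardening)
{
    slab_reset();
    hardened = with_hardening;
    inject_init_failure = fault;
    if (buggy) create_buggy(); else create_fixed();
    hardened = 1;
    return double_free_hits;
}

/* Unhardened double free leaves a self-loop on the freelist: two allocations
 * then return the same object, the overlap a real exploit would build on. */
static int overlapping_allocs_after_unhardened_double_free(void)
{
    run_create(1, 1, 0);
    void *a = toy_alloc(), *b = toy_alloc();
    return a != NULL && a == b;
}

int main(void)
{
    printf("buggy, fault injected, hardened : %d hit(s)\n", run_create(1, 1, 1));
    printf("buggy, no fault, hardened       : %d hit(s)\n", run_create(1, 0, 1));
    printf("fixed, fault injected, hardened : %d hit(s)\n", run_create(0, 1, 1));
    printf("unhardened double free overlaps : %d\n",
           overlapping_allocs_after_unhardened_double_free());
    return 0;
}
```

The buggy shape only misbehaves when inject_init_failure is set, which is the practical point of comment 28: with no way to make the inner init fail, the second free is never reached. The hardened check catches this particular pattern because the second free arrives while the object is still the freelist head; it is deliberately naive and does not catch a double free with other frees in between.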

Comment 1 Dhananjay Arunesh 2021-03-16 19:51:06 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1939687]

Comment 2 Justin M. Forbes 2021-03-17 16:16:23 UTC
Not really much to go on here, no CVE, no upstream reference?

Comment 4 Justin M. Forbes 2021-03-22 22:43:24 UTC
So a CVE was gotten, but there are still absolutely no details here. Where in DRM? Is there an upstream patch, or even any upstream discussion?

Comment 13 Rohit Keshri 2021-03-24 05:37:55 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 14 Justin M. Forbes 2021-04-13 16:11:10 UTC
This was fixed for Fedora with the 5.7.16 stable kernel updates.

Comment 26 Dave Airlie 2021-06-09 19:29:39 UTC
This analysis is bogus and makes no sense. Where did someone get the idea that this fixes a double free in nouveau? The code before and after the patch is correct and operates the same.

Comment 28 Rohit Keshri 2021-06-24 07:25:01 UTC
Hi David, I got a chance to revisit the flaw. Greg said exploiting this flaw needs fault injection enabled (https://seclists.org/oss-sec/2020/q3/127), which is not enabled in any version of RHEL, so marking RHEL as not affected.

