Bug 1974827 (CVE-2021-0606) - CVE-2021-0606 kernel: struct drm_syncobj object leak which can be triggered with DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD
Summary: CVE-2021-0606 kernel: struct drm_syncobj object leak which can be triggered w...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-0606
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1974828
Blocks: Embargoed1974829
TreeView+ depends on / blocked
 
Reported: 2021-06-22 15:51 UTC by Pedro Sampaio
Modified: 2021-07-14 15:02 UTC (History)
45 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel. The function drm_syncobj_handle_to_fd first calls drm_syncobj_find which increments the refcount of the object on success. In all of the drm_syncobj_handle_to_fd error paths, the refcount is decremented, but in the success path the refcount should remain at +1 as the struct drm_syncobj now belongs to the newly opened file. Instead, the refcount was incremented again to +2.
Clone Of:
Environment:
Last Closed: 2021-07-12 12:42:32 UTC

Attachments (Terms of Use)

Description Pedro Sampaio 2021-06-22 15:51:16 UTC 
ommit 5fb252cad61f20ae5d5a8b199f6cc4faf6f418e1, a cherry-pick of
upstream commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31, introduced a
refcount imbalance and thus a struct drm_syncobj object leak which can
be triggered with DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD.

The function drm_syncobj_handle_to_fd first calls drm_syncobj_find
which increments the refcount of the object on success. In all of the
drm_syncobj_handle_to_fd error paths, the refcount is decremented, but
in the success path the refcount should remain at +1 as the struct
drm_syncobj now belongs to the newly opened file. Instead, the
refcount was incremented again to +2.

References:

https://source.android.com/security/bulletin/pixel/2021-06-01
https://android.googlesource.com/kernel/common/+/328ec6286a78a71500b74255448e8f3c83d2b2c4
Comment 1 Pedro Sampaio 2021-06-22 15:53:47 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1974828]
Comment 2 Justin M. Forbes 2021-06-29 16:04:22 UTC 
This is related to a bad cherry-pick of an upstream commit from 2017 into the android tree, it does not impact upstream, or any Fedora kernel.
Note You need to log in before you can comment on or make changes to this bug.