Bug 1974827 (CVE-2021-0606) - CVE-2021-0606 kernel: struct drm_syncobj object leak which can be triggered with DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD
Summary: CVE-2021-0606 kernel: struct drm_syncobj object leak which can be triggered with DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-0606
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1974828
Blocks: 1974829
Reported: 2021-06-22 15:51 UTC by Pedro Sampaio
Modified: 2021-07-14 15:02 UTC (History)
45 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel. The function drm_syncobj_handle_to_fd first calls drm_syncobj_find which increments the refcount of the object on success. In all of the drm_syncobj_handle_to_fd error paths, the refcount is decremented, but in the success path the refcount should remain at +1 as the struct drm_syncobj now belongs to the newly opened file. Instead, the refcount was incremented again to +2.
Clone Of:
Environment:
Last Closed: 2021-07-12 12:42:32 UTC
Embargoed:


Description Pedro Sampaio 2021-06-22 15:51:16 UTC
Commit 5fb252cad61f20ae5d5a8b199f6cc4faf6f418e1, a cherry-pick of
upstream commit e7cdf5c82f1773c3386b93bbcf13b9bfff29fa31, introduced a
refcount imbalance and thus a struct drm_syncobj object leak which can
be triggered with DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD.

The function drm_syncobj_handle_to_fd first calls drm_syncobj_find
which increments the refcount of the object on success. In all of the
drm_syncobj_handle_to_fd error paths, the refcount is decremented, but
in the success path the refcount should remain at +1 as the struct
drm_syncobj now belongs to the newly opened file. Instead, the
refcount was incremented again to +2.

References:

https://source.android.com/security/bulletin/pixel/2021-06-01
https://android.googlesource.com/kernel/common/+/328ec6286a78a71500b74255448e8f3c83d2b2c4
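The refcount accounting the report describes can be modelled without the DRM subsystem. The following is an added example, not kernel code and not part of the bug report: a toy refcounted object stands in for struct drm_syncobj, `syncobj_find` takes one reference for the caller as drm_syncobj_find does, and two versions of the handle-to-fd success path are compared. The correct version hands the reference from the lookup to the new file; the buggy version takes a second reference, so after the file is closed and the handle destroyed one reference is still outstanding and the object is never freed. All names (`syncobj_find`, `handle_to_fd_correct`, `handle_to_fd_buggy`, `leak_test`) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model (added example, not kernel code) of a refcounted
 * object such as struct drm_syncobj. */
struct syncobj {
    int refcount;  /* number of owners holding a reference */
    int freed;     /* set once the last reference is dropped */
};

/* Handle table: index is the handle, entry is the object (or NULL).
 * The table owns one reference to each object it holds. */
#define MAX_HANDLES 8
static struct syncobj *handle_table[MAX_HANDLES];

static void syncobj_get(struct syncobj *obj) { obj->refcount++; }

static void syncobj_put(struct syncobj *obj)
{
    if (--obj->refcount == 0)
        obj->freed = 1;  /* stand-in for kfree() */
}

/* Create an object at refcount 1 and install it in the handle table. */
int syncobj_create(int handle)
{
    if (handle < 0 || handle >= MAX_HANDLES) return -1;
    struct syncobj *obj = calloc(1, sizeof(*obj));
    if (!obj) return -1;
    obj->refcount = 1;  /* owned by the handle table */
    handle_table[handle] = obj;
    return 0;
}

/* Like drm_syncobj_find: look the handle up and take a reference for the caller. */
struct syncobj *syncobj_find(int handle)
{
    if (handle < 0 || handle >= MAX_HANDLES) return NULL;
    struct syncobj *obj = handle_table[handle];
    if (obj) syncobj_get(obj);
    return obj;
}

/* Model of the newly opened file: it owns exactly one reference. */
struct file_model { struct syncobj *private_data; };

/* Correct success path: the reference taken by syncobj_find is transferred
 * to the file, so the object stays at +1 for the file and no further get is done. */
int handle_to_fd_correct(int handle, struct file_model *f)
{
    struct syncobj *obj = syncobj_find(handle);
    if (!obj) return -1;  /* error path: nothing was taken, nothing to drop */
    f->private_data = obj;
    return 0;
}

/* Buggy success path modelled on the report: a second increment leaves the
 * object at +2 although only the file holds it. */
int handle_to_fd_buggy(int handle, struct file_model *f)
{
    struct syncobj *obj = syncobj_find(handle);
    if (!obj) return -1;
    syncobj_get(obj);  /* the spurious extra reference */
    f->private_data = obj;
    return 0;
}

/* Closing the file drops the file's single reference. */
void file_close(struct file_model *f)
{
    if (!f->private_data) return;
    syncobj_put(f->private_data);
    f->private_data = NULL;
}

/* Destroying the handle drops the table's reference. */
void handle_destroy(int handle)
{
    struct syncobj *obj = handle_table[handle];
    if (!obj) return;
    handle_table[handle] = NULL;
    syncobj_put(obj);
}

/* Run create -> handle_to_fd -> close -> destroy and return the refcount left
 * over once every owner has released: 0 means freed, >0 means leaked. */
int leak_test(int (*handle_to_fd)(int, struct file_model *))
{
    struct file_model f = {0};
    memset(handle_table, 0, sizeof(handle_table));
    if (syncobj_create(1) != 0) return -1;
    struct syncobj *obj = handle_table[1];
    if (handle_to_fd(1, &f) != 0) return -1;
    file_close(&f);
    handle_destroy(1);
    int remaining = obj->refcount;
    free(obj);  /* the model frees unconditionally; the kernel would not */
    return remaining;
}

int main(void)
{
    printf("correct path leaves refcount %d\n", leak_test(handle_to_fd_correct));
    printf("buggy path leaves refcount %d\n", leak_test(handle_to_fd_buggy));
    return 0;
}
```

The check a reviewer applies to code like this is the one `leak_test` automates: count the owners of the object after the call (here, the handle table and the file) and confirm the refcount equals that number; any surplus is a reference nobody will ever drop.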

Comment 1 Pedro Sampaio 2021-06-22 15:53:47 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1974828]

Comment 2 Justin M. Forbes 2021-06-29 16:04:22 UTC
This is related to a bad cherry-pick of an upstream commit from 2017 into the Android tree; it does not impact upstream or any Fedora kernel.

