A vulnerability was found in the Linux kernel, where a use-after-free could happen in nouveau's nvkm_vmm_pfn_map().
Description of problem:
Here is a function call chain.
If nvkm_vma_tail returns NULL in nvkm_vmm_node_split, it will
finally invoke nvkm_vmm_node_merge->nvkm_vmm_node_delete, which
will free the vma. However, nvkm_vmm_pfn_map does not notice that.
It goes into the next label and a UAF happens.
This bug is hard to trigger. It requires nvkm_vma_tail to return NULL,
which means kzalloc returns NULL.
Steps to Reproduce:
1. Make a lot of memory allocations in the Linux kernel so that
kzalloc fails in nvkm_vma_tail
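A constructed C model of the failure path described above (added example, not nouveau's code): the names vma_tail, node_split, node_delete, pfn_map_buggy, pfn_map_fixed and run are hypothetical stand-ins for the driver functions, a flag simulates kzalloc() returning NULL, and the "freed" node is marked rather than actually freed so the stale access is observable.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
/* Constructed toy model, not nouveau's code, of the flow in the report:
 * pfn_map -> node_split -> vma_tail (kzalloc fails) -> node_merge ->
 * node_delete, which frees the vma the caller still holds. */
struct vma { unsigned long addr, size; bool freed; struct vma *next; };
static bool fake_kzalloc_fails;   /* set to simulate kzalloc() returning NULL */
/* Split `tail` bytes off the end of vma into a new list node. */
static struct vma *vma_tail(struct vma *vma, unsigned long tail)
{
    struct vma *t = fake_kzalloc_fails ? NULL : calloc(1, sizeof(*t));
    if (!t) return NULL;
    t->addr = vma->addr + vma->size - tail; t->size = tail; vma->size -= tail;
    t->next = vma->next; vma->next = t;
    return t;
}
/* Stands in for merge/delete; marks instead of free()ing so a touch is detectable. */
static void node_delete(struct vma *vma) { vma->freed = true; }

static struct vma *node_split(struct vma *vma, unsigned long size)
{
    if (size < vma->size && !vma_tail(vma, vma->size - size)) {
        node_delete(vma);   /* allocation failed: vma is merged away and freed */
        return NULL;
    }
    return vma;
}
/* Buggy shape from the report: the split's result is ignored and the "next:"
 * path keeps walking from vma. Returns -1 when it touches the freed node. */
static int pfn_map_buggy(struct vma *vma, unsigned long size)
{
    node_split(vma, size);
    return vma->freed ? -1 : 0;
}
/* Hardened shape: NULL from the split means vma is gone, so stop using it. */
static int pfn_map_fixed(struct vma *vma, unsigned long size)
{
    if (!node_split(vma, size)) return -ENOMEM;
    return vma->freed ? -1 : 0;
}
/* One scenario on a constructed 0x4000-byte vma, mapping its first 0x1000. */
static int run(bool oom, bool fixed)
{
    struct vma v = { .addr = 0x10000, .size = 0x4000 };
    fake_kzalloc_fails = oom;
    int rc = fixed ? pfn_map_fixed(&v, 0x1000) : pfn_map_buggy(&v, 0x1000);
    free(v.next);   /* tail node if one was created; free(NULL) is a no-op */
    return rc;
}
```

With the allocation failure simulated, run(true, false) reports the stale access (-1) while run(true, true) returns -ENOMEM without touching the node again.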
Created kernel tracking bugs for this issue:
Affects: fedora-36 [bug 2157272]
Affects: fedora-37 [bug 2157271]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
Not sure if this was backported to a 4.20 kernel for Fedora, but even if not, it was in 5.0 several years ago. All currently supported Fedora releases have never shipped with an impacted kernel.