Bug 2157270 (CVE-2023-0030) - CVE-2023-0030 kernel: Use after Free in nvkm_vmm_pfn_map
Summary: CVE-2023-0030 kernel: Use after Free in nvkm_vmm_pfn_map
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2023-0030
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2157041 2157271 2157272
Blocks: 2157079 2175316
TreeView+ depends on / blocked
 
Reported: 2023-01-01 14:31 UTC by Alex
Modified: 2024-02-22 04:19 UTC (History)
54 users (show)

Fixed In Version: Linux kernel 5.0-rc1
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the Linux kernel’s nouveau driver in how a user triggers a memory overflow that causes the nvkm_vma_tail function to fail. This flaw allows a local user to crash or potentially escalate their privileges on the system.
Clone Of:
Environment:
Last Closed: 2023-01-03 02:30:48 UTC
Embargoed:

Attachments (Terms of Use)

Description Alex 2023-01-01 14:31:41 UTC 
A vulnerability was found in kernel, where a use-after-frees in nouveau's nvkm_vmm_pfn_map() could happen.

Description of problem:
Here is a function call chain. 
nvkm_vmm_pfn_map->nvkm_vmm_pfn_split_merge->nvkm_vmm_node_split
If nvkm_vma_tail return NULL in nvkm_vmm_node_split, it will 
finally invoke nvkm_vmm_node_merge->nvkm_vmm_node_delete, which
will free the vma. However, nvkm_vmm_pfn_map didn't notice that.
It goes into next label and UAF happens

How reproducible:
This bug is hard to trigger. It requires nvkm_vma_tail return NULL,
which means kzalloc returns NULL.

Steps to Reproduce:
1.make a lot of memory allocation in Linux kernel so that to make 
kzalloc failed in nvkm_vma_tail 
2.UAF happens

Reference:
https://github.com/torvalds/linux/commit/729eba3355674f2d9524629b73683ba1d1cd3f10
Comment 1 Alex 2023-01-01 14:32:21 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-36 [bug 2157272]
Affects: fedora-37 [bug 2157271]
Comment 5 Product Security DevOps Team 2023-01-03 02:30:43 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-0030
Comment 6 Justin M. Forbes 2023-01-03 15:16:08 UTC 
Not sure if this was backported to a 4.20 kernel for Fedora, but even if not, it was in 5.0 several years ago.  All currently supported Fedora releases have never shipped with an impacted kernel.
Comment 7 Ben Hutchings 2023-07-02 18:48:31 UTC 
Looking at the referenced commit:

commit 729eba3355674f2d9524629b73683ba1d1cd3f10
Author: Ben Skeggs <bskeggs>
Date:   Tue Dec 11 14:50:02 2018 +1000
 
    drm/nouveau/mmu: add more general vmm free/node handling functions

I see that this *introduces* some of the functions referred to by the
original report.  So this can't be the fix.

The bug seems to be in nvkm_vmm_pfn_map() which was introduced in 5.1 by:

commit a5ff307fe1f2dfe91253e3c19586643a77b6ce52
Author: Ben Skeggs <bskeggs>
Date:   Sat Jul 7 12:35:48 2018 +1000
 
    drm/nouveau/mmu: add a privileged method to directly manage PTEs

and I don't think it has ever been fixed (as none of the functions have
been changed).
Comment 11 yaniebogisish 2024-01-31 07:23:41 UTC Comment hidden (spam)
Comment 12 Annata Evan 2024-02-19 09:13:53 UTC Comment hidden (spam)
Comment 13 Warren Hunter 2024-02-22 04:19:56 UTC Comment hidden (spam)
Note You need to log in before you can comment on or make changes to this bug.