A vulnerability was found in the kernel, where a use-after-free in nouveau's nvkm_vmm_pfn_map() could happen.

Description of problem:
Here is the function call chain:
nvkm_vmm_pfn_map -> nvkm_vmm_pfn_split_merge -> nvkm_vmm_node_split
If nvkm_vma_tail returns NULL in nvkm_vmm_node_split, it will finally invoke nvkm_vmm_node_merge -> nvkm_vmm_node_delete, which will free the vma. However, nvkm_vmm_pfn_map didn't notice that. It goes to the next label and a UAF happens.

How reproducible:
This bug is hard to trigger. It requires nvkm_vma_tail to return NULL, which means kzalloc returns NULL.

Steps to Reproduce:
1. Make a lot of memory allocations in the Linux kernel so that kzalloc fails in nvkm_vma_tail.
2. UAF happens.

Reference:
https://github.com/torvalds/linux/commit/729eba3355674f2d9524629b73683ba1d1cd3f10
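To make the failure path concrete, here is an added, constructed C model of the call shape the report describes (nvkm_vmm_pfn_map -> node_split -> node_delete). It is not nouveau code and not part of the bug report: the `struct vma`, `vma_split()`, `vma_delete()`, `pfn_map_buggy()`, `pfn_map_fixed()` and `run()` names are invented stand-ins, the kzalloc() failure is injected with a flag, and kfree() is replaced by a `freed` mark so the stale access can be counted rather than being undefined behaviour. The buggy mapper jumps to its `next:` label after the split reports NULL and walks the already-freed node; the fixed one treats the failed allocation as an error and returns -ENOMEM without touching it.

```c
/* Constructed model of the CVE-2023-0030 call shape (nvkm_vmm_pfn_map ->
 * node_split -> node_delete); not nouveau code. kzalloc() failure is a flag and
 * kfree() is a "freed" mark, so the stale access is counted, not undefined. */
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>

#define PAGE 0x1000UL
struct vma {
    unsigned long addr, size;   /* range [addr, addr + size) */
    struct vma *next;           /* ascending list of ranges */
    int mapped, freed;          /* mapped: PFNs installed; freed: stand-in for kfree() */
};

static int fail_alloc;          /* 1 => vma_alloc() fails like kzalloc() under pressure */
static int uaf_hits;            /* accesses to a freed node, counted by vma_next() */
static struct vma *last_head;   /* list head after the last run(), for inspection */

static struct vma *vma_alloc(unsigned long addr, unsigned long size)
{
    struct vma *v = fail_alloc ? NULL : calloc(1, sizeof(*v));
    if (v) { v->addr = addr; v->size = size; }
    return v;
}

/* Records a use-after-free instead of exhibiting one. */
static struct vma *vma_next(struct vma *v) { uaf_hits += v->freed; return v->next; }

/* Like nvkm_vmm_node_delete(): unlink v and free it. */
static void vma_delete(struct vma **head, struct vma *v)
{
    for (struct vma **pp = head; *pp; pp = &(*pp)->next)
        if (*pp == v) { *pp = v->next; break; }
    v->freed = 1;
}

/* Like nvkm_vmm_node_split() at the front of v: allocate the tail (nvkm_vma_tail())
 * and shrink v. On allocation failure v is merged away and deleted; do not touch it. */
static struct vma *vma_split(struct vma **head, struct vma *v, unsigned long size)
{
    if (size < v->size) {
        struct vma *tail = vma_alloc(v->addr + size, v->size - size);
        if (!tail) {
            vma_delete(head, v);   /* v is freed here */
            return NULL;
        }
        tail->next = v->next; v->next = tail;
        v->size = size;
    }
    return v;
}

/* Pre-fix shape: NULL from the split is taken as "nothing to map"; next: then walks the freed v. */
static int pfn_map_buggy(struct vma **head, struct vma *v, unsigned long npages)
{
    while (v && npages--) {
        struct vma *tmp = vma_split(head, v, PAGE);
        if (!tmp)
            goto next;           /* BUG: v was deleted inside vma_split() */
        tmp->mapped = 1;
next:
        v = vma_next(v);         /* use-after-free on the failure path */
    }
    return 0;
}

/* Post-fix shape: the failed allocation is an error; v is never read after it was freed. */
static int pfn_map_fixed(struct vma **head, struct vma *v, unsigned long npages)
{
    while (v && npages--) {
        struct vma *tmp = vma_split(head, v, PAGE);
        if (!tmp)
            return -ENOMEM;      /* v is gone; bail out without touching it */
        tmp->mapped = 1;
        v = vma_next(v);
    }
    return 0;
}

/* Build a 4-page range, map its first 2 pages with `map` (failure optionally injected). */
static int run(int (*map)(struct vma **, struct vma *, unsigned long), int inject)
{
    struct vma *head = vma_alloc(0, 4 * PAGE);
    int ret;
    uaf_hits = 0; fail_alloc = inject;
    ret = map(&head, head, 2);
    fail_alloc = 0; last_head = head;
    return ret;
}

int main(void)
{
    int ret = run(pfn_map_fixed, 0);
    printf("fixed, no failure:    ret=%d uaf=%d\n", ret, uaf_hits);
    ret = run(pfn_map_fixed, 1);
    printf("fixed, kzalloc fails: ret=%d uaf=%d\n", ret, uaf_hits);
    ret = run(pfn_map_buggy, 1);
    printf("buggy, kzalloc fails: ret=%d uaf=%d\n", ret, uaf_hits);
    return 0;
}
```

In the real driver the deleted node goes back to the slab, so the stale read in the buggy path is silent corruption rather than a counted hit; the model's `uaf_hits` counter stands in for what KASAN would report. The report's "make kzalloc fail" step is what the `fail_alloc` flag simulates; in a kernel the same thing is done deterministically with the fault-injection framework (failslab) rather than by exhausting memory.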
Created kernel tracking bugs for this issue:

Affects: fedora-36 [bug 2157272]
Affects: fedora-37 [bug 2157271]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-0030
Not sure if this was backported to a 4.20 kernel for Fedora, but even if not, it was in 5.0 several years ago. All currently supported Fedora releases have never shipped with an impacted kernel.