Bug 2216386 (CVE-2023-3220) - CVE-2023-3220 kernel: NULL pointer dereference in dpu_crtc_atomic_check() in drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c
Summary: CVE-2023-3220 kernel: NULL pointer dereference in dpu_crtc_atomic_check() in ...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2023-3220
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2216403
Blocks: 2182007
TreeView+ depends on / blocked
 
Reported: 2023-06-21 05:37 UTC by TEJ RATHI
Modified: 2023-07-31 08:22 UTC (History)
42 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference flaw was found in the Linux kernel's drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c code in the dpu_crtc_atomic_check function, which fails because it lacks a check of the return value of kzalloc(). This issue could allow a local user to crash the system.
Clone Of:
Environment:
Last Closed: 2023-06-21 18:10:24 UTC
Embargoed:


Attachments (Terms of Use)

Description TEJ RATHI 2023-06-21 05:37:38 UTC
An issue was discovered in the Linux kernel through 6.1-rc8. dpu_crtc_atomic_check in drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c lacks check of the return value of kzalloc() and will cause the NULL Pointer Dereference.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=93340e10b9c5fc86730d149636e0aa8b47bb5a34

Comment 1 Alex 2023-06-21 07:54:00 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2216403]

Comment 3 Justin M. Forbes 2023-06-21 14:50:13 UTC
This was fixed for Fedora with the 6.1.16 stable kernel updates.

Comment 4 Alex 2023-06-21 16:28:24 UTC
Memory allocations with the GFP_KERNEL should not be considered as CVE if alloc small amount of memory (based on
"
GFP_KERNEL - both background and direct reclaim are allowed and the default page allocator behavior is used. That means that not costly allocation requests are basically no-fail but there is no guarantee of that behavior so failures have to be checked properly by callers (e.g. OOM killer victim is allowed to fail currently).
",
and for more info see: https://lwn.net/Articles/627419/ ).

However, particular for this CVE I'm not sure if always small amount of memory request, so it is just in case as potential security issue.

Comment 5 Product Security DevOps Team 2023-06-21 18:10:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-3220

Comment 7 Jan Pazdziora 2023-07-26 13:53:35 UTC
Hello Alex,

while doing review of the Vulnerability Assessment report of RHEL 8.6 for the purpose of Common Criteria certification, we came across this CVE.

Could you update the CVE page https://access.redhat.com/security/cve/CVE-2023-3220 with some publicly facing statement why we consider all RHELs as not affected? Especially given the

  https://www.kernel.org/doc/html/next/core-api/memory-allocation.html

that you quoted in comment 4 says that "... but there is no guarantee of that behavior so failures have to be checked properly by callers".

Thank you, Jan

Comment 8 Alex 2023-07-30 13:04:09 UTC
In reply to comment #7:
> Hello Alex,
> 
> while doing review of the Vulnerability Assessment report of RHEL 8.6 for
> the purpose of Common Criteria certification, we came across this CVE.
> 
> Could you update the CVE page
> https://access.redhat.com/security/cve/CVE-2023-3220 with some publicly
> facing statement why we consider all RHELs as not affected? Especially given
> the
> 
>   https://www.kernel.org/doc/html/next/core-api/memory-allocation.html
> 
> that you quoted in comment 4 says that "... but there is no guarantee of
> that behavior so failures have to be checked properly by callers".
> 
> Thank you, Jan

Sure. Added statement: "The related Kernel config param CONFIG_DRM_MSM enabled for Fedora only, so all versions of the Red Hat Enterprise Linux not affected."

Comment 9 Jan Pazdziora 2023-07-31 08:22:10 UTC
Great, thanks.


Note You need to log in before you can comment on or make changes to this bug.