[SRU][Focal][PATCH 0/3] CVE-2023-39198
Bethany Jamison
bethany.jamison at canonical.com
Thu Feb 22 22:50:46 UTC 2024
[Impact]
A race condition was found in the QXL driver in the Linux kernel. The
qxl_mode_dumb_create() function dereferences the qobj returned by the
qxl_gem_object_create_with_handle(), but the handle is the only one holding
a reference to it. This flaw allows an attacker to guess the returned
handle value and trigger a use-after-free issue, potentially leading to a
denial of service or privilege escalation.
[Fix]
2 prerequisite and 1 fix commit cherry-picked cleanly.
[Test Case]
Compile and boot tested.
[Regression Potential]
Issues could occur for users who use the qxl driver when creating a drm
gem object.
Emil Velikov (1):
drm/qxl: remove _unlocked suffix in drm_gem_object_put_unlocked
Gerd Hoffmann (1):
drm/qxl: allocate dumb buffers in ram
Wander Lairson Costa (1):
drm/qxl: fix UAF on handle creation
drivers/gpu/drm/qxl/qxl_cmd.c | 2 +-
drivers/gpu/drm/qxl/qxl_display.c | 6 +++---
drivers/gpu/drm/qxl/qxl_drv.h | 2 +-
drivers/gpu/drm/qxl/qxl_dumb.c | 9 ++++++---
drivers/gpu/drm/qxl/qxl_gem.c | 25 +++++++++++++++++--------
drivers/gpu/drm/qxl/qxl_ioctl.c | 10 ++++------
drivers/gpu/drm/qxl/qxl_object.c | 4 ++--
7 files changed, 34 insertions(+), 24 deletions(-)
--
2.34.1
More information about the kernel-team
mailing list