CVE-2024-50096
Vulnerability from cvelistv5
Published
2024-11-05 17:04
Modified
2024-12-19 09:33
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error The `nouveau_dmem_copy_one` function ensures that the copy push command is sent to the device firmware but does not track whether it was executed successfully. In the case of a copy error (e.g., firmware or hardware failure), the copy push command will be sent via the firmware channel, and `nouveau_dmem_copy_one` will likely report success, leading to the `migrate_to_ram` function returning a dirty HIGH_USER page to the user. This can result in a security vulnerability, as a HIGH_USER page that may contain sensitive or corrupted data could be returned to the user. To prevent this vulnerability, we allocate a zero page. Thus, in case of an error, a non-dirty (zero) page will be returned to the user.
Impacted products
Vendor Product Version
Linux Linux Version: 5.1
Show details on NVD website


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/nouveau/nouveau_dmem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fd9bb7e996bab9b9049fffe3f3d3b50dee191d27",
              "status": "affected",
              "version": "5be73b690875f7eb2d2defb54ccd7f2f12074984",
              "versionType": "git"
            },
            {
              "lessThan": "73f75d2b5aee5a735cf64b8ab4543d5c20dbbdd9",
              "status": "affected",
              "version": "5be73b690875f7eb2d2defb54ccd7f2f12074984",
              "versionType": "git"
            },
            {
              "lessThan": "8c3de9282dde21ce3c1bf1bde3166a4510547aa9",
              "status": "affected",
              "version": "5be73b690875f7eb2d2defb54ccd7f2f12074984",
              "versionType": "git"
            },
            {
              "lessThan": "614bfb2050982d23d53d0d51c4079dba0437c883",
              "status": "affected",
              "version": "5be73b690875f7eb2d2defb54ccd7f2f12074984",
              "versionType": "git"
            },
            {
              "lessThan": "697e3ddcf1f8b68bd531fc34eead27c000bdf3e1",
              "status": "affected",
              "version": "5be73b690875f7eb2d2defb54ccd7f2f12074984",
              "versionType": "git"
            },
            {
              "lessThan": "ab4d113b6718b076046018292f821d5aa4b844f8",
              "status": "affected",
              "version": "5be73b690875f7eb2d2defb54ccd7f2f12074984",
              "versionType": "git"
            },
            {
              "lessThan": "835745a377a4519decd1a36d6b926e369b3033e2",
              "status": "affected",
              "version": "5be73b690875f7eb2d2defb54ccd7f2f12074984",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/nouveau/nouveau_dmem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.1"
            },
            {
              "lessThan": "5.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.285",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.227",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.168",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.57",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error\n\nThe `nouveau_dmem_copy_one` function ensures that the copy push command is\nsent to the device firmware but does not track whether it was executed\nsuccessfully.\n\nIn the case of a copy error (e.g., firmware or hardware failure), the\ncopy push command will be sent via the firmware channel, and\n`nouveau_dmem_copy_one` will likely report success, leading to the\n`migrate_to_ram` function returning a dirty HIGH_USER page to the user.\n\nThis can result in a security vulnerability, as a HIGH_USER page that may\ncontain sensitive or corrupted data could be returned to the user.\n\nTo prevent this vulnerability, we allocate a zero page. Thus, in case of\nan error, a non-dirty (zero) page will be returned to the user."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T09:33:00.903Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fd9bb7e996bab9b9049fffe3f3d3b50dee191d27"
        },
        {
          "url": "https://git.kernel.org/stable/c/73f75d2b5aee5a735cf64b8ab4543d5c20dbbdd9"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c3de9282dde21ce3c1bf1bde3166a4510547aa9"
        },
        {
          "url": "https://git.kernel.org/stable/c/614bfb2050982d23d53d0d51c4079dba0437c883"
        },
        {
          "url": "https://git.kernel.org/stable/c/697e3ddcf1f8b68bd531fc34eead27c000bdf3e1"
        },
        {
          "url": "https://git.kernel.org/stable/c/ab4d113b6718b076046018292f821d5aa4b844f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/835745a377a4519decd1a36d6b926e369b3033e2"
        }
      ],
      "title": "nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-50096",
    "datePublished": "2024-11-05T17:04:58.689Z",
    "dateReserved": "2024-10-21T19:36:19.944Z",
    "dateUpdated": "2024-12-19T09:33:00.903Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-50096\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-11-05T17:15:06.870\",\"lastModified\":\"2024-11-12T16:16:33.703\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error\\n\\nThe `nouveau_dmem_copy_one` function ensures that the copy push command is\\nsent to the device firmware but does not track whether it was executed\\nsuccessfully.\\n\\nIn the case of a copy error (e.g., firmware or hardware failure), the\\ncopy push command will be sent via the firmware channel, and\\n`nouveau_dmem_copy_one` will likely report success, leading to the\\n`migrate_to_ram` function returning a dirty HIGH_USER page to the user.\\n\\nThis can result in a security vulnerability, as a HIGH_USER page that may\\ncontain sensitive or corrupted data could be returned to the user.\\n\\nTo prevent this vulnerability, we allocate a zero page. Thus, in case of\\nan error, a non-dirty (zero) page will be returned to the user.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nouveau/dmem: Se corrige la vulnerabilidad en migrants_to_ram tras un error de copia. La funci\u00f3n `nouveau_dmem_copy_one` garantiza que el comando de copia push se env\u00ede al firmware del dispositivo, pero no rastrea si se ejecut\u00f3 correctamente. En el caso de un error de copia (por ejemplo, fallo del firmware o hardware), el comando de copia push se enviar\u00e1 a trav\u00e9s del canal de firmware y `nouveau_dmem_copy_one` probablemente informar\u00e1 el \u00e9xito, lo que llevar\u00e1 a la funci\u00f3n `migrate_to_ram` a devolver una p\u00e1gina HIGH_USER sucia al usuario. Esto puede resultar en una vulnerabilidad de seguridad, ya que una p\u00e1gina HIGH_USER que puede contener datos confidenciales o da\u00f1ados podr\u00eda devolverse al usuario. Para evitar esta vulnerabilidad, asignamos una p\u00e1gina cero. Por lo tanto, en caso de un error, se devolver\u00e1 al usuario una p\u00e1gina no sucia (cero).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.1\",\"versionEndExcluding\":\"5.4.285\",\"matchCriteriaId\":\"1182B577-D9D7-4DC8-AAA4-C3BCAC9E115C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.5\",\"versionEndExcluding\":\"5.10.227\",\"matchCriteriaId\":\"795A3EE6-0CAB-4409-A903-151C94ACECC0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.168\",\"matchCriteriaId\":\"4D51C05D-455B-4D8D-89E7-A58E140B864C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.113\",\"matchCriteriaId\":\"D01BD22E-ACD1-4618-9D01-6116570BE1EE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.57\",\"matchCriteriaId\":\"05D83DB8-7465-4F88-AFB2-980011992AC1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.11.4\",\"matchCriteriaId\":\"AA84D336-CE9A-4535-B901-1AD77EC17C34\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"7F361E1D-580F-4A2D-A509-7615F73167A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"925478D0-3E3D-4E6F-ACD5-09F28D5DF82C\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/614bfb2050982d23d53d0d51c4079dba0437c883\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/697e3ddcf1f8b68bd531fc34eead27c000bdf3e1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/73f75d2b5aee5a735cf64b8ab4543d5c20dbbdd9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/835745a377a4519decd1a36d6b926e369b3033e2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/8c3de9282dde21ce3c1bf1bde3166a4510547aa9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ab4d113b6718b076046018292f821d5aa4b844f8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/fd9bb7e996bab9b9049fffe3f3d3b50dee191d27\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.