cve-2024-50187
Vulnerability from cvelistv5
Published
2024-11-08 05:38
Modified
2024-12-19 09:35
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: drm/vc4: Stop the active perfmon before being destroyed Upon closing the file descriptor, the active performance monitor is not stopped. Although all perfmons are destroyed in `vc4_perfmon_close_file()`, the active performance monitor's pointer (`vc4->active_perfmon`) is still retained. If we open a new file descriptor and submit a few jobs with performance monitors, the driver will attempt to stop the active performance monitor using the stale pointer in `vc4->active_perfmon`. However, this pointer is no longer valid because the previous process has already terminated, and all performance monitors associated with it have been destroyed and freed. To fix this, when the active performance monitor belongs to a given process, explicitly stop it before destroying and freeing it.
Impacted products
Vendor Product Version
Linux Linux Version: 4.17
Show details on NVD website


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/vc4/vc4_perfmon.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "75452da51e2403e14be007df80d133e1443fc967",
              "status": "affected",
              "version": "65101d8c9108201118efa7e08f4e2c57f438deb9",
              "versionType": "git"
            },
            {
              "lessThan": "937943c042503dc6087438bf3557f9057a588ba0",
              "status": "affected",
              "version": "65101d8c9108201118efa7e08f4e2c57f438deb9",
              "versionType": "git"
            },
            {
              "lessThan": "c9adba739d5f7cdc47a7754df4a17b47b1ecf513",
              "status": "affected",
              "version": "65101d8c9108201118efa7e08f4e2c57f438deb9",
              "versionType": "git"
            },
            {
              "lessThan": "0b2ad4f6f2bec74a5287d96cb2325a5e11706f22",
              "status": "affected",
              "version": "65101d8c9108201118efa7e08f4e2c57f438deb9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/vc4/vc4_perfmon.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.17"
            },
            {
              "lessThan": "4.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.57",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: Stop the active perfmon before being destroyed\n\nUpon closing the file descriptor, the active performance monitor is not\nstopped. Although all perfmons are destroyed in `vc4_perfmon_close_file()`,\nthe active performance monitor\u0027s pointer (`vc4-\u003eactive_perfmon`) is still\nretained.\n\nIf we open a new file descriptor and submit a few jobs with performance\nmonitors, the driver will attempt to stop the active performance monitor\nusing the stale pointer in `vc4-\u003eactive_perfmon`. However, this pointer\nis no longer valid because the previous process has already terminated,\nand all performance monitors associated with it have been destroyed and\nfreed.\n\nTo fix this, when the active performance monitor belongs to a given\nprocess, explicitly stop it before destroying and freeing it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T09:35:03.715Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/75452da51e2403e14be007df80d133e1443fc967"
        },
        {
          "url": "https://git.kernel.org/stable/c/937943c042503dc6087438bf3557f9057a588ba0"
        },
        {
          "url": "https://git.kernel.org/stable/c/c9adba739d5f7cdc47a7754df4a17b47b1ecf513"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b2ad4f6f2bec74a5287d96cb2325a5e11706f22"
        }
      ],
      "title": "drm/vc4: Stop the active perfmon before being destroyed",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-50187",
    "datePublished": "2024-11-08T05:38:28.194Z",
    "dateReserved": "2024-10-21T19:36:19.967Z",
    "dateUpdated": "2024-12-19T09:35:03.715Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-50187\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-11-08T06:15:15.770\",\"lastModified\":\"2024-11-27T21:33:58.713\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/vc4: Stop the active perfmon before being destroyed\\n\\nUpon closing the file descriptor, the active performance monitor is not\\nstopped. Although all perfmons are destroyed in `vc4_perfmon_close_file()`,\\nthe active performance monitor\u0027s pointer (`vc4-\u003eactive_perfmon`) is still\\nretained.\\n\\nIf we open a new file descriptor and submit a few jobs with performance\\nmonitors, the driver will attempt to stop the active performance monitor\\nusing the stale pointer in `vc4-\u003eactive_perfmon`. However, this pointer\\nis no longer valid because the previous process has already terminated,\\nand all performance monitors associated with it have been destroyed and\\nfreed.\\n\\nTo fix this, when the active performance monitor belongs to a given\\nprocess, explicitly stop it before destroying and freeing it.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/vc4: Detener el monitor de rendimiento activo antes de ser destruido Al cerrar el descriptor de archivo, el monitor de rendimiento activo no se detiene. Aunque todos los monitores de rendimiento se destruyen en `vc4_perfmon_close_file()`, el puntero del monitor de rendimiento activo (`vc4-\u0026gt;active_perfmon`) a\u00fan se conserva. Si abrimos un nuevo descriptor de archivo y enviamos algunos trabajos con monitores de rendimiento, el controlador intentar\u00e1 detener el monitor de rendimiento activo utilizando el puntero obsoleto en `vc4-\u0026gt;active_perfmon`. Sin embargo, este puntero ya no es v\u00e1lido porque el proceso anterior ya ha finalizado y todos los monitores de rendimiento asociados con \u00e9l han sido destruidos y liberados. Para solucionar esto, cuando el monitor de rendimiento activo pertenece a un proceso determinado, det\u00e9ngalo expl\u00edcitamente antes de destruirlo y liberarlo.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.17\",\"versionEndExcluding\":\"6.1.113\",\"matchCriteriaId\":\"557DC00A-88BF-484C-A2BA-83415A270B80\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.57\",\"matchCriteriaId\":\"05D83DB8-7465-4F88-AFB2-980011992AC1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.11.4\",\"matchCriteriaId\":\"AA84D336-CE9A-4535-B901-1AD77EC17C34\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"7F361E1D-580F-4A2D-A509-7615F73167A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"925478D0-3E3D-4E6F-ACD5-09F28D5DF82C\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0b2ad4f6f2bec74a5287d96cb2325a5e11706f22\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/75452da51e2403e14be007df80d133e1443fc967\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/937943c042503dc6087438bf3557f9057a588ba0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/c9adba739d5f7cdc47a7754df4a17b47b1ecf513\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.