ghsa-vjgg-3f8r-g7rm
Vulnerability from github
Published
2025-01-11 15:30
Modified
2025-09-23 18:30
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: don't access invalid sched

Since 2320c9e6a768 ("drm/sched: memset() 'job' in drm_sched_job_init()") accessing job->base.sched can produce unexpected results as the initialisation of (*job)->base.sched done in amdgpu_job_alloc is overwritten by the memset.

This commit fixes an issue when a CS would fail validation and would be rejected after job->num_ibs is incremented. In this case, amdgpu_ib_free(ring->adev, ...) will be called, which would crash the machine because the ring value is bogus.

To fix this, pass a NULL pointer to amdgpu_ib_free(): we can do this because the device is actually not used in this function.

The next commit will remove the ring argument completely.

(cherry picked from commit 2ae520cb12831d264ceb97c61f72c59d33c0dbd7)

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-46896"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-11T13:15:21Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: don\u0027t access invalid sched\n\nSince 2320c9e6a768 (\"drm/sched: memset() \u0027job\u0027 in drm_sched_job_init()\")\naccessing job-\u003ebase.sched can produce unexpected results as the initialisation\nof (*job)-\u003ebase.sched done in amdgpu_job_alloc is overwritten by the\nmemset.\n\nThis commit fixes an issue when a CS would fail validation and would\nbe rejected after job-\u003enum_ibs is incremented. In this case,\namdgpu_ib_free(ring-\u003eadev, ...) will be called, which would crash the\nmachine because the ring value is bogus.\n\nTo fix this, pass a NULL pointer to amdgpu_ib_free(): we can do this\nbecause the device is actually not used in this function.\n\nThe next commit will remove the ring argument completely.\n\n(cherry picked from commit 2ae520cb12831d264ceb97c61f72c59d33c0dbd7)",
  "id": "GHSA-vjgg-3f8r-g7rm",
  "modified": "2025-09-23T18:30:20Z",
  "published": "2025-01-11T15:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46896"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/65501a4fd84ecdc0af863dbb37759242aab9f2dd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/67291d601f2b032062b1b2f60ffef1b63e10094c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a93b1020eb9386d7da11608477121b10079c076a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/da6b2c626ae73c303378ce9eaf6e3eaf16c9925a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.