ACK: [SRU][Focal][PATCH 0/3] CVE-2023-39198
Tim Gardner
tim.gardner at canonical.com
Fri Feb 23 15:35:36 UTC 2024
On 2/22/24 3:50 PM, Bethany Jamison wrote:
> [Impact]
>
> A race condition was found in the QXL driver in the Linux kernel. The
> qxl_mode_dumb_create() function dereferences the qobj returned by the
> qxl_gem_object_create_with_handle(), but the handle is the only one holding
> a reference to it. This flaw allows an attacker to guess the returned
> handle value and trigger a use-after-free issue, potentially leading to a
> denial of service or privilege escalation.
>
> [Fix]
>
> 2 prerequisite and 1 fix commit cherry-picked cleanly.
>
> [Test Case]
>
> Compile and boot tested.
>
> [Regression Potential]
>
> Issues could occur for users who use the qxl driver when creating a drm
> gem object.
>
> Emil Velikov (1):
> drm/qxl: remove _unlocked suffix in drm_gem_object_put_unlocked
>
> Gerd Hoffmann (1):
> drm/qxl: allocate dumb buffers in ram
>
> Wander Lairson Costa (1):
> drm/qxl: fix UAF on handle creation
>
> drivers/gpu/drm/qxl/qxl_cmd.c | 2 +-
> drivers/gpu/drm/qxl/qxl_display.c | 6 +++---
> drivers/gpu/drm/qxl/qxl_drv.h | 2 +-
> drivers/gpu/drm/qxl/qxl_dumb.c | 9 ++++++---
> drivers/gpu/drm/qxl/qxl_gem.c | 25 +++++++++++++++++--------
> drivers/gpu/drm/qxl/qxl_ioctl.c | 10 ++++------
> drivers/gpu/drm/qxl/qxl_object.c | 4 ++--
> 7 files changed, 34 insertions(+), 24 deletions(-)
>
Acked-by: Tim Gardner <tim.gardner at canonical.com>
--
-----------
Tim Gardner
Canonical, Inc
More information about the kernel-team
mailing list