CVE-2023-52648

CVE Details

Release Date:2024-05-01

Description


In the Linux kernel, the following vulnerability has been resolved:\ndrm/vmwgfx: Unmap the surface before resetting it on a plane state\nSwitch to a new plane state requires unreferencing of all held surfaces.\nIn the work required for mob cursors the mapped surfaces started being\ncached but the variable indicating whether the surface is currently\nmapped was not being reset. This leads to crashes as the duplicated\nstate, incorrectly, indicates the that surface is mapped even when\nno surface is present. That's because after unreferencing the surface\nit's perfectly possible for the plane to be backed by a bo instead of a\nsurface.\nReset the surface mapped flag when unreferencing the plane state surface\nto fix null derefs in cleanup. Fixes crashes in KDE KWin 6.0 on Wayland:\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 4 PID: 2533 Comm: kwin_wayland Not tainted 6.7.0-rc3-vmwgfx #2\nHardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\nRIP: 0010:vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\nCode: 00 00 00 75 3a 48 83 c4 10 5b 5d c3 cc cc cc cc 48 8b b3 a8 00 00 00 48 c7 c7 99 90 43 c0 e8 93 c5 db ca 48 8b 83 a8 00 00 00 <48> 8b 78 28 e8 e3 f>\nRSP: 0018:ffffb6b98216fa80 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff969d84cdcb00 RCX: 0000000000000027\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff969e75f21600\nRBP: ffff969d4143dc50 R08: 0000000000000000 R09: ffffb6b98216f920\nR10: 0000000000000003 R11: ffff969e7feb3b10 R12: 0000000000000000\nR13: 0000000000000000 R14: 000000000000027b R15: ffff969d49c9fc00\nFS: 00007f1e8f1b4180(0000) GS:ffff969e75f00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000028 CR3: 0000000104006004 CR4: 00000000003706f0\nCall Trace:\n\n? __die+0x23/0x70\n? page_fault_oops+0x171/0x4e0\n? exc_page_fault+0x7f/0x180\n? asm_exc_page_fault+0x26/0x30\n? vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\ndrm_atomic_helper_cleanup_planes+0x9b/0xc0\ncommit_tail+0xd1/0x130\ndrm_atomic_helper_commit+0x11a/0x140\ndrm_atomic_commit+0x97/0xd0\n? __pfx___drm_printfn_info+0x10/0x10\ndrm_atomic_helper_update_plane+0xf5/0x160\ndrm_mode_cursor_universal+0x10e/0x270\ndrm_mode_cursor_common+0x102/0x230\n? __pfx_drm_mode_cursor2_ioctl+0x10/0x10\ndrm_ioctl_kernel+0xb2/0x110\ndrm_ioctl+0x26d/0x4b0\n? __pfx_drm_mode_cursor2_ioctl+0x10/0x10\n? __pfx_drm_ioctl+0x10/0x10\nvmw_generic_ioctl+0xa4/0x110 [vmwgfx]\n__x64_sys_ioctl+0x94/0xd0\ndo_syscall_64+0x61/0xe0\n? __x64_sys_ioctl+0xaf/0xd0\n? syscall_exit_to_user_mode+0x2b/0x40\n? do_syscall_64+0x70/0xe0\n? __x64_sys_ioctl+0xaf/0xd0\n? syscall_exit_to_user_mode+0x2b/0x40\n? do_syscall_64+0x70/0xe0\n? exc_page_fault+0x7f/0x180\nentry_SYSCALL_64_after_hwframe+0x6e/0x76\nRIP: 0033:0x7f1e93f279ed\nCode: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff f>\nRSP: 002b:00007ffca0faf600 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 000055db876ed2c0 RCX: 00007f1e93f279ed\nRDX: 00007ffca0faf6c0 RSI: 00000000c02464bb RDI: 0000000000000015\nRBP: 00007ffca0faf650 R08: 000055db87184010 R09: 0000000000000007\nR10: 000055db886471a0 R11: 0000000000000246 R12: 00007ffca0faf6c0\nR13: 00000000c02464bb R14: 0000000000000015 R15: 00007ffca0faf790\n\nModules linked in: snd_seq_dummy snd_hrtimer nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_ine>\nCR2: 0000000000000028\n---[ end trace 0000000000000000 ]---\nRIP: 0010:vmw_du_cursor_plane_cleanup_fb+0x124/0x140 [vmwgfx]\nCode: 00 00 00 75 3a 48 83 c4 10 5b 5d c3 cc cc cc cc 48 8b b3 a8 00 00 00 48 c7 c7 99 90 43 c0 e8 93 c5 db ca 48 8b 83 a8 00 00 00 <48> 8b 78 28 e8 e3 f>\nRSP: 0018:ffffb6b98216fa80 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff969d84cdcb00 RCX: 0000000000000027\nRDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff969e75f21600\nRBP: ffff969d4143\n---truncated---

See more information about CVE-2023-52648 from MITRE CVE dictionary and NIST NVD


CVSS Scoring


NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.

Base Score: 5.5 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local network Attack Complexity: Low
Privileges Required: Low User Interaction: None
Scope: Unchanged Confidentiality Impact: None
Integrity Impact: None Availability Impact: High

Errata information


PlatformErrataRelease Date
Oracle Linux version 8 (kernel)ELSA-2024-51012024-08-08
Oracle Linux version 9 (kernel)ELSA-2024-93152024-11-14


This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:

software.hardware.complete