{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-49876", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-10-21T12:17:06.020Z", "datePublished": "2024-10-21T18:01:16.098Z", "dateUpdated": "2024-11-05T09:50:33.826Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:50:33.826Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: fix UAF around queue destruction\n\nWe currently do stuff like queuing the final destruction step on a\nrandom system wq, which will outlive the driver instance. With bad\ntiming we can teardown the driver with one or more work workqueue still\nbeing alive leading to various UAF splats. Add a fini step to ensure\nuser queues are properly torn down. At this point GuC should already be\nnuked so queue itself should no longer be referenced from hw pov.\n\nv2 (Matt B)\n - Looks much safer to use a waitqueue and then just wait for the\n xa_array to become empty before triggering the drain.\n\n(cherry picked from commit 861108666cc0e999cffeab6aff17b662e68774e3)"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/xe/xe_device.c", "drivers/gpu/drm/xe/xe_device_types.h", "drivers/gpu/drm/xe/xe_guc_submit.c", "drivers/gpu/drm/xe/xe_guc_types.h"], "versions": [{"version": "dd08ebf6c352", "lessThan": "272b0e788745", "status": "affected", "versionType": "git"}, {"version": "dd08ebf6c352", "lessThan": "421c74670b0f", "status": "affected", "versionType": "git"}, {"version": "dd08ebf6c352", "lessThan": "2d2be279f1ca", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/xe/xe_device.c", "drivers/gpu/drm/xe/xe_device_types.h", "drivers/gpu/drm/xe/xe_guc_submit.c", "drivers/gpu/drm/xe/xe_guc_types.h"], "versions": [{"version": "6.8", "status": "affected"}, {"version": "0", "lessThan": "6.8", "status": "unaffected", "versionType": "semver"}, {"version": "6.10.14", "lessThanOrEqual": "6.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.11.3", "lessThanOrEqual": "6.11.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "references": [{"url": "https://git.kernel.org/stable/c/272b0e78874586d6ccae04079d75b27b47705544"}, {"url": "https://git.kernel.org/stable/c/421c74670b0f9d5c007f1276d3647aa58f407fde"}, {"url": "https://git.kernel.org/stable/c/2d2be279f1ca9e7288282d4214f16eea8a727cdb"}], "title": "drm/xe: fix UAF around queue destruction", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-49876", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-22T13:46:17.394123Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T13:48:51.208Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-49876", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-22T13:46:17.394123Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T13:46:20.517Z"}}], "cna": {"title": "drm/xe: fix UAF around queue destruction", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "dd08ebf6c352", "lessThan": "272b0e788745", "versionType": "git"}, {"status": "affected", "version": "dd08ebf6c352", "lessThan": "421c74670b0f", "versionType": "git"}, {"status": "affected", "version": "dd08ebf6c352", "lessThan": "2d2be279f1ca", "versionType": "git"}], "programFiles": ["drivers/gpu/drm/xe/xe_device.c", "drivers/gpu/drm/xe/xe_device_types.h", "drivers/gpu/drm/xe/xe_guc_submit.c", "drivers/gpu/drm/xe/xe_guc_types.h"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.8"}, {"status": "unaffected", "version": "0", "lessThan": "6.8", "versionType": "semver"}, {"status": "unaffected", "version": "6.10.14", "versionType": "semver", "lessThanOrEqual": "6.10.*"}, {"status": "unaffected", "version": "6.11.3", "versionType": "semver", "lessThanOrEqual": "6.11.*"}, {"status": "unaffected", "version": "6.12-rc2", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/gpu/drm/xe/xe_device.c", "drivers/gpu/drm/xe/xe_device_types.h", "drivers/gpu/drm/xe/xe_guc_submit.c", "drivers/gpu/drm/xe/xe_guc_types.h"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/272b0e78874586d6ccae04079d75b27b47705544"}, {"url": "https://git.kernel.org/stable/c/421c74670b0f9d5c007f1276d3647aa58f407fde"}, {"url": "https://git.kernel.org/stable/c/2d2be279f1ca9e7288282d4214f16eea8a727cdb"}], "x_generator": {"engine": "bippy-9e1c9544281a"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: fix UAF around queue destruction\n\nWe currently do stuff like queuing the final destruction step on a\nrandom system wq, which will outlive the driver instance. With bad\ntiming we can teardown the driver with one or more work workqueue still\nbeing alive leading to various UAF splats. Add a fini step to ensure\nuser queues are properly torn down. At this point GuC should already be\nnuked so queue itself should no longer be referenced from hw pov.\n\nv2 (Matt B)\n - Looks much safer to use a waitqueue and then just wait for the\n xa_array to become empty before triggering the drain.\n\n(cherry picked from commit 861108666cc0e999cffeab6aff17b662e68774e3)"}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-05T09:50:33.826Z"}}}, "cveMetadata": {"cveId": "CVE-2024-49876", "state": "PUBLISHED", "dateUpdated": "2024-11-05T09:50:33.826Z", "dateReserved": "2024-10-21T12:17:06.020Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-10-21T18:01:16.098Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E3AE738-A62B-4806-9D9C-933998214C6A", "versionEndExcluding": "6.10.14", "versionStartIncluding": "6.8", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "54D9C704-D679-41A7-9C40-10A6B1E7FFE9", "versionEndExcluding": "6.11.3", "versionStartIncluding": "6.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*", "matchCriteriaId": "7F361E1D-580F-4A2D-A509-7615F73167A1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: fix UAF around queue destruction\n\nWe currently do stuff like queuing the final destruction step on a\nrandom system wq, which will outlive the driver instance. With bad\ntiming we can teardown the driver with one or more work workqueue still\nbeing alive leading to various UAF splats. Add a fini step to ensure\nuser queues are properly torn down. At this point GuC should already be\nnuked so queue itself should no longer be referenced from hw pov.\n\nv2 (Matt B)\n - Looks much safer to use a waitqueue and then just wait for the\n xa_array to become empty before triggering the drain.\n\n(cherry picked from commit 861108666cc0e999cffeab6aff17b662e68774e3)"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/xe: corregir UAF en torno a la destrucci\u00f3n de cola Actualmente hacemos cosas como poner en cola el paso de destrucci\u00f3n final en un wq de sistema aleatorio, que sobrevivir\u00e1 a la instancia del controlador. Con un mal momento, podemos desmantelar el controlador con una o m\u00e1s colas de trabajo de trabajo a\u00fan activas, lo que genera varios splats de UAF. Agregue un paso fini para garantizar que las colas de usuario se desmantelen correctamente. En este punto, GuC ya deber\u00eda estar destruido, por lo que la cola en s\u00ed ya no deber\u00eda ser referenciada desde el punto de vista del hardware. v2 (Matt B): parece mucho m\u00e1s seguro usar una cola de espera y luego simplemente esperar a que xa_array se vac\u00ede antes de activar el drenaje. (seleccionado de el commit 861108666cc0e999cffeab6aff17b662e68774e3)"}], "id": "CVE-2024-49876", "lastModified": "2024-10-24T19:57:06.843", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-10-21T18:15:09.450", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/272b0e78874586d6ccae04079d75b27b47705544"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2d2be279f1ca9e7288282d4214f16eea8a727cdb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/421c74670b0f9d5c007f1276d3647aa58f407fde"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: drm/xe: fix UAF around queue destruction", "id": "2320528", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2320528"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\ndrm/xe: fix UAF around queue destruction\nWe currently do stuff like queuing the final destruction step on a\nrandom system wq, which will outlive the driver instance. With bad\ntiming we can teardown the driver with one or more work workqueue still\nbeing alive leading to various UAF splats. Add a fini step to ensure\nuser queues are properly torn down. At this point GuC should already be\nnuked so queue itself should no longer be referenced from hw pov.\nv2 (Matt B)\n- Looks much safer to use a waitqueue and then just wait for the\nxa_array to become empty before triggering the drain.\n(cherry picked from commit 861108666cc0e999cffeab6aff17b662e68774e3)"], "name": "CVE-2024-49876", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-10-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-49876\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-49876\nhttps://lore.kernel.org/linux-cve-announce/2024102115-CVE-2024-49876-7fe2@gregkh/T"], "threat_severity": "Moderate"}