
[LTS 9.2] CVE-2023-5633 #211


Draft: wants to merge 1 commit into base: ciqlts9_2

Conversation

pvts-mat
Contributor

@pvts-mat pvts-mat commented Apr 11, 2025

[LTS 9.2]
CVE-2023-5633
VULN-8161

Problem

https://www.cve.org/CVERecord?id=CVE-2023-5633

The reference count changes made as part of the CVE-2023-33951 and CVE-2023-33952 fixes exposed a use-after-free flaw in the way memory objects were handled when they were being used to store a surface. When running inside a VMware guest with 3D acceleration enabled, a local, unprivileged user could potentially use this flaw to escalate their privileges.

Analysis and solution

Official fix

Following https://bugzilla.redhat.com/show_bug.cgi?id=2245663

Upstream patch & commit:
https://lists.freedesktop.org/archives/dri-devel/2023-September/424805.html
torvalds/linux@91398b4

the official solution for the mainline kernel is contained in the 91398b4 commit.

Applicability analysis

The buggy commit 9ef8d83 being the source of CVE-2023-5633, fixed by 91398b4, was itself a fix of a buggy commit 8afa13a with associated additional CVE-2023-33951 and CVE-2023-33952. The following table summarizes the relations between all commits involved in the problem, hopefully clarifying the issue.

| Commit | Linux | Semantics | Fix for CVE | Comments |
|---|---|---|---|---|
| 8afa13a | 5.17 | Issue chain init | - | - |
| 9ef8d83 | 6.4 | Original fix of 8afa13a | CVE-2023-33951, CVE-2023-33952 | Identified as fix for CVE-2023-33951 in ZDI-CAN-20110, as fix for CVE-2023-33952 in ZDI-CAN-20292 |
| a950b98 | 6.2 | Backport of 9ef8d83 | CVE-2023-33951, CVE-2023-33952 | Formally not a backport, but "(cherry picked from commit 9ef8d83)" in the commit msg, so de facto a backport |
| 0a127ac | 6.1 | Backport of 9ef8d83 | CVE-2023-33951, CVE-2023-33952 | Formally a backport of a950b98 (commit msg "commit a950b98 upstream."), but the original for a950b98 is 9ef8d83 |
| 91398b4 | 6.6 | Original fix of a950b98 | CVE-2023-5633 | Identified as the fix for CVE-2023-5633 in Bugzilla 2245663 |
| 1474b39 | 6.5 | Backport of 91398b4 | CVE-2023-5633 | Formal backport ("commit 91398b4 upstream." in commit msg) |
| 104f956 | 6.1 | Backport of 91398b4 | CVE-2023-5633 | Formal backport ("commit 91398b4 upstream." in commit msg) |

The files associated with each of these commits, as would be listed by

```
git --no-pager log --pretty= --name-only -n 1 ‹hash›
```

can be gathered in the following table, defining the changes domain.

| File | 8afa13a | 9ef8d83 / a950b98 / 0a127ac | 91398b4 / 1474b39 | 104f956 |
|---|---|---|---|---|
| drivers/gpu/drm/vmwgfx/Kconfig | yes | no | no | no |
| drivers/gpu/drm/vmwgfx/Makefile | yes | no | no | no |
| drivers/gpu/drm/vmwgfx/ttm_object.c | yes | no | no | no |
| drivers/gpu/drm/vmwgfx/ttm_object.h | yes | no | no | no |
| drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | yes | yes | yes | yes |
| drivers/gpu/drm/vmwgfx/vmwgfx_bo.h | no | no | yes | no |
| drivers/gpu/drm/vmwgfx/vmwgfx_context.c | yes | no | no | no |
| drivers/gpu/drm/vmwgfx/vmwgfx_cotable.c | yes | no | yes | yes |
| drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | yes | no | no | no |
| drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | yes | no | yes | yes |
| drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | yes | yes | yes | yes |
| drivers/gpu/drm/vmwgfx/vmwgfx_fb.c | yes | no | no | no |
| drivers/gpu/drm/vmwgfx/vmwgfx_fence.c | yes | no | no | no |
| drivers/gpu/drm/vmwgfx/vmwgfx_gem.c | yes | yes | yes | yes |
| drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | yes | yes | yes | yes |
| drivers/gpu/drm/vmwgfx/vmwgfx_kms.h | yes | no | no | no |
| drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c | yes | yes | yes | yes |
| drivers/gpu/drm/vmwgfx/vmwgfx_prime.c | yes | no | no | no |
| drivers/gpu/drm/vmwgfx/vmwgfx_resource.c | yes | no | yes | yes |
| drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c | yes | no | no | no |
| drivers/gpu/drm/vmwgfx/vmwgfx_shader.c | yes | yes | yes | yes |
| drivers/gpu/drm/vmwgfx/vmwgfx_simple_resource.c | yes | no | no | no |
| drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | yes | yes | yes | yes |
| drivers/gpu/drm/vmwgfx/vmwgfx_ttm_buffer.c | yes | no | no | no |
| drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c | yes | no | no | no |
| drivers/gpu/drm/vmwgfx/vmwgfx_va.c | yes | no | no | no |

The recent history of the changes to these files is

```
git --no-pager log --decorate  --format="%h %cd %d %s" --date=short -n 11 ciqlts9_2 -- \
    drivers/gpu/drm/vmwgfx/Kconfig \
    drivers/gpu/drm/vmwgfx/Makefile \
    drivers/gpu/drm/vmwgfx/ttm_object.c \
    drivers/gpu/drm/vmwgfx/ttm_object.h \
    drivers/gpu/drm/vmwgfx/vmwgfx_bo.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_bo.h \
    drivers/gpu/drm/vmwgfx/vmwgfx_context.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_cotable.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_drv.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_drv.h \
    drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_fb.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_fence.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_gem.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_kms.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_kms.h \
    drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_prime.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_resource.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_shader.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_simple_resource.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_surface.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_ttm_buffer.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_va.c
```

```
7da1f53fe 2023-01-20  drm/vmwgfx: Validate the box size for the snooped cursor
55d637fd8 2023-01-20  drm/vmwgfx: Don't use screen objects when SEV is active
7a3deb5bc 2022-12-01  Merge DRM changes from upstream v5.19..v6.0
378bf4751 2022-12-01  Merge DRM changes from upstream v5.18..v5.19
959db9309 2022-10-25  fbdev: Track deferred-I/O pages in pageref struct
753ba0c52 2022-07-25  drm/vmwgfx: Fix an invalid read
a7ef314e5 2022-07-25  drm/vmwgfx: validate the screen formats
99fc716fc 2022-05-31  Merge DRM changes from upstream v5.17..v5.18
105d2d483 2022-05-31  Merge DRM changes from upstream v5.16..v5.17
75030c7ea 2022-05-31  Merge DRM changes from upstream v5.15..v5.16
495a018a8 2022-05-31  Merge DRM changes from upstream v5.14..v5.15
```

Consider the history of the same files in the ciqlts9_4 version

```
git --no-pager log --decorate  --format="%h %cd %d %s" --date=short -n 23 ciqlts9_4 -- \
    drivers/gpu/drm/vmwgfx/Kconfig \
    drivers/gpu/drm/vmwgfx/Makefile \
    drivers/gpu/drm/vmwgfx/ttm_object.c \
    drivers/gpu/drm/vmwgfx/ttm_object.h \
    drivers/gpu/drm/vmwgfx/vmwgfx_bo.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_bo.h \
    drivers/gpu/drm/vmwgfx/vmwgfx_context.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_cotable.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_drv.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_drv.h \
    drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_fb.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_fence.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_gem.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_kms.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_kms.h \
    drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_prime.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_resource.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_shader.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_simple_resource.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_surface.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_ttm_buffer.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_ttm_glue.c \
    drivers/gpu/drm/vmwgfx/vmwgfx_va.c
```

```
7dccc9633 2024-02-15  Merge: DRM Stable Backport 9.4 from v6.6.15
8186e461f 2024-02-02  drm/vmwgfx: Fix possible null pointer derefence with invalid contexts
9d79a103e 2024-02-01  drm: Disable the cursor plane on atomic contexts with virtualized drivers
a0b1e6061 2024-02-01  drm: Update file owner during use
b8df8e7b4 2023-12-09  Merge DRM changes from upstream v6.5..v6.6
26418f1a3 2023-12-09  Merge DRM changes from upstream v6.4..v6.5
22ac03e5c 2023-12-09  Merge DRM changes from upstream v6.3..v6.4
60c359319 2023-06-19  drm/vmwgfx: Fix Legacy Display Unit atomic drm support
9cfbbaba6 2023-06-19  Partial revert of "mm: replace vma->vm_flags direct modifications with modifier calls"
eaba25cc8 2023-06-19  Merge DRM changes from upstream v6.2..v6.3
6d713afb6 2023-06-19  Merge DRM changes from upstream v6.1..v6.2
4cb818386 2023-06-16  Merge DRM changes from upstream v6.0.8..v6.1
7da1f53fe 2023-01-20  drm/vmwgfx: Validate the box size for the snooped cursor
55d637fd8 2023-01-20  drm/vmwgfx: Don't use screen objects when SEV is active
7a3deb5bc 2022-12-01  Merge DRM changes from upstream v5.19..v6.0
378bf4751 2022-12-01  Merge DRM changes from upstream v5.18..v5.19
959db9309 2022-10-25  fbdev: Track deferred-I/O pages in pageref struct
753ba0c52 2022-07-25  drm/vmwgfx: Fix an invalid read
a7ef314e5 2022-07-25  drm/vmwgfx: validate the screen formats
99fc716fc 2022-05-31  Merge DRM changes from upstream v5.17..v5.18
105d2d483 2022-05-31  Merge DRM changes from upstream v5.16..v5.17
75030c7ea 2022-05-31  Merge DRM changes from upstream v5.15..v5.16
495a018a8 2022-05-31  Merge DRM changes from upstream v5.14..v5.15
```

The chronology of ciqlts9_4 fully contains that of ciqlts9_2, at the same time containing all three of the commits in the problem chain (or their backport equivalents):

```
                                                            _
7dccc9633  Merge: DRM Stable Backport 9.4 from v6.6.15      |9.4
8186e461f  drm/vmwgfx: Fix possible null pointer derefenc   |
9d79a103e  drm: Disable the cursor plane on atomic contex   |
a0b1e6061  drm: Update file owner during use                |
b8df8e7b4  Merge DRM changes from upstream v6.5..v6.6       |     <-- CVE-2023-5633 fix commit 91398b41
26418f1a3  Merge DRM changes from upstream v6.4..v6.5       |         contained in the merge bulk
22ac03e5c  Merge DRM changes from upstream v6.3..v6.4       |
60c359319  drm/vmwgfx: Fix Legacy Display Unit atomic drm   |
9cfbbaba6  Partial revert of "mm: replace vma->vm_flags d   |
eaba25cc8  Merge DRM changes from upstream v6.2..v6.3       |
6d713afb6  Merge DRM changes from upstream v6.1..v6.2       |     <-- CVE-2023-33951 & CVE-2023-33952
4cb818386  Merge DRM changes from upstream v6.0.8..v6.1     |  _      fix commit a950b989
7da1f53fe  drm/vmwgfx: Validate the box size for the snoo   |  |9.2   contained in the merge bulk
55d637fd8  drm/vmwgfx: Don't use screen objects when SEV    |  |
7a3deb5bc  Merge DRM changes from upstream v5.19..v6.0      |  |
378bf4751  Merge DRM changes from upstream v5.18..v5.19     |  |
959db9309  fbdev: Track deferred-I/O pages in pageref str   |  |
753ba0c52  drm/vmwgfx: Fix an invalid read                  |  |
a7ef314e5  drm/vmwgfx: validate the screen formats          |  |
99fc716fc  Merge DRM changes from upstream v5.17..v5.18     |  |
105d2d483  Merge DRM changes from upstream v5.16..v5.17     |  |  <-- Issues chain init commit 8afa13a0
75030c7ea  Merge DRM changes from upstream v5.15..v5.16     |  |      contained in the merge bulk
495a018a8  Merge DRM changes from upstream v5.14..v5.15     |  |
```

Summary and discussion

The fix for CVE-2023-5633 is contained in a commit which is not even present in the Rocky version 9.2. This may or may not mean that the vulnerability doesn't apply.

  • The mainline fix commit's classification as fixing a950b98 suggests the bug was introduced by a commit missing from the 9.2 history, therefore not applicable.
  • The wording "The reference count changes made as part of [commit a950b98 changes] exposed a use-after-free flaw" in the https://bugzilla.redhat.com/show_bug.cgi?id=2245663 comment suggests the bug was there before the a950b98 commit, possibly on the 9.2 version's timeline, therefore the CVE is applicable.

At the same time the investigation found CVE-2023-33951 and CVE-2023-33952, which definitely are applicable to Rocky 9.2, and the potential fix for CVE-2023-5633 would have to include the fix for them anyway, suggesting the broadening of scope for the vulnerability remediation. On the other hand, the amount of changes is high and the commits don't seem to isolate specific problems well, risking the broadening of scope even further, to the point of equalizing the drivers/gpu/drm/vmwgfx driver's version with that contained in Rocky 9.4. The difficulty of testing changes in this driver should also be considered.
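One way to mechanize the distinction the commit table above draws between a commit being present directly, as a formal backport ("commit ‹hash› upstream." in the message) or as a de facto backport ("(cherry picked from commit ‹hash›)"), as an added example that is not part of this PR or of any kernel tree. The throwaway repository, the branch names lts92/lts94/devel and the commit messages are constructed; 91398b4 appears only as text inside them.

```shell
#!/bin/sh
# backport_status <repo-dir> <branch> <upstream-hash>
# Prints one of: direct, formal, de-facto, absent. Exit status 1 only for absent.
# The hash may be an abbreviated prefix, as in the PR tables.
backport_status() {
    repo=$1; branch=$2; hash=$3
    # direct: the upstream commit object itself is an ancestor of the branch
    if git -C "$repo" merge-base --is-ancestor "$hash" "$branch" 2>/dev/null; then
        echo direct; return 0
    fi
    msgs=$(git -C "$repo" log --format=%B "$branch")
    # formal: stable-style trailer "commit <hash> upstream."
    if printf '%s\n' "$msgs" | grep -Eq "commit $hash[0-9a-f]* upstream\."; then
        echo formal; return 0
    fi
    # de facto: cherry-pick annotation only
    if printf '%s\n' "$msgs" | grep -Eq "cherry picked from commit $hash[0-9a-f]*"; then
        echo de-facto; return 0
    fi
    echo absent; return 1
}

# Constructed sample repository under mktemp: "lts92" holds only the base commit,
# "lts94" adds a formal backport and "devel" a cherry-pick of hash 91398b4 (which
# does not exist as an object here). Prints the repository path.
make_sample_repo() {
    dir=$(mktemp -d)
    g() { git -C "$dir" -c user.name=ex -c user.email=ex@example.invalid "$@"; }
    g init -q
    echo base > "$dir/vmwgfx_bo.c"
    g add . && g commit -q -m "drm/vmwgfx: base state"
    g checkout -q -b lts92
    g checkout -q -b lts94
    echo fixed > "$dir/vmwgfx_bo.c"
    g commit -q -am "drm/vmwgfx: backported fix

commit 91398b4 upstream."
    g checkout -q -b devel lts92
    echo fixed > "$dir/vmwgfx_bo.c"
    g commit -q -am "drm/vmwgfx: picked fix

(cherry picked from commit 91398b4)"
    echo "$dir"
}
```

Run against a real tree as `backport_status /path/to/kernel ciqlts9_2 91398b4`; for a branch built from bulk merges, as in the 9.4 history above, only the direct check can succeed, since the merge commits carry no per-fix trailers.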
