Description
In the Linux kernel, the following vulnerability has been resolved: drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise When user provides a bogus pat_index value through the madvise IOCTL, the xe_pat_index_get_coh_mode() function performs an array access without validating bounds. This allows a malicious user to trigger an out-of-bounds kernel read from the xe->pat.table array. The vulnerability exists because the validation in madvise_args_are_sane() directly calls xe_pat_index_get_coh_mode(xe, args->pat_index.val) without first checking if pat_index is within [0, xe->pat.n_entries). Although xe_pat_index_get_coh_mode() has a WARN_ON to catch this in debug builds, it still performs the unsafe array access in production kernels. v2(Matthew Auld) - Using array_index_nospec() to mitigate spectre attacks when the value is used v3(Matthew Auld) - Put the declarations at the start of the block (cherry picked from commit 944a3329b05510d55c69c2ef455136e2fc02de29)
Product status
ada7486c5668db542a7d361268df931aca5b726a (git) before ffba51100ff61792fefbae11ca38ac1987a818dd
ada7486c5668db542a7d361268df931aca5b726a (git) before 79f52655567a6471ff3d0d6325ede91bb14461f4
ada7486c5668db542a7d361268df931aca5b726a (git) before fbbe32618e97eff81577a01eb7d9adcd64a216d7
6.18
Any version before 6.18
6.18.16 (semver)
6.19.6 (semver)
7.0 (original_commit_for_fix)
References
git.kernel.org/...c/ffba51100ff61792fefbae11ca38ac1987a818dd
git.kernel.org/...c/79f52655567a6471ff3d0d6325ede91bb14461f4
git.kernel.org/...c/fbbe32618e97eff81577a01eb7d9adcd64a216d7