Linux Kernel Nouveau DRM Use-After-Free Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's Nouveau Direct Rendering Manager (DRM) component. The issue arises in the 'nouveau_gem_prime_import_sg_table()' function, where 'nouveau_bo_init()' relies on 'ttm_bo_init()' to initialize a buffer object. If 'nouveau_bo_init()' fails, the memory is freed, but the GEM object has already been released. Consequently, a subsequent call to 'nouveau_bo_ref()' attempts to access the freed memory, leading to a use-after-free condition. This vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability causes a use-after-free condition, which can lead to memory corruption and potentially allow for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by invoking the 'nouveau_gem_prime_import_sg_table()' function with parameters that trigger a failure in 'nouveau_bo_init()'. This can be done by simulating a scenario where the initialization process encounters an error, causing the function to free the memory before it can be properly referenced. This sequence of events creates the use-after-free condition by attempting to access a memory location that has already been released.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.