Linux Kernel GEM Handle Reference Vulnerability in Framebuffers

Vulnerability

A vulnerability exists in the Linux kernel's Graphics Execution Manager (GEM) handling, specifically in how buffer objects attached to Direct Rendering Manager (DRM) framebuffers are tracked. A GEM handle can be released while the associated buffer object is still attached to a framebuffer. Releasing the handle also releases the dma-buf that backs the buffer object, if one exists. The framebuffer is then left pointing at a buffer object whose backing dma-buf is gone, and a segmentation fault occurs when the framebuffer is used in a subsequent mode-setting operation. The issue is particularly pronounced with drivers that employ shadow planes, because they vmap the dma-buf during a page flip. The root cause is a reference-counting problem: the framebuffer did not hold a reference on the GEM handle, so nothing kept the dma-buf alive once the handle was released, and the crash happens when the system attempts to access the unmapped memory.

Impact

Exploitation of this vulnerability causes a segmentation fault, leading to a crash of the graphics subsystem and potentially disrupting any active graphical applications or processes.

Reproduction

The vulnerability can be reproduced by creating a GEM buffer object and attaching it to a DRM framebuffer. Once the framebuffer is in use, release the GEM handle without properly managing the reference count. This can be done through a driver that uses shadow planes, which will vmap the dma-buf during a page flip. The resulting segmentation fault can be observed in the system logs, where the crash is traced back to the improper handling of the dma-buf vmap operation.

Remediation

The vulnerability has been addressed by modifying the GEM handling functions to properly acquire and release references on the GEM handles associated with framebuffers. Users should update to the latest version of the Linux kernel where this fix has been applied.
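The reference-counting flaw and its fix, as a simplified user-space model in C. This is an added example, not kernel code or the kernel's actual patch; the struct, field and function names are hypothetical, and the dma-buf is reduced to a single flag.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified user-space model of the two counters involved. All names are
 * hypothetical: this is not kernel code and it touches no DRM device. */
struct gem_obj {
    int refcount;       /* keeps the object itself alive */
    int handle_count;   /* keeps the backing dma-buf attached */
    bool dma_buf_alive; /* constructed state: object backed by a dma-buf */
};

static void handle_put(struct gem_obj *o) {
    if (--o->handle_count == 0)   /* last handle reference is gone ... */
        o->dma_buf_alive = false; /* ... so the dma-buf is released */
}

/* 'fixed' selects the remediated behaviour: the framebuffer holds a handle
 * reference in addition to its object reference. */
static void fb_attach(struct gem_obj *o, bool fixed) {
    o->refcount++;
    if (fixed)
        o->handle_count++;
}
static void fb_detach(struct gem_obj *o, bool fixed) {
    if (fixed)
        handle_put(o);
    o->refcount--;
}

/* The handle is closed while the framebuffer is in use, then a shadow-plane
 * page flip must vmap the dma-buf. Returns false where the kernel would fault;
 * *torn_down (optional) reports whether removing the fb released everything. */
static bool flip_after_handle_close(bool fixed, bool *torn_down) {
    struct gem_obj o = { .refcount = 1, .handle_count = 1, .dma_buf_alive = true };
    fb_attach(&o, fixed);
    handle_put(&o);               /* userspace closes its GEM handle ... */
    o.refcount--;                 /* ... dropping that handle's object reference */
    bool vmap_ok = o.dma_buf_alive;
    fb_detach(&o, fixed);
    if (torn_down)
        *torn_down = !o.dma_buf_alive && o.refcount == 0;
    return vmap_ok;
}

int main(void) {
    printf("before fix: vmap ok=%d\n", flip_after_handle_close(false, NULL));
    printf("after fix:  vmap ok=%d\n", flip_after_handle_close(true, NULL));
    return 0;
}
```

In the fixed model the dma-buf is still released once the framebuffer is removed, so the extra handle reference does not turn the crash into a leak.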

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.