Linux Kernel Local Memory Translation Table Vulnerability in DRM/xe Component

Vulnerability

A vulnerability exists in the Linux kernel's handling of Local Memory Translation Table (LMTT) pages within the Direct Rendering Manager (DRM) xe component. When allocating buffer objects in local memory (LMEM), the kernel does not clear the LMTT pages by default. During virtual function (VF) provisioning, LMTT Page Table Entries (PTEs) are set up only for the provisioned LMEM range, so the remaining entries can keep stale data that may reference other VFs' allocations or even point to physical function (PF) pages. A malicious VF could exploit this gap.

Impact

Failure to clear LMTT pages on allocation can lead to unauthorized access or manipulation of memory, potentially allowing a malicious VF to exploit stale data references.

Reproduction

The vulnerability can be reproduced by allocating LMEM buffer objects without the LMTT pages being cleared. During VF provisioning, only the LMTT PTEs for the provisioned LMEM range are set up, leaving the possibility of stale data being referenced.

Remediation

The vulnerability has been addressed in the Linux kernel by explicitly clearing all new LMTT pages on allocation. This update is available in the Linux kernel stable tree.
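
The following user-space model is an added illustration, not the kernel's code: it shows a recycled table page keeping valid entries outside the provisioned range unless it is cleared on allocation. The function names, the 512-entry table, the valid bit and the addresses are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PTES_PER_PAGE 512   /* assumed table size, not the hardware's */
#define PTE_VALID     1ull  /* assumed layout: bit 0 marks a live entry */
/* One backing page that gets reused, standing in for recycled LMEM. */
static uint64_t backing[PTES_PER_PAGE];

/* Hypothetical allocator: hands back the recycled page, optionally zeroed. */
static uint64_t *lmtt_page_alloc(int clear_on_alloc)
{
    if (clear_on_alloc)
        memset(backing, 0, sizeof(backing));
    return backing;
}

/* Provisioning writes PTEs only for entries [first, first + count). */
static void provision(uint64_t *pt, unsigned first, unsigned count, uint64_t base)
{
    for (unsigned i = 0; i < count; i++)
        pt[first + i] = (base + ((uint64_t)i << 12)) | PTE_VALID;
}

/* Valid entries outside the provisioned range are stale translations. */
static unsigned stale_entries(const uint64_t *pt, unsigned first, unsigned count)
{
    unsigned n = 0;
    for (unsigned i = 0; i < PTES_PER_PAGE; i++)
        n += (i < first || i >= first + count) && (pt[i] & PTE_VALID);
    return n;
}

/* An earlier user leaves 64 valid entries; the new VF is provisioned with 16. */
static unsigned run_model(int clear_on_alloc)
{
    memset(backing, 0, sizeof(backing));
    provision(lmtt_page_alloc(0), 0, 64, 0x100000000ull); /* earlier contents */
    uint64_t *pt = lmtt_page_alloc(clear_on_alloc);       /* page is recycled */
    provision(pt, 0, 16, 0x200000000ull);
    return stale_entries(pt, 0, 16);
}

int main(void)
{
    printf("no clear:       %u stale PTEs\n", run_model(0));
    printf("clear on alloc: %u stale PTEs\n", run_model(1));
    return 0;
}
```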

Added: Aug 16, 2025, 11:28 AM
Updated: Aug 16, 2025, 11:28 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 5.0
exploitability: 4.3
remediation: 7.7
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.