Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's handling of non-page aligned memory copies in the DRM/xe subsystem can lead to an assertion failure. This issue arises because the copy dimensions can exceed the S16_MAX limit of the copy command, causing a copy size overflow. The vulnerability is present in the Linux kernel stable tree, specifically in versions that include the upstream commit 4126cb327a2e3273c81fcef1c594c5b7b645c44c.
Exploitation of this vulnerability causes a copy size overflow, leading to an assertion failure in the DRM/xe subsystem.
The vulnerability can be reproduced by performing a non-page aligned memory copy in the DRM/xe subsystem on a BATTLEMAGE platform. The copy size should be close to the maximum limit of approximately 8MB, while using a 4-byte aligned pitch. With this combination, the copy dimensions exceed the S16_MAX limit of the copy command and trigger the assertion failure.
Users can apply the patch available in the Linux kernel stable tree commit 4126cb327a2e3273c81fcef1c594c5b7b645c44c to address this vulnerability.