Linux Kernel IVPU Acceleration Page Fault Vulnerability

A vulnerability in the Linux kernel's IVPU acceleration component has been addressed. The issue arose because the function 'ivpu_gem_create_object' was improperly managing buffer objects (BOs) during creation. When 'drm_gem_shmem_create' failed, it left a deleted BO on the list, causing a page fault when 'ivpu_bo_unbind_all_bos_from_context' was called. The vulnerability affected several versions of the Linux kernel.

Impact

The vulnerability could lead to a page fault, causing a denial of service by crashing the system or application that uses the affected IVPU acceleration component.

Reproduction

The vulnerability can be reproduced by creating a buffer object using the 'ivpu_gem_create_object' function. If the 'drm_gem_shmem_create' function fails during this process, the buffer object will not be fully created, and the 'ivpu_gem_bo_free' callback will not be triggered. This failure leaves a deleted buffer object on the list, which can then cause a page fault when 'ivpu_bo_unbind_all_bos_from_context' is called, unbinding all buffer objects from the context and leading to a crash.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the latest kernel version can be found on the official Linux kernel website.