Linux Kernel Out-of-Bounds Read Vulnerability in DRM/xe via MADVISE IOCTL

Vulnerability

A vulnerability in the Linux kernel's Direct Rendering Manager (DRM) driver for Intel Xe graphics can lead to an out-of-bounds read of kernel memory. The issue is triggered when a user supplies an invalid 'pat_index' value through the 'madvise' IOCTL. The 'madvise_args_are_sane()' function passes 'pat_index' to 'xe_pat_index_get_coh_mode()' without first verifying that it falls within the valid range, and 'xe_pat_index_get_coh_mode()' then indexes the 'xe->pat.table' array without a bounds check, so memory beyond the end of the array can be read. A warning in debug builds catches the bad index, but production kernels carry no such check, so the vulnerability persists there.
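The pattern described above, reduced to a stand-alone C illustration: a lookup indexed by a user-controlled 'pat_index' beside the same lookup with the range check that belongs in the argument sanity routine. This is an added example, not code from the Linux kernel or the xe driver; the table contents, the 'pat_entry' and 'madvise_args' structures, and every function name here are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdint.h>
#include <errno.h>

/* Constructed stand-in for the driver's PAT table. Each entry records the
 * coherency mode attached to one PAT index. Values are illustrative only. */
enum coh_mode { COH_NONE = 0, COH_1WAY = 1, COH_2WAY = 2 };

struct pat_entry {
    uint32_t value;          /* hardware encoding (placeholder) */
    enum coh_mode coh_mode;  /* coherency mode for this index */
};

#define PAT_TABLE_SIZE 4u
static const struct pat_entry pat_table[PAT_TABLE_SIZE] = {
    { 0x0, COH_NONE }, { 0x1, COH_NONE }, { 0x2, COH_1WAY }, { 0x3, COH_2WAY },
};

/* Vulnerable pattern: the index is trusted and used directly. Any
 * pat_index >= PAT_TABLE_SIZE reads past the end of the table (undefined
 * behaviour in userspace; an info leak in a kernel). Never call this with an
 * unvalidated index; it is kept here only to show the defect next to the fix. */
static enum coh_mode coh_mode_unchecked(uint32_t pat_index)
{
    return pat_table[pat_index].coh_mode;
}

/* Hardened pattern: validate before indexing. Returns the coherency mode
 * (>= 0) or -EINVAL for an index outside the table. */
static int pat_index_get_coh_mode(uint32_t pat_index)
{
    if (pat_index >= PAT_TABLE_SIZE)
        return -EINVAL;
    return (int)pat_table[pat_index].coh_mode;
}

/* Constructed stand-in for the ioctl argument check: every user-supplied
 * index must be validated here, before any table lookup depends on it. */
struct madvise_args {
    uint32_t pat_index;
};

static int madvise_args_sane(const struct madvise_args *args)
{
    int mode = pat_index_get_coh_mode(args->pat_index);

    if (mode < 0)
        return mode;            /* reject the request with -EINVAL */
    /* further checks on the returned mode would follow here */
    return 0;
}

int main(void)
{
    struct madvise_args ok  = { .pat_index = 2 };
    struct madvise_args bad = { .pat_index = PAT_TABLE_SIZE + 100 };

    printf("in-range index 2 (unchecked lookup): mode %d\n", coh_mode_unchecked(ok.pat_index));
    printf("in-range args  -> %d\n", madvise_args_sane(&ok));
    printf("out-of-range args -> %d (expected %d)\n", madvise_args_sane(&bad), -EINVAL);
    return 0;
}
```

The important design choice is that 'pat_index_get_coh_mode()' owns the range check and signals failure through its return value, so a caller cannot reach the table with a bad index even if it forgets to validate; the sanity routine simply propagates the error to userspace.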

Impact

Exploitation of this vulnerability allows out-of-bounds reads from kernel memory, which could be used to disclose sensitive kernel data or to influence program execution.

Reproduction

To reproduce this vulnerability, send a 'madvise' IOCTL request whose 'pat_index' value exceeds the bounds of the 'xe->pat.table' array. 'xe_pat_index_get_coh_mode()' then performs an unchecked array access, resulting in an out-of-bounds read.

Remediation

Users should upgrade to a Linux kernel version that includes the fix. The patch is available in the official Linux Git repository.

Added: May 6, 2026, 12:27 PM
Updated: May 6, 2026, 12:27 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 7.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.