Linux Kernel Memory Management Vulnerability in DRM Property Blob Allocation

A vulnerability in the Linux kernel's Direct Rendering Manager (DRM) component allows unprivileged users to allocate arbitrary-sized property blobs using the DRM_IOCTL_MODE_CREATEPROPBLOB command. These blobs are backed by kernel memory, but the memory allocation is not properly accounted for in the process's memory control group (memcg). This oversight can lead to unbounded kernel memory consumption, potentially causing a system-wide out-of-memory condition. The vulnerability has been addressed by modifying the allocation method to include memory accounting, ensuring that the existing cgroup memory limits are enforced and preventing uncontrolled growth of kernel memory.

Impact

Exploitation of this vulnerability could result in excessive kernel memory usage, leading to a system-wide out-of-memory condition.

Reproduction

The vulnerability can be reproduced by using the DRM_IOCTL_MODE_CREATEPROPBLOB command to allocate property blobs. Unprivileged users can trigger this allocation, which will consume kernel memory without proper accounting to their memory control group. This can be done repeatedly to exhaust available system memory, causing an out-of-memory condition.

Remediation

Users should update to the patched version of the Linux kernel where this vulnerability has been addressed. Instructions for downloading the latest stable kernel can be found on the official Linux kernel website.