Linux Kernel PAT Index Validation Vulnerability in DRM/xe UAPI

Vulnerability

A vulnerability exists in the Linux kernel's DRM/xe user API (UAPI), specifically in the memory advice (madvise) handling. The madvise path accepts a PAT index whose coherency mode is 'coh_none' for CPU cached memory, which can lead to the leakage of sensitive data. When the kernel clears memory pages before they are reallocated, the zeroing writes can remain in the CPU cache without having reached DRAM. A GPU operating under the 'coh_none' mode can bypass the CPU cache and read the stale data directly from DRAM. This could expose information from previously freed memory pages of other processes. The vulnerability affects Linux kernel versions 6.18 and later.

Impact

Exploitation of this vulnerability could allow a GPU to bypass cache coherency on CPU cached memory and read stale, sensitive data, potentially leaking information from other processes.

Reproduction

The vulnerability can be reproduced by using the 'madvise' ioctl with a PAT index that has 'coh_none' coherency mode, applied to CPU cached memory on an integrated GPU. This can be done by selecting the appropriate PAT index and memory range that includes CPU cached buffers, which will then be processed by the 'xe_vm_madvise_ioctl' function without the necessary validation to reject the 'coh_none' index.
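
The validation described above as missing, modeled as an added example in user-space C. This is not the kernel's or the xe driver's code: the type names, the PAT table contents and the sample mappings are constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model types, not the xe driver's own definitions. */
enum coh_mode { COH_NONE, COH_AT_LEAST_1WAY };
enum cpu_caching { CACHING_WC, CACHING_WB };  /* WB = CPU cached */

struct mapping {              /* one buffer mapped into the VM */
    uint64_t start, end;      /* covers [start, end) */
    enum cpu_caching caching;
};

/* Constructed PAT table (index -> coherency mode); values are illustrative. */
static const enum coh_mode pat_table[] = {
    COH_NONE, COH_AT_LEAST_1WAY, COH_AT_LEAST_1WAY, COH_NONE,
};
#define PAT_COUNT (sizeof(pat_table) / sizeof(pat_table[0]))

/* Constructed sample layout: a CPU cached buffer followed by a WC one. */
static const struct mapping sample_maps[] = {
    { 0x1000, 0x3000, CACHING_WB },
    { 0x3000, 0x5000, CACHING_WC },
};
#define SAMPLE_COUNT (sizeof(sample_maps) / sizeof(sample_maps[0]))

/* Check a request to apply pat_index to [start, end): 0 if ok, else -EINVAL. */
static int validate_pat_madvise(const struct mapping *maps, size_t n,
                                uint64_t start, uint64_t end, uint32_t pat_index)
{
    if (start >= end || pat_index >= PAT_COUNT)
        return -EINVAL;       /* empty range or index outside the table */
    if (pat_table[pat_index] != COH_NONE)
        return 0;             /* GPU access stays coherent with the CPU cache */
    for (size_t i = 0; i < n; i++) {
        int overlaps = maps[i].start < end && start < maps[i].end;
        if (overlaps && maps[i].caching == CACHING_WB)
            return -EINVAL;   /* coh_none would read DRAM behind cached lines */
    }
    return 0;
}

int main(void)
{
    printf("cached: %d, WC only: %d\n",
           validate_pat_madvise(sample_maps, SAMPLE_COUNT, 0x1000, 0x2000, 0),
           validate_pat_madvise(sample_maps, SAMPLE_COUNT, 0x3000, 0x5000, 0));
    return 0;
}
```

The check walks every mapping the range touches, so a request that spans a CPU cached buffer and an uncached one is rejected as a whole.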

Remediation

Users can upgrade to the latest version of the Linux kernel, where this vulnerability has been addressed. Instructions for downloading the latest kernel version can be found on the official Linux kernel website.

Added: Jun 8, 2026, 5:38 PM
Updated: Jun 8, 2026, 5:38 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 9.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.