CVE-2023-53112 Information

Description

In the Linux kernel the following vulnerability has been resolved:

drm/i915/sseu: fix max_subslices array-index-out-of-bounds access

It seems that commit bc3c5e0809ae (\drm/i915/sseu: Don’t try to store EU mask internally in UAPI format) exposed a potential out-of-bounds access reported by UBSAN as following on a laptop with a gen 11 i915 card:

UBSAN: array-index-out-of-bounds in drivers/gpu/drm/i915/gt/intel_sseu.c:65:27 index 6 is out of range for type ‘u16 [6]’ CPU: 2 PID: 165 Comm: systemd-udevd Not tainted 6.2.0-9-generic 9-Ubuntu Hardware name: Dell Inc. XPS 13 9300/077Y9N BIOS 1.11.0 03/22/2022 Call Trace: show_stack+0x4e/0x61 dump_stack_lvl+0x4a/0x6f dump_stack+0x10/0x18 ubsan_epilogue+0x9/0x3a __ubsan_handle_out_of_bounds.cold+0x42/0x47 gen11_compute_sseu_info+0x121/0x130 [i915] intel_sseu_info_init+0x15d/0x2b0 [i915] intel_gt_init_mmio+0x23/0x40 [i915] i915_driver_mmio_probe+0x129/0x400 [i915] ? intel_gt_probe_all+0x91/0x2e0 [i915] i915_driver_probe+0xe1/0x3f0 [i915] ? drm_privacy_screen_get+0x16d/0x190 [drm] ? acpi_dev_found+0x64/0x80 i915_pci_probe+0xac/0x1b0 [i915] …

According to the definition of sseu_dev_info eu_mask->hsw is limited to a maximum of GEN_MAX_SS_PER_HSW_SLICE (6) sub-slices but gen11_sseu_info_init() can potentially set 8 sub-slices in the !IS_JSL_EHL(gt->i915) case.

Fix this by reserving up to 8 slots for max_subslices in the eu_mask struct.

(cherry picked from commit 3cba09a6ac86ea1d456909626eb2685596c07822)

Reference

https://git.kernel.org/stable/c/193c41926d152761764894f46e23b53c00186a82 https://git.kernel.org/stable/c/1a1682abf7399318ac074b1f2ac6a8c992b5b3da https://git.kernel.org/stable/c/36b076ab6247cf0d2135b2ad6bb337617c3b5a1b