{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-41094","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-07-12T12:17:45.637Z","datePublished":"2024-07-29T15:48:07.508Z","dateUpdated":"2025-05-04T09:21:57.437Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T09:21:57.437Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/fbdev-dma: Only set smem_start is enable per module option\n\nOnly export struct fb_info.fix.smem_start if that is required by the\nuser and the memory does not come from vmalloc().\n\nSetting struct fb_info.fix.smem_start breaks systems where DMA\nmemory is backed by vmalloc address space. An example error is\nshown below.\n\n[    3.536043] ------------[ cut here ]------------\n[    3.540716] virt_to_phys used for non-linear address: 000000007fc4f540 (0xffff800086001000)\n[    3.552628] WARNING: CPU: 4 PID: 61 at arch/arm64/mm/physaddr.c:12 __virt_to_phys+0x68/0x98\n[    3.565455] Modules linked in:\n[    3.568525] CPU: 4 PID: 61 Comm: kworker/u12:5 Not tainted 6.6.23-06226-g4986cc3e1b75-dirty #250\n[    3.577310] Hardware name: NXP i.MX95 19X19 board (DT)\n[    3.582452] Workqueue: events_unbound deferred_probe_work_func\n[    3.588291] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[    3.595233] pc : __virt_to_phys+0x68/0x98\n[    3.599246] lr : __virt_to_phys+0x68/0x98\n[    3.603276] sp : ffff800083603990\n[    3.677939] Call trace:\n[    3.680393]  __virt_to_phys+0x68/0x98\n[    3.684067]  drm_fbdev_dma_helper_fb_probe+0x138/0x238\n[    3.689214]  __drm_fb_helper_initial_config_and_unlock+0x2b0/0x4c0\n[    3.695385]  drm_fb_helper_initial_config+0x4c/0x68\n[    3.700264]  drm_fbdev_dma_client_hotplug+0x8c/0xe0\n[    3.705161]  drm_client_register+0x60/0xb0\n[    3.709269]  drm_fbdev_dma_setup+0x94/0x148\n\nAdditionally, DMA memory is assumed to by contiguous in physical\naddress space, which is not guaranteed by vmalloc().\n\nResolve this by checking the module flag drm_leak_fbdev_smem when\nDRM allocated the instance of struct fb_info. Fbdev-dma then only\nsets smem_start only if required (via FBINFO_HIDE_SMEM_START). Also\nguarantee that the framebuffer is not located in vmalloc address\nspace."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/gpu/drm/drm_fb_helper.c","drivers/gpu/drm/drm_fbdev_dma.c"],"versions":[{"version":"a51c7663f144606a5f08e772fa3e1e4f2277a614","lessThan":"f29fcfbf6067c0d8c83f84a045da9276c08deac5","status":"affected","versionType":"git"},{"version":"a51c7663f144606a5f08e772fa3e1e4f2277a614","lessThan":"00702cfa8432ac67a72f56de5e1d278ddea2ebde","status":"affected","versionType":"git"},{"version":"a51c7663f144606a5f08e772fa3e1e4f2277a614","lessThan":"d92a7580392ad4681b1d4f9275d00b95375ebe01","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/gpu/drm/drm_fb_helper.c","drivers/gpu/drm/drm_fbdev_dma.c"],"versions":[{"version":"6.4","status":"affected"},{"version":"0","lessThan":"6.4","status":"unaffected","versionType":"semver"},{"version":"6.6.37","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.9.8","lessThanOrEqual":"6.9.*","status":"unaffected","versionType":"semver"},{"version":"6.10","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"6.6.37"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"6.9.8"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"6.10"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/f29fcfbf6067c0d8c83f84a045da9276c08deac5"},{"url":"https://git.kernel.org/stable/c/00702cfa8432ac67a72f56de5e1d278ddea2ebde"},{"url":"https://git.kernel.org/stable/c/d92a7580392ad4681b1d4f9275d00b95375ebe01"}],"title":"drm/fbdev-dma: Only set smem_start is enable per module option","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T04:46:52.465Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/f29fcfbf6067c0d8c83f84a045da9276c08deac5","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/00702cfa8432ac67a72f56de5e1d278ddea2ebde","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/d92a7580392ad4681b1d4f9275d00b95375ebe01","tags":["x_transferred"]}]},{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-41094","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-09-10T16:20:29.018042Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-09-11T17:33:09.433Z"}}]}}