CVE-2024-26657: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

drm/sched: fix null-ptr-deref in init entity

The bug can be triggered by sending an amdgpu_cs_wait_ioctl to the AMDGPU DRM driver on any ASICs with a valid context. The bug was reported by Joonkyo Jung <joonkyoj@yonsei.ac.kr>. For example the following code:

    static void Syzkaller2(int fd)
    {
        union drm_amdgpu_ctx arg1;
        union drm_amdgpu_wait_cs arg2;
        int ret;

        /* allocate a GPU context ... */
        arg1.in.op = AMDGPU_CTX_OP_ALLOC_CTX;
        ret = drmIoctl(fd, 0x140106442 /* amdgpu_ctx_ioctl */, &arg1);

        /* ... then wait on a command submission that was never made */
        arg2.in.handle = 0x0;
        arg2.in.timeout = 0x2000000000000;
        arg2.in.ip_type = AMD_IP_VPE /* 0x9 */;
        arg2.in.ip_instance = 0x0;
        arg2.in.ring = 0x0;
        arg2.in.ctx_id = arg1.out.alloc.ctx_id;
        drmIoctl(fd, 0xc0206449 /* AMDGPU_WAIT_CS */, &arg2);
    }

One might assume that the ioctl AMDGPU_WAIT_CS without a previously submitted job should return an error, but the following commit 1decbf6bb0b4dc56c9da6c5e57b994ebfc2be3aa modified the logic and allowed sched_rq to be NULL. As a result, when there is no job the ioctl AMDGPU_WAIT_CS returns success.

The change fixes the null-ptr-deref in init entity, and the stack below demonstrates the error condition:

    [ +0.000007] BUG: kernel NULL pointer dereference, address: 0000000000000028
    [ +0.007086] #PF: supervisor read access in kernel mode
    [ +0.005234] #PF: error_code(0x0000) - not-present page
    [ +0.005232] PGD 0 P4D 0
    [ +0.002501] Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI
    [ +0.005034] CPU: 10 PID: 9229 Comm: amd_basic Tainted: G B W L 6.7.0+ #4
    [ +0.007797] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020
    [ +0.009798] RIP: 0010:drm_sched_entity_init+0x2d3/0x420 [gpu_sched]
    [ +0.006426] Code: 80 00 00 00 00 00 00 00 e8 1a 81 82 e0 49 89 9c 24 c0 00 00 00 4c 89 ef e8 4a 80 82 e0 49 8b 5d 00 48 8d 7b 28 e8 3d 80 82 e0 <48> 83 7b 28 00 0f 84 28 01 00 00 4d 8d ac 24 98 00 00 00 49 8d 5c
    [ +0.019094] RSP: 0018:ffffc90014c1fa40 EFLAGS: 00010282
    [ +0.005237] RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffffffff8113f3fa
    [ +0.007326] RDX: fffffbfff0a7889d RSI: 0000000000000008 RDI: ffffffff853c44e0
    [ +0.007264] RBP: ffffc90014c1fa80 R08: 0000000000000001 R09: fffffbfff0a7889c
    [ +0.007266] R10: ffffffff853c44e7 R11: 0000000000000001 R12: ffff8881a719b010
    [ +0.007263] R13: ffff88810d412748 R14: 0000000000000002 R15: 0000000000000000
    [ +0.007264] FS:  00007ffff7045540(0000) GS:ffff8883cc900000(0000) knlGS:0000000000000000
    [ +0.008236] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ +0.005851] CR2: 0000000000000028 CR3: 000000011912e000 CR4: 0000000000350ef0
    [ +0.007175] Call Trace:
    [ +0.002561]  <TASK>
    [ +0.002141]  ? show_regs+0x6a/0x80
    [ +0.003473]  ? __die+0x25/0x70
    [ +0.003124]  ? page_fault_oops+0x214/0x720
    [ +0.004179]  ? preempt_count_sub+0x18/0xc0
    [ +0.004093]  ? __pfx_page_fault_oops+0x10/0x10
    [ +0.004590]  ? srso_return_thunk+0x5/0x5f
    [ +0.004000]  ? vprintk_default+0x1d/0x30
    [ +0.004063]  ? srso_return_thunk+0x5/0x5f
    [ +0.004087]  ? vprintk+0x5c/0x90
    [ +0.003296]  ? drm_sched_entity_init+0x2d3/0x420 [gpu_sched]
    [ +0.005807]  ? srso_return_thunk+0x5/0x5f
    [ +0.004090]  ? _printk+0xb3/0xe0
    [ +0.003293]  ? __pfx__printk+0x10/0x10
    [ +0.003735]  ? asm_sysvec_apic_timer_interrupt+0x1b/0x20
    [ +0.005482]  ? do_user_addr_fault+0x345/0x770
    [ +0.004361]  ? exc_page_fault+0x64/0xf0
    [ +0.003972]  ? asm_exc_page_fault+0x27/0x30
    [ +0.004271]  ? add_taint+0x2a/0xa0
    [ +0.003476]  ? drm_sched_entity_init+0x2d3/0x420 [gpu_sched]
    [ +0.005812]  amdgpu_ctx_get_entity+0x3f9/0x770 [amdgpu]
    [ +0.009530]  ? finish_task_switch.isra.0+0x129/0x470
    [ +0.005068]  ? __pfx_amdgpu_ctx_get_entity+0x10/0x10 [amdgpu]
    [ +0.010063]  ? __kasan_check_write+0x14/0x20
    [ +0.004356]  ? srso_return_thunk+0x5/0x5f
    [ +0.004001]  ? mutex_unlock+0x81/0xd0
    [ +0.003802]  ? srso_return_thunk+0x5/0x5f
    [ +0.004096]  amdgpu_cs_wait_ioctl+0xf6/0x270 [amdgpu]
    [ +0.009355]  ? __pfx_ ---truncated---
AI Analysis
Technical Summary
CVE-2024-26657 is a vulnerability in the Linux kernel's AMDGPU Direct Rendering Manager (DRM) driver, specifically within the GPU scheduler component (gpu_sched). The flaw is a NULL pointer dereference in drm_sched_entity_init, reached when the AMDGPU_WAIT_CS ioctl is issued on a valid context without any previously submitted job. It stems from a logic change introduced by commit 1decbf6bb0b4dc56c9da6c5e57b994ebfc2be3aa, which allowed the scheduler run queue pointer (sched_rq) to be NULL. With no job submitted, the AMDGPU_WAIT_CS path proceeds and returns success where an error would be expected, and the entity initialisation dereferences the NULL run queue, producing a kernel crash (kernel oops). This can cause a denial of service (DoS) by crashing the kernel and potentially destabilizing the system. The issue affects Linux kernel versions containing the vulnerable commit on systems with AMD GPUs driven by the AMDGPU DRM driver. Exploitation requires the ability to invoke the AMDGPU_WAIT_CS ioctl, which typically requires local access and the ability to create a valid GPU context. The vulnerability was responsibly disclosed by Joonkyo Jung and has been fixed in recent kernel updates. The kernel oops log quoted above shows the crash details, including the call stack (amdgpu_cs_wait_ioctl -> amdgpu_ctx_get_entity -> drm_sched_entity_init) and register state, confirming the NULL pointer dereference in drm_sched_entity_init. No known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels with the affected AMDGPU DRM driver, especially those utilizing AMD GPUs. The impact is mainly denial of service through kernel crashes, which can disrupt critical services, cause system downtime, and potentially lead to data loss if systems are not properly hardened or if kernel crashes occur during critical operations. Organizations relying on Linux servers for infrastructure, cloud services, or workstations with AMD GPUs could experience operational interruptions. While remote exploitation is unlikely due to the need for local ioctl invocation and valid context, insider threats or compromised local accounts could leverage this vulnerability to cause system instability. The disruption could affect sectors such as finance, manufacturing, research, and public services that depend on Linux-based AMD GPU accelerated workloads. Additionally, the vulnerability could be exploited in multi-tenant environments or virtualized setups where AMD GPU passthrough is used, increasing the attack surface. The lack of known exploits reduces immediate risk, but the presence of a kernel-level DoS vulnerability necessitates prompt mitigation to maintain system availability and reliability.
Mitigation Recommendations
1. Apply the latest Linux kernel updates that include the patch fixing CVE-2024-26657 as soon as they become available. Regularly monitor vendor advisories and Linux kernel mailing lists for updates.
2. Restrict access to the AMDGPU DRM driver ioctls by enforcing strict user permissions and limiting access to trusted users only. Use Linux security modules (e.g., SELinux, AppArmor) to confine processes that require GPU access.
3. In environments where AMD GPU usage is not critical, consider disabling the AMDGPU driver or blacklisting the module to eliminate the attack vector.
4. Implement system monitoring to detect abnormal kernel oops or crashes related to GPU operations, enabling rapid incident response.
5. For multi-tenant or virtualized environments, isolate GPU resources carefully and audit guest access to prevent unauthorized ioctl calls.
6. Conduct security audits and penetration testing focusing on local privilege escalation and DoS vectors involving GPU drivers.
7. Educate system administrators and security teams about this vulnerability to ensure awareness and timely patch management.
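As an added detection example for recommendation 4 (written here, not code from the advisory or from the kernel project), the following Python groups dmesg output into oops blocks and flags the signature shown on this page: a NULL dereference faulting in drm_sched_entity_init with amdgpu_cs_wait_ioctl on the call trace. The sample log lines are constructed from the trace quoted above; the second oops, its function name and the module name fakemod are made up to show that unrelated NULL dereferences are filtered out.

```python
import re

# Constructed sample dmesg excerpt (not from the page): first oops copies the
# advisory's trace lines; second, in made-up module "fakemod", must be ignored.
SAMPLE_DMESG = """\
[ +0.000007] BUG: kernel NULL pointer dereference, address: 0000000000000028
[ +0.005034] CPU: 10 PID: 9229 Comm: amd_basic Tainted: G B W L 6.7.0+ #4
[ +0.009798] RIP: 0010:drm_sched_entity_init+0x2d3/0x420 [gpu_sched]
[ +0.003476] ? drm_sched_entity_init+0x2d3/0x420 [gpu_sched]
[ +0.005812] amdgpu_ctx_get_entity+0x3f9/0x770 [amdgpu]
[ +0.004096] amdgpu_cs_wait_ioctl+0xf6/0x270 [amdgpu]
[ +0.001000] ---[ end trace 0000000000000000 ]---
[ +0.000007] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ +0.009798] RIP: 0010:fake_fn+0x10/0x20 [fakemod]
[ +0.001000] ---[ end trace 0000000000000000 ]---
"""

OOPS_START = re.compile(r"BUG: kernel NULL pointer dereference")
OOPS_END = re.compile(r"---\[ end trace")
PID_RE = re.compile(r"PID: (\d+) Comm: (\S+)")
# Matches "RIP: 0010:func+0x../0x.. [mod]" and trace frames "? func+0x../0x.. [mod]".
SYM_RE = re.compile(r"(?:RIP: \S+:|\]\s+\??\s*)(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+ \[(\w+)\]")
GPU_MODULES = {"gpu_sched", "amdgpu"}

def find_gpu_oops(lines):
    """Group dmesg lines into oops blocks; keep those faulting in, or called through, GPU modules."""
    findings, cur = [], None
    for line in lines:
        if OOPS_START.search(line):
            cur = {"pid": None, "comm": None, "rip": None, "frames": []}
            findings.append(cur)
        elif cur is None or OOPS_END.search(line):
            cur = None  # outside any oops block, or the block just ended
        else:
            m = PID_RE.search(line)
            if m:
                cur["pid"], cur["comm"] = int(m.group(1)), m.group(2)
            m = SYM_RE.search(line)
            if m and m.group(2) in GPU_MODULES:
                if "RIP:" in line:
                    cur["rip"] = m.group(1)        # faulting symbol
                else:
                    cur["frames"].append(m.group(1))  # call-trace frame
    return [f for f in findings if f["rip"] or f["frames"]]

def matches_cve_2024_26657(f):
    """Advisory signature: fault in drm_sched_entity_init reached from amdgpu_cs_wait_ioctl."""
    return f["rip"] == "drm_sched_entity_init" and "amdgpu_cs_wait_ioctl" in f["frames"]
```

Frames prefixed with "?" are stale-stack guesses, so the match relies on the unprefixed amdgpu_cs_wait_ioctl frame rather than on any "?" entry.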
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.145Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d982bc4522896dcbe42b7
Added to database: 5/21/2025, 9:08:59 AM
Last enriched: 6/29/2025, 9:41:46 PM
Last updated: 8/11/2025, 6:12:29 PM