CVE-2024-50174: 
Linux Debian vulnerability analysis and mitigation

CVE-2024-50174 affects the Linux kernel's DRM (Direct Rendering Manager) Panthor driver. The vulnerability was discovered in the group handle to group object conversion process, where a race condition exists between retrieving a pointer from the XArray and incrementing its reference count. This issue affects Linux kernel versions from 6.10 up to (excluding) 6.10.14 and from 6.11 up to (excluding) 6.11.3, as well as version 6.12-rc1 (NVD).

The vulnerability stems from a synchronization issue in the DRM Panthor driver. While XArray provides its own internal lock to protect the array during simultaneous additions and removals, there remained a race condition between retrieving the pointer from the XArray and incrementing the reference count. This could lead to potential race conditions with xa_erase() calls. The issue was introduced in commit de8548813824 'drm/panthor: Add the scheduler logical block'. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.7 (Medium) with vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

The race condition could potentially lead to memory corruption or system instability when handling group objects in the Panthor driver. The CVSS scoring indicates that while the vulnerability requires local access and is complex to exploit, it could result in high availability impact to the system (NVD).

The vulnerability has been patched by holding the internal XArray lock when incrementing the reference count, ensuring there cannot be a racing call to xa_erase(). Users should upgrade to Linux kernel versions 6.10.14, 6.11.3, or later versions that include the fix. The patch has been implemented in commit cac075706f298948898b1f63e81709df42afa75d (Kernel Patch).