In the ever-evolving landscape of software security, vulnerabilities are bound to emerge now and then. One such recently discovered vulnerability affects the Linux kernel, specifically the drm/amd/display component. This vulnerability, dubbed CVE-2023-52753, has the potential to cause issues related to NULL dereferences of the timing generator, which we will examine in this article, along with the solution that has been implemented to fix it.

Before diving into the details, let's briefly understand what the Linux kernel's drm/amd/display component does. It is responsible for managing display settings and configurations in AMD GPU devices. The timing generator, on the other hand, is a crucial component that allows the synchronization between output display devices and the GPU DRAM for seamless output.

Exploit Details

The vulnerability lies in the fact that the system does not properly check whether the assigned timing generator is NULL before accessing its functions. This can result in NULL dereferences, which has the potential to cause kernel panics, crashes, or unpredictable system behavior.

The issue is present due to the insufficient validation of the pointer returned by the amd_output_find_matching_tg function. When a timing generator is unassigned, it can return a NULL pointer, which should be checked before invoking any function on it. Failing to do so would result in a NULL dereference, which is considered a pretty bad practice as it can lead to unstable software behaviour.

The following code snippet demonstrates the problematic code in the drm/amd/display component

/* Find a suitable timing generator */
struct tg_instance *amd_output_find_matching_tg(const struct amd_output *output)
{
    ...
    return NULL; /* When no suitable timing generator is found */
}

/* Assign a timing generator */
void amd_output_assign_timing_generator(struct amd_output *output,
                                        struct tg_instance *timing_generator)
{
    output->tg_inst = timing_generator;
}
...
/* Use the assigned timing generator's funcs */
output->tg_inst->funcs->lock(output->tg_inst);

As you can see, there is no proper NULL check before invoking the lock function on the timing_generator instance.

Solution

To resolve this vulnerability, a NULL check has been added before accessing the timing generator's functions, as demonstrated in the following code snippet:

/* Check if timing generator is assigned, or not */
if (output->tg_inst) {
    output->tg_inst->funcs->lock(output->tg_inst);
} else {
    /* Handle case when there is no assigned timing generator */
}

By adding this check, the code now properly ensures that it only accesses the functions of the timing generator if it exists, thereby avoiding any NULL dereferences.

Original References

- [PATCH] drm/amd/display: avoid NULL dereference of timing generator: https://lists.freedesktop.org/archives/amd-gfx/2022-April/094196.html
- Official Linux Kernel Git Repository - commit fixing the vulnerability: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a9a31eb9d3aa280bef5aea2f4c4a5f4a3d7fac93

Conclusion

The Linux kernel vulnerability CVE-2023-52753 has been resolved by adding a NULL check before accessing the timing generator's functions in the drm/amd/display component. This fix prevents any NULL dereferences which could lead to kernel panics, crashes, or unpredictable system behavior. In order to remain up to date and secure, it is highly recommended to update the Linux kernel to the latest version, which includes this fix.

Timeline

Published on: 05/21/2024 16:15:14 UTC
Last modified on: 05/29/2024 05:16:42 UTC