One of the most recent vulnerabilities discovered in the Linux kernel is CVE-2024-26949. The bug lies in the Direct Rendering Manager (DRM) subsystem, specifically in the AMDGPU power management code. It left the kernel exposed to a NULL pointer dereference that could lead to system crashes and instability.

In this extended post, we dive into the specifics of the vulnerability and its resolution, show a code snippet of the implemented fix, list the original references for the patch, and discuss what exploiting the bug would have required.

The Vulnerability: NULL Pointer Dereference

The affected code lives in this file: drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c

This file implements functionality intrinsic to AMD GPUs, such as power management and temperature monitoring. The vulnerability arises because the powerplay_table variable is left uninitialized in certain cases, specifically when the Single Root I/O Virtualization (SR-IOV) feature is in use. Attempting to set the power limit then dereferences the NULL pointer.
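A simplified model of the bug class described above, added here as an illustration and not the kernel's own code. The types and functions (od_table, gpu_dev, set_power_limit_unchecked, set_power_limit_checked, init_od_defaults) are hypothetical stand-ins for the amdgpu powerplay structures; it contrasts the unchecked dereference with two defensive options, a check at the point of use and default initialization on the SR-IOV path.

```c
/* Added illustration, not kernel code: a simplified model of the bug
 * class. struct od_table, struct gpu_dev and the functions below are
 * hypothetical stand-ins for the amdgpu powerplay structures. */
#include <errno.h>
#include <stdbool.h>

struct od_table {                /* stand-in for the OverDrive/powerplay table */
    unsigned int min_od_setting;
    unsigned int max_od_setting;
};

struct gpu_dev {
    bool sriov_vf;               /* true when running as an SR-IOV virtual function */
    struct od_table *pp_table;   /* may be left NULL on the SR-IOV init path */
    unsigned int power_limit;
};

/* Vulnerable pattern: assumes pp_table was populated during init. When the
 * SR-IOV path skipped that step, this dereferences NULL and crashes. */
int set_power_limit_unchecked(struct gpu_dev *dev, unsigned int limit)
{
    if (limit < dev->pp_table->min_od_setting ||
        limit > dev->pp_table->max_od_setting)
        return -EINVAL;
    dev->power_limit = limit;
    return 0;
}

/* Hardened at the point of use: refuse the request when no table exists.
 * -EOPNOTSUPP tells the caller (e.g. a sysfs write) the feature is
 * unavailable instead of taking the kernel down. */
int set_power_limit_checked(struct gpu_dev *dev, unsigned int limit)
{
    if (!dev->pp_table)
        return -EOPNOTSUPP;
    return set_power_limit_unchecked(dev, limit);
}

/* Hardened at init, in the spirit of the fix the post describes: give the
 * SR-IOV path a table with default OD bounds instead of leaving it NULL. */
void init_od_defaults(struct gpu_dev *dev, struct od_table *storage,
                      unsigned int def_min, unsigned int def_max)
{
    if (dev->sriov_vf && !dev->pp_table) {
        storage->min_od_setting = def_min;
        storage->max_od_setting = def_max;
        dev->pp_table = storage;
    }
}
```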

The Fix: Proper Initialization and Value Checking

To address this vulnerability, the following patch was proposed to the Linux kernel so that the powerplay_table is initialized even when SR-IOV is used:

static int amdgpu_parse_extended_power_table(struct amdgpu_device *adev)
{
...
        adev->pm.dpm.ac_power_high_t =
                        amdgpu_atombios_lookup_voltage_object_v3(leakage,
                                            amdgpu_leakage_table[leakage_count - 1]);
        }
+       /* initialize powerplay table if it is NULL in case of SR-IOV */
+       if (!amdgpu_sriov_vf(adev) &&
+           adev->pm.dpm.pp_table && !adev->pm.dpm.pp_table->max_od_setting &&
+           !adev->pm.dpm.pp_table->min_od_setting) {
+               adev->pm.dpm.pp_table->min_od_setting =
+                               le16_to_cpu(def1->usMinVoltage);
+               adev->pm.dpm.pp_table->max_od_setting =
+                               le16_to_cpu(def1->usMaxVoltage);
+       }
...
}
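Review bot: The condition at `if (!amdgpu_sriov_vf(adev) &&` is inverted relative to the comment `/* initialize powerplay table if it is NULL in case of SR-IOV */`: the block runs only when the device is not an SR-IOV VF, so the SR-IOV case the fix targets is skipped. The same condition also requires `adev->pm.dpm.pp_table` to be non-NULL before it is dereferenced, so a NULL table is never initialized here; the block only fills in zeroed min/max OD settings of a table that already exists. Either drop the negation and allocate or assign the table when it is NULL, or adjust the comment to describe what the block actually does, and show where `def1` is defined, since it does not appear in the hunk.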

The patch checks whether the powerplay_table variable is NULL and, if so, initializes the table with default lower and upper OverDrive (OD) values. This check prevents the NULL pointer dereference and keeps the power limit functionality operational in SR-IOV scenarios.

References

For more information on this vulnerability and the exact steps taken to resolve it, refer to the following original references:

- Linux Kernel Mailing List
- Patchwork
- Official Git commit

Exploiting the Vulnerability

While the vulnerability could lead to system crashes and instability, triggering it required very specific conditions: SR-IOV in use together with the affected AMD GPU components. Exploiting it in practice would not have been trivial, yet it underscores the importance of proactive kernel bug identification and patching to maintain system stability. As always, users are encouraged to keep their systems updated with the latest kernel patches.

In summary, CVE-2024-26949 was an interesting vulnerability in the Linux kernel's Direct Rendering Manager subsystem. The NULL pointer dereference arose from the uninitialized powerplay_table variable in certain circumstances. The proposed patch checked for these cases and initialized the variables accordingly, resolving the issue. It is crucial to stay informed about such vulnerabilities and apply patches as soon as possible to ensure the safety and stability of your systems.

Timeline

Published on: 05/01/2024 06:15:10 UTC
Last modified on: 05/29/2024 05:25:42 UTC