A vulnerability has been identified and resolved in the Linux kernel, specifically in the drm/amd/display subsystem. The issue involves potential NULL pointer dereferences in the 'dcn10_set_output_transfer_func()' function. This post will provide an overview of the vulnerability, details about the code, references to the original sources, and information regarding the exploit and resolution of the issue.
Vulnerability Description
In the Linux kernel, the 'stream' pointer is used in the 'dcn10_set_output_transfer_func()' function before checking if the 'stream' pointer is NULL. This can potentially lead to NULL pointer dereferences which may crash the system or cause other disruptions.
The following is the snippet of the code with the issue:
static void dcn10_set_output_transfer_func(struct pipe_ctx *pipe_ctx)
{
	...
	struct dcn10_hw_seq *hws = hwseq;
	struct drr_params params = {};
	struct drr_params *sclk_drr_params = &params;
	struct dcn10_pipe_ctx *pipe_ctx_old = &hws->request_state.pipe_ctx[pipe_ctx->stream_res.tg->inst];
	...
	if (stream)
		dcn10_set_time_sync(pipe_ctx);
}
This code is part of the Linux kernel source tree, specifically in the driver code for AMD GPUs: drivers/gpu/drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c
Original References
The original commit that fixes this issue can be found here:
Linux Kernel Commit
The associated mailing list discussion can be found here.
Exploit Details
The vulnerability can be triggered if the 'dcn10_set_output_transfer_func()' function is reached with a NULL 'stream' pointer. This may result in a crash or other consequences, including potential information leakage or privilege escalation, depending on the attacker's knowledge and capabilities.
Resolution
The fix for this vulnerability involves ensuring that the 'stream' pointer is checked before it is used in the 'dcn10_set_output_transfer_func()' function. This ensures that NULL pointer dereferences do not occur and mitigates the possibility of system crashes or other disruptions.
static void dcn10_set_output_transfer_func(struct pipe_ctx *pipe_ctx)
{
	...
	struct dcn10_hw_seq *hws = hwseq;
	struct drr_params params = {};
	struct drr_params *sclk_drr_params = &params;
	struct dcn10_pipe_ctx *pipe_ctx_old = &hws->request_state.pipe_ctx[pipe_ctx->stream_res.tg->inst];
	// Added NULL check for stream pointer
	if (!stream)
		return;
	dcn10_set_time_sync(pipe_ctx);
}
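The use-before-check pattern and its fix, as an added user-space illustration that is not the kernel's own code: the struct names are constructed stand-ins for the drm/amd/display types, and the two functions are hypothetical simplifications of the before/after shape described above.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed stand-ins for the kernel types (not the real drm/amd/display
 * structs), so the use-before-check pattern can be exercised in user space. */
struct dc_stream_state { int gamut_remap[3]; };  /* per-stream colour state */
struct dpp             { int programmed[3]; };   /* what the block last got */
struct pipe_ctx        { struct dpp *dpp; };     /* NULL if pipe has no DPP */

/* Pattern before the fix: 'stream' is dereferenced on its first use, so the
 * NULL check that follows cannot protect the caller; an optimizing compiler
 * may even drop the '!stream' test because the pointer was already used. */
bool set_output_transfer_func_unchecked(struct pipe_ctx *pipe_ctx,
                                        const struct dc_stream_state *stream)
{
    int first = stream->gamut_remap[0];      /* faults here if stream == NULL */
    struct dpp *dpp = pipe_ctx->dpp;
    if (!stream || !dpp)                     /* the check exists, but too late */
        return false;
    dpp->programmed[0] = first;              /* program the block (first coeff) */
    return true;
}

/* Pattern after the fix: validate every pointer before the first dereference. */
bool set_output_transfer_func_fixed(struct pipe_ctx *pipe_ctx,
                                    const struct dc_stream_state *stream)
{
    struct dpp *dpp = pipe_ctx->dpp;
    if (!stream || !dpp)
        return false;
    memcpy(dpp->programmed, stream->gamut_remap, sizeof(dpp->programmed));
    return true;
}

/* Argument-free drivers: the fixed version rejects a NULL stream (returns 0)
 * and programs a valid one (returns the sum of the three coefficients, 6). */
int demo_fixed_null_stream(void)
{
    struct dpp dpp = { {0, 0, 0} }; struct pipe_ctx pipe = { &dpp };
    return set_output_transfer_func_fixed(&pipe, NULL) ? 1 : 0;
}

int demo_fixed_valid_stream(void)
{
    struct dc_stream_state stream = { {1, 2, 3} };
    struct dpp dpp = { {0, 0, 0} }; struct pipe_ctx pipe = { &dpp };
    return set_output_transfer_func_fixed(&pipe, &stream)
         ? dpp.programmed[0] + dpp.programmed[1] + dpp.programmed[2] : -1;
}
```

Only the fixed variant is safe to call with a NULL stream; the unchecked variant is kept to show where the fault would occur.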
Conclusion
The vulnerability (CVE-2024-27044) in the Linux kernel's drm/amd/display subsystem has been resolved by introducing a check for the 'stream' pointer before it is used inside the 'dcn10_set_output_transfer_func()' function. This mitigates the risks associated with NULL pointer dereferences and helps ensure the stability and security of the system.
Timeline
Published on: 05/01/2024 13:15:49 UTC
Last modified on: 12/23/2024 14:12:17 UTC