A vulnerability (CVE-2024-27044) has been identified and resolved in the Linux kernel, in the drm/amd/display subsystem: potential NULL pointer dereferences in the 'dcn10_set_output_transfer_func()' function. This post gives an overview of the vulnerability, the affected code, references to the original sources, and notes on practical impact and on the resolution.

Vulnerability Description

In 'dcn10_set_output_transfer_func()', the 'stream' pointer is dereferenced before it is checked for NULL; the NULL check that does exist sits further down the function, after fields of 'stream' have already been read. This is the pattern static checkers report as "variable dereferenced before check". A NULL 'stream' therefore produces a NULL pointer dereference in kernel context, i.e. a kernel oops in the display driver that can crash the system.

A reduced sketch of the function as it stood before the fix (the full body lives in the kernel tree; elided parts are marked with ...):

static bool dcn10_set_output_transfer_func(struct dc *dc, struct pipe_ctx *pipe_ctx,
				const struct dc_stream_state *stream)
{
	struct dpp *dpp = pipe_ctx->plane_res.dpp;

	if (dpp == NULL)
		return false;

	dpp->regamma_params.hw_points_num = GAMMA_HW_POINTS_NUM;

	/* 'stream' is dereferenced here without any NULL check ... */
	if (stream->out_transfer_func &&
	    stream->out_transfer_func->type == TF_TYPE_PREDEFINED &&
	    stream->out_transfer_func->tf == TRANSFER_FUNCTION_SRGB)
		dpp->funcs->dpp_program_regamma_pwl(dpp, NULL, OPP_REGAMMA_SRGB);
...
	/* ... and only tested for NULL further down, after the fault has already happened */
	if (stream != NULL && stream->ctx != NULL &&
			stream->out_transfer_func != NULL)
		log_tf(stream->ctx, stream->out_transfer_func,
				dpp->regamma_params.hw_points_num);

	return true;
}

This code is part of the Linux kernel source tree, specifically in the driver code for AMD GPUs: drivers/gpu/drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c

Original References

The original commit that fixes this issue can be found here:
Linux Kernel Commit

The associated mailing list discussion can be found here

Linux Kernel Mailing List

Exploit Details

The bug is triggered whenever 'dcn10_set_output_transfer_func()' is reached for a pipe whose 'stream' pointer is NULL. Because the dereference happens in kernel context, the practical impact is a kernel oops, i.e. a denial of service of the affected machine; reaching the function at all requires access to the DRM device and the ability to drive the display pipeline into that state. Turning a plain NULL pointer dereference into information disclosure or privilege escalation would require further bugs or primitives that are not described here.

Resolution

The fix checks 'stream' for NULL at the top of 'dcn10_set_output_transfer_func()', before any field of it is read, and returns false for a stream-less pipe instead of dereferencing it. This removes the NULL pointer dereference and the resulting kernel oops. In sketch form (elided parts marked with ...):

static bool dcn10_set_output_transfer_func(struct dc *dc, struct pipe_ctx *pipe_ctx,
				const struct dc_stream_state *stream)
{
	struct dpp *dpp = pipe_ctx->plane_res.dpp;

	/* Added NULL check: bail out before 'stream' is touched */
	if (!stream)
		return false;

	if (dpp == NULL)
		return false;

	dpp->regamma_params.hw_points_num = GAMMA_HW_POINTS_NUM;

	if (stream->out_transfer_func &&
	    stream->out_transfer_func->type == TF_TYPE_PREDEFINED &&
	    stream->out_transfer_func->tf == TRANSFER_FUNCTION_SRGB)
		dpp->funcs->dpp_program_regamma_pwl(dpp, NULL, OPP_REGAMMA_SRGB);
...
	return true;
}
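As an added illustration (not kernel code, and not taken from the fix commit), the following userspace C model reproduces the deref-before-check ordering described in the Vulnerability Description and the corrected ordering from the Resolution side by side. The struct and enum names are simplified stand-ins for the drm/amd/display types, the sample transfer functions are constructed for the demo, and the crash is provoked inside a forked child so that the program itself survives and can report what happened.

```c
/* Added example, not kernel code: a userspace model of the deref-before-check
 * ordering. Type and enum names are simplified stand-ins for the
 * drm/amd/display ones (assumptions for this demo, not the real definitions). */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum tf_type { TF_TYPE_BYPASS, TF_TYPE_PREDEFINED, TF_TYPE_DISTRIBUTED_POINTS };
enum transfer_function { TRANSFER_FUNCTION_SRGB, TRANSFER_FUNCTION_BT709 };
enum regamma_mode { OPP_REGAMMA_BYPASS, OPP_REGAMMA_SRGB, OPP_REGAMMA_USER };

struct dc_transfer_func { enum tf_type type; enum transfer_function tf; };
struct dc_stream_state { const struct dc_transfer_func *out_transfer_func; };
struct dpp { enum regamma_mode programmed; };  /* stands in for the hardware block */
struct pipe_ctx { struct dpp *dpp; };

typedef bool (*set_otf_fn)(struct pipe_ctx *, const struct dc_stream_state *);

/* Constructed sample curves used by main() and by the checks. */
const struct dc_transfer_func SAMPLE_SRGB = { TF_TYPE_PREDEFINED, TRANSFER_FUNCTION_SRGB };
const struct dc_transfer_func SAMPLE_USER = { TF_TYPE_DISTRIBUTED_POINTS, TRANSFER_FUNCTION_BT709 };

/* Which regamma block to program for a given output curve (model only). */
static enum regamma_mode pick_mode(const struct dc_transfer_func *otf)
{
	if (!otf)
		return OPP_REGAMMA_BYPASS;
	if (otf->type == TF_TYPE_PREDEFINED && otf->tf == TRANSFER_FUNCTION_SRGB)
		return OPP_REGAMMA_SRGB;
	return OPP_REGAMMA_USER;
}

/* Shape of the bug: 'stream' is read first, the NULL test comes too late. */
__attribute__((noinline))
bool set_output_transfer_func_buggy(struct pipe_ctx *pipe_ctx,
				    const struct dc_stream_state *stream)
{
	struct dpp *dpp = pipe_ctx->dpp;
	const struct dc_transfer_func *otf = stream->out_transfer_func; /* deref before check */

	if (dpp == NULL)
		return false;
	dpp->programmed = pick_mode(otf);

	if (stream != NULL) /* late check: the fault already happened above */
		return true;
	return false;
}

/* Fixed ordering: every pointer is validated before its first use. */
__attribute__((noinline))
bool set_output_transfer_func_fixed(struct pipe_ctx *pipe_ctx,
				    const struct dc_stream_state *stream)
{
	struct dpp *dpp;

	if (!pipe_ctx || !stream)
		return false;
	dpp = pipe_ctx->dpp;
	if (dpp == NULL)
		return false;
	dpp->programmed = pick_mode(stream->out_transfer_func);
	return true;
}

/* Calls fn(&pipe, NULL) in a forked child so a crash cannot kill the demo.
 * Returns 1 if the child died from a signal (the NULL dereference),
 * 0 if fn returned normally, -1 if fork() or waitpid() failed. */
int null_stream_crashes(set_otf_fn fn)
{
	struct dpp dpp = { OPP_REGAMMA_BYPASS };
	struct pipe_ctx pipe = { &dpp };
	/* volatile stops the compiler folding NULL into fn and "optimizing" the UB */
	const struct dc_stream_state *volatile no_stream = NULL;
	int status = 0;
	pid_t pid = fork();

	if (pid < 0)
		return -1;
	if (pid == 0) {
		fn(&pipe, no_stream);
		_exit(0);
	}
	if (waitpid(pid, &status, 0) < 0)
		return -1;
	return WIFSIGNALED(status) ? 1 : 0;
}

/* Normal path: program a valid stream carrying 'otf' and report what was selected. */
enum regamma_mode program_stream(set_otf_fn fn, const struct dc_transfer_func *otf)
{
	struct dc_stream_state stream = { otf };
	struct dpp dpp = { OPP_REGAMMA_BYPASS };
	struct pipe_ctx pipe = { &dpp };

	return fn(&pipe, &stream) ? dpp.programmed : OPP_REGAMMA_BYPASS;
}

int main(void)
{
	printf("buggy, NULL stream: %s\n",
	       null_stream_crashes(set_output_transfer_func_buggy) == 1 ? "child crashed" : "survived");
	printf("fixed, NULL stream: %s\n",
	       null_stream_crashes(set_output_transfer_func_fixed) == 0 ? "returned false, no crash" : "crashed");
	printf("fixed, sRGB stream -> mode %d\n",
	       program_stream(set_output_transfer_func_fixed, &SAMPLE_SRGB));
	return 0;
}
```

Build with `cc -O2 -Wall demo.c` and run it: the buggy variant takes the child down with a fault on the NULL stream, the fixed variant returns false, and both select the same regamma mode for a valid stream, which is the point of the fix: the guard changes nothing on the normal path. One caveat worth knowing: in userspace at -O2 the compiler is entitled to delete the late `if (stream != NULL)` entirely, because the earlier dereference lets it assume the pointer is non-NULL; the Linux kernel builds with -fno-delete-null-pointer-checks so that late check survives, but by the time it runs the oops has already happened, so only moving the check ahead of the first use actually fixes the bug.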

Conclusion

The vulnerability (CVE-2024-27044) in the Linux kernel's drm/amd/display has been resolved by introducing a check for the 'stream' pointer before it is utilized inside 'dcn10_set_output_transfer_func()' function. This mitigates the risks associated with NULL pointer dereferences and ensures the stability and security of the system.

Timeline

Published on: 05/01/2024 13:15:49 UTC
Last modified on: 06/25/2024 22:15:28 UTC