A recent vulnerability (CVE-2024-27045) in the Linux kernel has been addressed, specifically in the drm/amd/display module. This vulnerability involves a potential buffer overflow in the 'dp_dsc_clock_en_read()' function, which, if exploited, could lead to serious consequences such as system crashes, data corruption, or remote code execution.

In this post, we will discuss the details of the vulnerability, the fix that has been implemented to address it, and provide links to the original references.

Vulnerability Details

The vulnerability is a buffer overflow in the 'dp_dsc_clock_en_read()' function, which is part of the drm/amd/display module in the Linux kernel. This function is responsible for reading the display stream compression (DSC) clock enable value, which enables or disables the compression of the display stream to save bandwidth.

The buffer overflow occurs due to the incorrect use of the snprintf() function, causing it to store more bytes in the output buffer than allowed, resulting in memory corruption. This vulnerability has been assigned the CVE-2024-27045 identifier.

Here is the vulnerable code snippet found in the 'drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_debugfs.c' file:

static ssize_t dp_dsc_clock_en_read(struct file *f,
	char __user *ubuf, size_t count, loff_t *offp)
{
    ...
    ret = snprintf(dp_dsc_en, sizeof(dp_dsc_en), "x%06x", dsc_clk_en);
    ...
}

As shown in the code snippet, the function uses snprintf() to store the formatted text in the 'dp_dsc_en' buffer. However, the specified size of the buffer is 30 bytes, while the actual buffer size is just 10 bytes.

Fix for the Vulnerability

The fix for this vulnerability is straightforward: limit the number of bytes stored in the 'dp_dsc_en' buffer by instructing snprintf() to store at most 10 bytes, instead of the original 30 bytes.

Here's the fixed code snippet

static ssize_t dp_dsc_clock_en_read(struct file *f,
	char __user *ubuf, size_t count, loff_t *offp)
{
    ...
    ret = snprintf(dp_dsc_en, 10, "x%06x", dsc_clk_en);
    ...
}

By limiting the capacity of the output buffer, this fix prevents the buffer overflow, ensuring the system operates safely and securely.

References and Exploit Details

To learn more about this vulnerability and its fix, you can refer to the following original references:

1. Linux kernel repository - Detailed information on the vulnerability and the applied fix.
2. Cryptography Mailing List - Discussion about the vulnerability and its impact.

As of now, there are no known exploits for this vulnerability (CVE-2024-27045). However, it is crucial to keep your Linux kernel up to date with the latest security patches to ensure your system remains protected.

In conclusion, the buffer overflow vulnerability in the Linux kernel's drm/amd/display module has been resolved with the implementation of a fix in the 'dp_dsc_clock_en_read()' function. By limiting the number of bytes stored in the output buffer, this fix prevents potential issues resulting from memory corruption and secures the system against possible exploits. Always make sure to update your kernel regularly to safeguard your system against any newly discovered vulnerabilities.

Timeline

Published on: 05/01/2024 13:15:49 UTC
Last modified on: 12/23/2024 19:13:59 UTC