The Linux kernel is known for its robustness and reliability. However, even the Linux kernel is not immune to vulnerabilities, and the security team behind it continuously addresses these issues. One such vulnerability, in the drm/amd/display module, has been resolved recently. In this post, we'll look at the issue in detail and discuss the solution that has been implemented to address the problem.

The Vulnerability

The vulnerability is a NULL pointer dereference in the Direct Timing Normal (DTN) log functionality of the Display Core Next 4.01 (DCN401) within the drm/amd/display module. It is triggered when a user reads the DTN log with the following command:

cat /sys/kernel/debug/dri//amdgpu_dm_dtn_log

The kernel then hits a NULL pointer dereference, as shown in the following log snippet:

[  +0.000003] BUG: kernel NULL pointer dereference, address: NULL
...
[  +0.000012]  dcn10_log_color_state+0xf9/0x510 [amdgpu]
...
[  +0.000004]  dtn_log_read+0x82/0x120 [amdgpu]
...

The cause is that the color log function attempts to read the gamut remap information from DCN401. However, the callback that provides this information is not initialized in dcn401_dpp_funcs, so the read goes through a NULL function pointer and the kernel dereferences NULL.

The Solution

The vulnerability has been addressed through a commit in the Linux kernel source code. The solution adds a guard before the gamut_remap callback function is used, ensuring that the code does not attempt to call through the uninitialized pointer. The following is the implemented code change (original reference):

if (pipe_ctx->plane_res.xfm->funcs->get_gamut_remap_func)
    crtc_state->funcs->log_color_info(&crtc_state->state, GLM_RAMA);

With this fix, the gamut_remap callback is accessed only when the specific ASIC implements it. On an ASIC that did not implement this function, the access is skipped, which eliminates the NULL pointer dereference.
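
The guard pattern described above can be tried in user space. The following is an added example, not code from the kernel or from the original post: the structure and function names (dpp_funcs, get_gamut_remap, log_color_state_guarded and so on) are hypothetical, simplified stand-ins for a per-ASIC callback table in which one table leaves the optional hook unset, shown with the unguarded caller beside the guarded one.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical, simplified stand-ins for a per-ASIC callback table (not kernel code). */
struct gamut_remap { int matrix[3]; };
struct dpp;
struct dpp_funcs {
    /* Optional hook: an ASIC's table may leave it NULL. */
    void (*get_gamut_remap)(struct dpp *dpp, struct gamut_remap *out);
};
struct dpp { const struct dpp_funcs *funcs; int id; };

static void demo_get_gamut_remap(struct dpp *dpp, struct gamut_remap *out)
{
    for (int i = 0; i < 3; i++)
        out->matrix[i] = dpp->id * 10 + i; /* constructed sample values */
}

/* One table implements the hook; the other, like dcn401_dpp_funcs on the page, does not. */
static const struct dpp_funcs full_funcs = { .get_gamut_remap = demo_get_gamut_remap };
static const struct dpp_funcs sparse_funcs = { .get_gamut_remap = NULL };

/* Before: unconditional call; with sparse_funcs this is a call through NULL. */
int log_color_state_unguarded(struct dpp *dpp, struct gamut_remap *out)
{
    dpp->funcs->get_gamut_remap(dpp, out);
    return 1;
}

/* After: returns 1 if the remap was read, 0 if the hook is absent (*out untouched). */
int log_color_state_guarded(struct dpp *dpp, struct gamut_remap *out)
{
    if (!dpp || !dpp->funcs || !dpp->funcs->get_gamut_remap)
        return 0;
    dpp->funcs->get_gamut_remap(dpp, out);
    return 1;
}

int main(void)
{
    struct dpp with_hook = { &full_funcs, 1 }, without_hook = { &sparse_funcs, 2 };
    struct gamut_remap g = { { 0, 0, 0 } };
    int read_full = log_color_state_guarded(&with_hook, &g);
    printf("hook present: read=%d matrix[0]=%d\n", read_full, g.matrix[0]);
    int read_sparse = log_color_state_guarded(&without_hook, &g);
    printf("hook absent:  read=%d (log entry skipped, no crash)\n", read_sparse);
    return 0;
}
```

The caller has to treat a return of 0 as "no data for this ASIC" and must not print the output buffer in that case, since the guard leaves it unmodified.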

Exploit Details

As mentioned earlier, this vulnerability only comes into play when users try to access the DTN log by running the cat /sys/kernel/debug/dri//amdgpu_dm_dtn_log command. While it is unlikely that an attacker can exploit this vulnerability to gain unauthorized access or escalate privileges, it could potentially crash the system or cause unstable behavior due to the NULL pointer dereference.

It is highly recommended for users to apply the latest kernel updates to ensure the vulnerability is addressed and their Linux systems are secure.

Keep your systems up to date to minimize the risks of such vulnerabilities and stay secure.

Timeline

Published on: 08/26/2024 11:15:04 UTC
Last modified on: 08/27/2024 14:38:44 UTC