In the Linux kernel, a vulnerability has been discovered and resolved to prevent kernel null pointer dereference in the Direct Rendering Manager (drm) of the i915 driver for Intel Graphics. The fix consists of adding an encoder check in the intel_hdcp_get_capability function to ensure that the encoder is always initialized during hotplug scenarios or suspend/resume scenarios. This vulnerability has been addressed with the Common Vulnerabilities and Exposures (CVE) ID CVE-2024-53051.

Background

The i915 driver in the Linux kernel is responsible for managing Intel Graphics hardware. One of its important procedures is the intel_hdcp_get_capability function, which checks the High-bandwidth Digital Content Protection (HDCP) capability of the connected device during hotplug scenarios or suspend/resume scenarios. HDCP is a security feature that protects high-definition digital content (like movies, TV shows, etc.) by encrypting the data transmitted between the source device and the receiving device.

The Vulnerability

During these scenarios, the encoder for the connected device may not always be initialized, which can lead to kernel null pointer dereference, a potentially serious issue that can cause the kernel to crash. To avoid this problem, the developers have added an encoder check in the intel_hdcp_get_capability function to ensure that the encoder is always initialized before proceeding further.

The code snippet below shows the changes made to the intel_hdcp_get_capability function in the Linux kernel:

static int intel_hdcp_get_capability(struct intel_connector *connector,
        uint64_t *receiver_caps, bool *repeater)
{
    struct drm_i915_private *dev_priv = to_i915(connector->base.dev);
    struct drm_device *dev = connector->base.dev;
    struct drm_connector_state *conn_state;
    struct drm_dp_aux *aux;
    struct intel_digital_port *dig_port;
    struct intel_encoder *encoder;
    int ret;

    conn_state = connector->base.state;

    if (!conn_state)
        return -ENODEV;

    encoder = intel_attached_encoder(conn_state->best_encoder);
    if (!encoder)
        return -ENODEV;

    aux = intel_hdcp_get_aux(connector, &dig_port);
    if (!aux)
        return -ENOENT;

    if (!dev_priv->display.hdcp_handshake)
        return -ENOENT;

  *repeater = false;

    if (IS_TGL_DISPLAY_D(dev_priv) &&
        (conn_state->connector->connector_type ==
        DRM_MODE_CONNECTOR_DP))
        ret = tgl_hdcp_caps(conn_state, dig_port, aux);
    else
        ret = dev_priv->display.hdcp_handshake(aux);

    if (ret < )
        return ret;

    *receiver_caps = ret & xF;

    if (ret & (1 << 1))
        *repeater = true;

    return ;
}

The lines if (!encoder) return -ENODEV; have been added to check and ensure that the encoder is initialized before the function proceeds further.

Original References

1. Kernel.org Git Repository
2. DRM Developer Mailing List
3. Intel Graphics for Linux FAQ

Conclusion

The fix for CVE-2024-53051 in the Linux kernel ensures that the encoder is always properly initialized during hotplug scenarios or suspend/resume scenarios to avoid kernel null pointer dereference. This provides increased stability and reduces the risk of potential kernel crashes and errors. Implementing this patch should be considered essential for running a secure and stable Linux system with Intel Graphics hardware.

Timeline

Published on: 11/19/2024 18:15:25 UTC
Last modified on: 11/20/2024 16:16:15 UTC