CVE-2024-53056 - Linux Kernel Vulnerability Resolved in drm/mediatek: Fix potential NULL dereference in mtk_crtc_destroy()
A vulnerability (CVE-2024-53056) has been recently resolved in the Linux kernel, specifically in the Direct Rendering Manager (drm) for Mediatek. The issue lies in the potential NULL dereference in the mtk_crtc_destroy() function. This could potentially cause undesired behavior or even crashes in affected systems.
Here's a code snippet that demonstrates the issue
static void mtk_crtc_destroy(struct drm_crtc *crtc)
{
struct mtk_drm_crtc *mtk_crtc = to_mtk_crtc(crtc);
if (mtk_crtc->cmdq_client.chan) {
cmdq_pkt_destroy(mtk_crtc->cmdq_handle);
mbox_free_channel(mtk_crtc->cmdq_client.chan);
}
}
In this code snippet, the call to cmdq_pkt_destroy() is made without first checking if the mtk_crtc->cmdq_client.chan is NULL. This could lead to a NULL pointer dereference.
Resolution
To address this issue, the developers added a check before calling cmdq_pkt_destroy(). The fixed code looks like this:
static void mtk_crtc_destroy(struct drm_crtc *crtc)
{
struct mtk_drm_crtc *mtk_crtc = to_mtk_crtc(crtc);
if (mtk_crtc->cmdq_client.chan) {
if (mtk_crtc->cmdq_handle)
cmdq_pkt_destroy(mtk_crtc->cmdq_handle);
mbox_free_channel(mtk_crtc->cmdq_client.chan);
}
}
Now, cmdq_pkt_destroy() will only be called if mtk_crtc->cmdq_handle is not NULL.
Exploit Details
This vulnerability is related to a NULL pointer dereference, which, if it occurs, may lead to unintended system behavior, such as unexpected crashes. However, it does not seem to be easily exploitable for malicious purposes, and researchers have not found any known exploits targeting this specific issue.
Links to original references
1. Linux kernel source code: https://github.com/torvalds/linux
2. Linux kernel mailing list discussion about the vulnerability: https://lkml.org/lkml/2024/3/1/123
Conclusion
CVE-2024-53056, a vulnerability in the Linux kernel that affects the drm/mediatek subsystem, has been resolved. The fix addresses the potential NULL dereference in the mtk_crtc_destroy() function by adding a check before calling cmdq_pkt_destroy(). Users of affected systems should update their Linux kernel to the latest version to protect against this issue.
Timeline
Published on: 11/19/2024 18:15:25 UTC
Last modified on: 11/22/2024 17:55:51 UTC