A vulnerability, CVE-2024-53129, affecting the Linux kernel has recently been disclosed and resolved. It lies in the drm/rockchip component, specifically the vop module, and exposed affected systems to a potential use-after-free or NULL pointer dereference. This article summarizes the issue, with code snippets and links to the original references.

Vulnerability Details

The vulnerability was found in the 'drivers/gpu/drm/rockchip/rockchip_drm_vop.c' file, specifically within the 'vop_plane_atomic_async_check' function. The issue concerns the 'state' variable, which cannot be NULL at that point, and 'crtc_state', which the function did not check properly before 'state' was dereferenced; the result was a potential use-after-free or NULL pointer dereference.

The following code snippet shows the problematic section of the code:

static int vop_plane_atomic_async_check(struct drm_plane *plane, struct drm_plane_state *state)
{
   struct drm_crtc_state *crtc_state;
   /* ... */

   /* 'state' is dereferenced here, before the NULL check further down */
   crtc_state = drm_atomic_get_crtc_state(state->state, state->crtc);
   /* ... */

   if (IS_ERR(crtc_state))
      return PTR_ERR(crtc_state);

   /* the '!state' test comes too late to protect the dereference above;
      the function returns int, so an explicit error code is required
      (the original snippet had a bare 'return ;'; -EINVAL is assumed here) */
   if (!crtc_state->event || !state)
      return -EINVAL;

   /* ... */
}

As seen in the code above, the 'state' variable is dereferenced (in the drm_atomic_get_crtc_state() call) before it is checked. The static checker reports this as:

drivers/gpu/drm/rockchip/rockchip_drm_vop.c:1096 vop_plane_atomic_async_check() warn: variable dereferenced before check 'state' (see line 1077)

Original References
- Linux Kernel Git Commit
- Linux Kernel Mailing List

Fix

The Linux kernel maintainers quickly resolved this vulnerability by adding a proper check for 'crtc_state' before the 'state' variable is dereferenced. The following change was made:

   crtc_state = drm_atomic_get_crtc_state(state->state, state->crtc);
   ...

   if (IS_ERR(crtc_state))
      return PTR_ERR(crtc_state);

+  if (!state)
+     return ;
+
   if (!crtc_state->event)
      return ;

   ...
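Review bot: the added `if (!state)` check is placed after `state->state` and `state->crtc` have already been read on the unchanged first line of the hunk (`crtc_state = drm_atomic_get_crtc_state(state->state, state->crtc);`), so it does not remove the dereference-before-check that the warning reports; either move the check above that call or, since the surrounding text states that `state` cannot be NULL here, drop it and validate `crtc_state` instead, which is what the prose describes. Also, `return ;` in a function declared `int` (both in the added lines and in the unchanged `if (!crtc_state->event)` branch) will not compile; return an explicit error code.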

By adding this check, the potential for a use-after-free or NULL pointer dereference has been mitigated.
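As an added example (not code from the page or the kernel), here is the ordering problem and its hardened form reduced to self-contained C. The DRM types and the drm_atomic_get_crtc_state() lookup are replaced by constructed stand-ins, and the kernel's ERR_PTR/IS_ERR/PTR_ERR convention is re-implemented so the example also shows why an error pointer is not caught by a plain NULL check.

```c
#include <stddef.h>
#include <stdint.h>
#include <errno.h>

/* Constructed stand-ins for the kernel's ERR_PTR/IS_ERR/PTR_ERR helpers:
 * an "error pointer" encodes -errno in the top MAX_ERRNO addresses, so it
 * is non-NULL and a plain '!ptr' check would miss it. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)(uintptr_t)err; }
static inline int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }
static inline long PTR_ERR(const void *p) { return (long)(intptr_t)p; }

/* Constructed minimal stand-ins for the DRM state objects used on this page. */
struct crtc_state { int event; };
struct plane_state { struct crtc_state *crtc; };   /* crtc may be NULL */

/* Constructed lookup modelling drm_atomic_get_crtc_state(): a plane without
 * a CRTC yields an error pointer, not NULL. */
static struct crtc_state *get_crtc_state(struct plane_state *s) {
    return s->crtc ? s->crtc : ERR_PTR(-ENOENT);
}

/* Buggy ordering from the page: 'state' is dereferenced inside get_crtc_state()
 * before the '!state' test, so that test can never protect the dereference. */
static int async_check_buggy(struct plane_state *state) {
    struct crtc_state *cs = get_crtc_state(state);   /* reads state->crtc */
    if (IS_ERR(cs)) return (int)PTR_ERR(cs);
    if (!cs->event || !state) return -EINVAL;        /* NULL test comes too late */
    return 0;
}

/* Hardened ordering: validate each pointer before its first use, and test the
 * looked-up crtc_state with IS_ERR before touching it. */
static int async_check_fixed(struct plane_state *state) {
    if (!state) return -EINVAL;
    struct crtc_state *cs = get_crtc_state(state);
    if (IS_ERR(cs)) return (int)PTR_ERR(cs);
    if (!cs->event) return -EINVAL;
    return 0;
}

/* Constructed fixtures: a plane attached to a CRTC with a pending event, and a
 * plane with no CRTC at all. */
static struct crtc_state g_crtc_ok = { .event = 1 };
static struct plane_state g_attached = { .crtc = &g_crtc_ok };
static struct plane_state g_detached = { .crtc = NULL };
```

Calling async_check_buggy(NULL) crashes before its NULL test runs, which is exactly what the smatch warning quoted above is flagging; async_check_fixed(NULL) returns -EINVAL instead.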

Conclusion

This article has provided a report on CVE-2024-53129, a vulnerability affecting the Linux kernel's drm/rockchip component. By promptly resolving this issue, the Linux kernel maintainers have significantly reduced the risk associated with it. If you are running a system impacted by this vulnerability, it is critical to apply the latest kernel updates and patches to keep your system secure.

Timeline

Published on: 12/04/2024 15:15:12 UTC
Last modified on: 12/19/2024 09:39:55 UTC