CVE-2024-56778 - Linux Kernel drm/sti Error Pointer Dereference Vulnerability Explained

In June 2024, a new vulnerability, CVE-2024-56778, was identified and patched in the Linux kernel. The bug affects the DRM driver for STMicroelectronics hardware, specifically the sti_hqvdp_atomic_check function in the drm/sti subsystem. Let’s break down what happened, why it mattered, and look at how it can be exploited and how it was fixed.

What’s the Problem?

Within the Linux kernel’s Direct Rendering Manager (DRM) for STI hardware, the function sti_hqvdp_atomic_check() calls another function, drm_atomic_get_crtc_state(), to retrieve the status of a CRTC (the part that generates video signals). However, it didn’t properly check if the result of this function was an error pointer before using it.

If something went wrong inside drm_atomic_get_crtc_state(), it would return an error pointer—not a valid structure. The code would then use this invalid pointer as if it were valid, causing a potential kernel crash, memory corruption, or further security issues.

Here’s the snippet that was problematic

struct drm_crtc_state *crtc_state;
crtc_state = drm_atomic_get_crtc_state(state, crtc);
if (!crtc_state)
    return -EINVAL;

if (!drm_atomic_crtc_needs_modeset(crtc_state))
    return ;

... // other code using crtc_state

The issue is:
drm_atomic_get_crtc_state() returns either a valid pointer or an error pointer (using macros like IS_ERR()/PTR_ERR()), but the check only checked NULL, not error pointers!

How Could This Be Exploited?

An attacker or a buggy user-space driver could trigger an error from drm_atomic_get_crtc_state(), causing it to return an error pointer. Since the code would dereference this as if it were a real pointer, it could result in:

Information leak or memory corruption, under some conditions.

This type of vulnerability could be used as part of a local privilege escalation attack, especially if an unprivileged user can interact with the DRM API.

The fix makes sure to check for both NULL and error pointers with Linux standard macros

struct drm_crtc_state *crtc_state;
crtc_state = drm_atomic_get_crtc_state(state, crtc);
if (IS_ERR(crtc_state))
    return PTR_ERR(crtc_state);

if (!drm_atomic_crtc_needs_modeset(crtc_state))
    return ;

... // safe to use crtc_state here

The IS_ERR() macro checks if the pointer is an error, and if so, the function returns the error code, not the bad pointer.

Official Patch:
See: drm/sti: avoid potential dereference of error pointers in sti_hqvdp_atomic_check

Proof of Concept (PoC) Exploit

Since this is a logic error in the kernel, any user able to trigger a call to sti_hqvdp_atomic_check() with a crafted atomic state that would make drm_atomic_get_crtc_state() fail could potentially cause a crash.

Example exploit scenario in pseudo-code

import os
import drm_api

# Trigger display atomic commit that references invalid CRTC state
bad_state = drm_api.create_invalid_atomic_state()
try:
    drm_api.commit(bad_state)
except Exception as e:
    print("Kernel might have crashed or OOPSed!")

This is generalized—the real exploit would require creating an invalid state through the DRM interface, possibly via ioctl calls.

Note: Writing a real remote exploit would require advanced kernel knowledge and understanding of the device tree and DRM internals.

Who’s Affected?

- Linux kernels with the DRM/STI subsystem enabled.
- Devices using STMicroelectronics video/display hardware.

How to Stay Safe

- Apply kernel updates as soon as possible. Most distributions will include the patch in upcoming kernel updates.
- Restrict access to DRM device nodes (/dev/dri/*) to trusted users.
- Review systems for suspicious crashes or unexpected reboots, which could indicate past attempts at exploiting this bug.

Patch:

kernel/git/torvalds/linux.git commit 54a4578...

Linux DRM Documentation:

https://www.kernel.org/doc/html/latest/gpu/drm-internals.html

CVE Record (if available):

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56778

Conclusion

CVE-2024-56778 is a classic example of why careful error checking matters in C code—especially in kernel-space where the slightest mistake can have big consequences. If you run a system with Linux DRM/STI support, update your kernel promptly and limit access to graphics interfaces.

Timeline

Published on: 01/08/2025 18:15:18 UTC
Last modified on: 01/20/2025 06:27:59 UTC