A patch addressing CVE-2024-57922 was recently published for the Linux kernel. This vulnerability in the drm/amd/display code stems from missing granularity checks, which can result in divide-by-zero errors. In this long-read post, we'll go through the specifics of the error, walk through the code snippet, look at the fix, and review the original sources.

Background

The Direct Rendering Manager (DRM) subsystem, a crucial component of the Linux kernel, is responsible for handling graphics hardware. Part of this functionality is drm/amd/display, which falls under the AMDGPU DRM driver for AMD graphics hardware. The vulnerability was spotted in code performing specific mathematical operations on the GPU hardware.

Details

The flaw results from a lack of checks for non-zero granularity values in calls to the dcn_bw_ceil2() and dcn_bw_floor2() functions. Granularity here refers to the smallest unit representing a physical quantity, such as detail in an image. When granularity is zero, these functions can trigger divide-by-zero errors, which can lead to a system crash or other undefined behavior.

Here's a snippet of the original faulty code:

uint32_t dcn_bw_ceil2(uint32_t value, uint32_t granularity)
{
	return ((value - 1) / granularity + 1) * granularity;
}

uint32_t dcn_bw_floor2(uint32_t value, uint32_t granularity)
{
	return (value / granularity) * granularity;
}

The functions dcn_bw_ceil2() and dcn_bw_floor2() perform mathematical ceiling and flooring operations based on the provided granularity. However, if granularity equals zero, the division results in a divide-by-zero error. The fixed code looks like this:

uint32_t dcn_bw_ceil2(uint32_t value, uint32_t granularity)
{
	/* Guard: a zero granularity would divide by zero below. */
	if (granularity == 0) {
		return value;
	}
	return ((value - 1) / granularity + 1) * granularity;
}

uint32_t dcn_bw_floor2(uint32_t value, uint32_t granularity)
{
	/* Guard: a zero granularity would divide by zero below. */
	if (granularity == 0) {
		return value;
	}
	return (value / granularity) * granularity;
}

As seen, an additional check is included for each function to verify if granularity is zero. If it's zero, the functions return the value without performing any operations.
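The guard stops the crash, but with a granularity of zero the helpers hand back a value that has not been rounded at all. The C program below is an added example, not kernel code and not part of the patch: it reuses the guarded helpers as printed above and adds a hypothetical checked_ceil2() that reports unusable input to the caller. All inputs are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Guarded helpers, same logic as the patched snippet in the article. */
static uint32_t dcn_bw_ceil2(uint32_t value, uint32_t granularity)
{
	if (granularity == 0)
		return value;
	return ((value - 1) / granularity + 1) * granularity;
}

static uint32_t dcn_bw_floor2(uint32_t value, uint32_t granularity)
{
	if (granularity == 0)
		return value;
	return (value / granularity) * granularity;
}

/*
 * checked_ceil2() is hypothetical, not kernel code. It rejects a zero
 * granularity and results that do not fit in 32 bits; value == 0 is
 * handled first because value - 1 would wrap in unsigned arithmetic.
 */
static bool checked_ceil2(uint32_t value, uint32_t granularity, uint32_t *out)
{
	uint64_t r;
	if (granularity == 0)
		return false;
	if (value == 0) {
		*out = 0;
		return true;
	}
	r = ((uint64_t)(value - 1) / granularity + 1) * granularity;
	if (r > UINT32_MAX)
		return false;
	*out = (uint32_t)r;
	return true;
}

int main(void)
{
	uint32_t r = 0;
	/* Constructed inputs: 1000 rounded to a step of 64, then a step of 0. */
	printf("ceil2=%u floor2=%u\n", dcn_bw_ceil2(1000, 64), dcn_bw_floor2(1000, 64));
	printf("step 0: ceil2=%u checked ok=%d\n", dcn_bw_ceil2(1000, 0), checked_ceil2(1000, 0, &r));
	return 0;
}
```

A caller that depends on the result being a multiple of granularity can use the boolean return to reject the input instead of continuing with an unaligned value.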

The relevant patch was picked from here:

- upstream commit f6e09701c3eb2ccb8cb0518eb67f1c69742a4ec

Conclusion

Due to the Linux kernel's open-source nature, vulnerabilities like CVE-2024-57922 can be promptly identified and resolved through cooperation among organizations and developers worldwide. This particular fix addresses a divide-by-zero error that could potentially affect system stability and security. The additional check for zero granularity helps prevent assertions and ensures smoother functionality.

Timeline

Published on: 01/19/2025 12:15:26 UTC
Last modified on: 02/27/2025 21:59:28 UTC