fkie_cve-2024-47720
Vulnerability from fkie_nvd
Published
2024-10-21 12:15
Modified
2024-10-23 20:53
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func This commit adds a null check for the set_output_gamma function pointer in the dcn30_set_output_transfer_func function. Previously, set_output_gamma was being checked for nullity at line 386, but then it was being dereferenced without any nullity check at line 401. This could potentially lead to a null pointer dereference error if set_output_gamma is indeed null. To fix this, we now ensure that set_output_gamma is not null before dereferencing it. We do this by adding a nullity check for set_output_gamma before the call to set_output_gamma at line 401. If set_output_gamma is null, we log an error message and do not call the function. This fix prevents a potential null pointer dereference error. drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 dcn30_set_output_transfer_func() error: we previously assumed 'mpc->funcs->set_output_gamma' could be null (see line 386) drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c 373 bool dcn30_set_output_transfer_func(struct dc *dc, 374 struct pipe_ctx *pipe_ctx, 375 const struct dc_stream_state *stream) 376 { 377 int mpcc_id = pipe_ctx->plane_res.hubp->inst; 378 struct mpc *mpc = pipe_ctx->stream_res.opp->ctx->dc->res_pool->mpc; 379 const struct pwl_params *params = NULL; 380 bool ret = false; 381 382 /* program OGAM or 3DLUT only for the top pipe*/ 383 if (pipe_ctx->top_pipe == NULL) { 384 /*program rmu shaper and 3dlut in MPC*/ 385 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream); 386 if (ret == false && mpc->funcs->set_output_gamma) { ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this is NULL 387 if (stream->out_transfer_func.type == TF_TYPE_HWPWL) 388 params = &stream->out_transfer_func.pwl; 389 else if (pipe_ctx->stream->out_transfer_func.type == 390 TF_TYPE_DISTRIBUTED_POINTS && 391 cm3_helper_translate_curve_to_hw_format( 392 &stream->out_transfer_func, 393 &mpc->blender_params, false)) 394 params = &mpc->blender_params; 395 /* there are no ROM LUTs in OUTGAM */ 396 if (stream->out_transfer_func.type == TF_TYPE_PREDEFINED) 397 BREAK_TO_DEBUGGER(); 398 } 399 } 400 --> 401 mpc->funcs->set_output_gamma(mpc, mpcc_id, params); ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Then it will crash 402 return ret; 403 }
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/08ae395ea22fb3d9b318c8bde28c0dfd2f5fa4d2Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/44948d3cb943602ba4a0b5ed3c91ae0525838fb1Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/64886a4e6f1dce843c0889505cf0673b5211e16aPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/72ee32d0907364104fbcf4f68dd5ae63cd8eae9ePatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/84edd5a3f5fa6aafa4afcaf9f101f46426c620c9Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ddf9ff244d704e1903533f7be377615ed34b83e7Patch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "643E292D-C242-4FEC-8A11-034AB46708C1",
              "versionEndExcluding": "5.15.168",
              "versionStartIncluding": "5.9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D01BD22E-ACD1-4618-9D01-6116570BE1EE",
              "versionEndExcluding": "6.1.113",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D448821D-C085-4CAF-88FA-2DDE7BE21976",
              "versionEndExcluding": "6.6.54",
              "versionStartIncluding": "6.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CE94BB8D-B0AB-4563-9ED7-A12122B56EBE",
              "versionEndExcluding": "6.10.13",
              "versionStartIncluding": "6.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AB755D26-97F4-43B6-8604-CD076811E181",
              "versionEndExcluding": "6.11.2",
              "versionStartIncluding": "6.11",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func\n\nThis commit adds a null check for the set_output_gamma function pointer\nin the  dcn30_set_output_transfer_func function. Previously,\nset_output_gamma was being checked for nullity at line 386, but then it\nwas being dereferenced without any nullity check at line 401. This\ncould potentially lead to a null pointer dereference error if\nset_output_gamma is indeed null.\n\nTo fix this, we now ensure that set_output_gamma is not null before\ndereferencing it. We do this by adding a nullity check for\nset_output_gamma before the call to set_output_gamma at line 401. If\nset_output_gamma is null, we log an error message and do not call the\nfunction.\n\nThis fix prevents a potential null pointer dereference error.\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 dcn30_set_output_transfer_func()\nerror: we previously assumed \u0027mpc-\u003efuncs-\u003eset_output_gamma\u0027 could be null (see line 386)\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c\n    373 bool dcn30_set_output_transfer_func(struct dc *dc,\n    374                                 struct pipe_ctx *pipe_ctx,\n    375                                 const struct dc_stream_state *stream)\n    376 {\n    377         int mpcc_id = pipe_ctx-\u003eplane_res.hubp-\u003einst;\n    378         struct mpc *mpc = pipe_ctx-\u003estream_res.opp-\u003ectx-\u003edc-\u003eres_pool-\u003empc;\n    379         const struct pwl_params *params = NULL;\n    380         bool ret = false;\n    381\n    382         /* program OGAM or 3DLUT only for the top pipe*/\n    383         if (pipe_ctx-\u003etop_pipe == NULL) {\n    384                 /*program rmu shaper and 3dlut in MPC*/\n    385                 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream);\n    386                 if (ret == false \u0026\u0026 mpc-\u003efuncs-\u003eset_output_gamma) {\n                                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this is NULL\n\n    387                         if (stream-\u003eout_transfer_func.type == TF_TYPE_HWPWL)\n    388                                 params = \u0026stream-\u003eout_transfer_func.pwl;\n    389                         else if (pipe_ctx-\u003estream-\u003eout_transfer_func.type ==\n    390                                         TF_TYPE_DISTRIBUTED_POINTS \u0026\u0026\n    391                                         cm3_helper_translate_curve_to_hw_format(\n    392                                         \u0026stream-\u003eout_transfer_func,\n    393                                         \u0026mpc-\u003eblender_params, false))\n    394                                 params = \u0026mpc-\u003eblender_params;\n    395                          /* there are no ROM LUTs in OUTGAM */\n    396                         if (stream-\u003eout_transfer_func.type == TF_TYPE_PREDEFINED)\n    397                                 BREAK_TO_DEBUGGER();\n    398                 }\n    399         }\n    400\n--\u003e 401         mpc-\u003efuncs-\u003eset_output_gamma(mpc, mpcc_id, params);\n                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Then it will crash\n\n    402         return ret;\n    403 }"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/amd/display: Agregar comprobaci\u00f3n nula para set_output_gamma en dcn30_set_output_transfer_func Esta confirmaci\u00f3n agrega una comprobaci\u00f3n nula para el puntero de funci\u00f3n set_output_gamma en la funci\u00f3n dcn30_set_output_transfer_func. Anteriormente, se estaba comprobando la nulidad de set_output_gamma en la l\u00ednea 386, pero luego se estaba desreferenciando sin ninguna comprobaci\u00f3n de nulidad en la l\u00ednea 401. Esto podr\u00eda conducir potencialmente a un error de desreferencia de puntero nulo si set_output_gamma es de hecho nulo. Para solucionar esto, ahora nos aseguramos de que set_output_gamma no sea nulo antes de desreferenciarlo. Hacemos esto agregando una comprobaci\u00f3n de nulidad para set_output_gamma antes de la llamada a set_output_gamma en la l\u00ednea 401. Si set_output_gamma es nulo, registramos un mensaje de error y no llamamos a la funci\u00f3n. Esta correcci\u00f3n evita un posible error de desreferencia de puntero nulo. drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 error de dcn30_set_output_transfer_func(): anteriormente asumimos que \u0027mpc-\u0026gt;funcs-\u0026gt;set_output_gamma\u0027 podr\u00eda ser nulo (ver l\u00ednea 386) drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c 373 bool dcn30_set_output_transfer_func(struct dc *dc, 374 struct pipe_ctx *pipe_ctx, 375 const struct dc_stream_state *stream) 376 { 377 int mpcc_id = pipe_ctx-\u0026gt;plane_res.hubp-\u0026gt;inst; 378 struct mpc *mpc = pipe_ctx-\u0026gt;stream_res.opp-\u0026gt;ctx-\u0026gt;dc-\u0026gt;res_pool-\u0026gt;mpc; 379 const struct pwl_params *params = NULL; 380 bool ret = false; 381 382 /* programa OGAM o 3DLUT solo para la tuber\u00eda superior*/ 383 if (pipe_ctx-\u0026gt;top_pipe == NULL) { 384 /*programa rmu shaper y 3dlut en MPC*/ 385 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream); 386 si (ret == falso \u0026amp;\u0026amp; mpc-\u0026gt;funcs-\u0026gt;set_output_gamma) { ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Si esto es NULL 387 si (flujo-\u0026gt;out_transfer_func.type == TF_TYPE_HWPWL) 388 par\u00e1metros = \u0026amp;flujo-\u0026gt;out_transfer_func.pwl; 389 de lo contrario si (pipe_ctx-\u0026gt;flujo-\u0026gt;out_transfer_func.type == 390 TF_TYPE_DISTRIBUTED_POINTS \u0026amp;\u0026amp; 391 cm3_helper_translate_curve_to_hw_format( 392 \u0026amp;flujo-\u0026gt;out_transfer_func, 393 \u0026amp;mpc-\u0026gt;blender_params, falso)) 394 par\u00e1metros = \u0026amp;mpc-\u0026gt;blender_params; 395 /* no hay LUT de ROM en OUTGAM */ 396 if (stream-\u0026gt;out_transfer_func.type == TF_TYPE_PREDEFINED) 397 BREAK_TO_DEBUGGER(); 398 } 399 } 400 --\u0026gt; 401 mpc-\u0026gt;funcs-\u0026gt;set_output_gamma(mpc, mpcc_id, params); ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Entonces se bloquear\u00e1 402 return ret; 403 }"
    }
  ],
  "id": "CVE-2024-47720",
  "lastModified": "2024-10-23T20:53:54.150",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-10-21T12:15:08.240",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/08ae395ea22fb3d9b318c8bde28c0dfd2f5fa4d2"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/44948d3cb943602ba4a0b5ed3c91ae0525838fb1"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/64886a4e6f1dce843c0889505cf0673b5211e16a"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/72ee32d0907364104fbcf4f68dd5ae63cd8eae9e"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/84edd5a3f5fa6aafa4afcaf9f101f46426c620c9"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/ddf9ff244d704e1903533f7be377615ed34b83e7"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-476"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.