ghsa-6mj8-3p38-3j38
Vulnerability from github
Published
2024-10-21 12:30
Modified
2024-10-23 21:30
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func

This commit adds a null check for the set_output_gamma function pointer in the dcn30_set_output_transfer_func function. Previously, set_output_gamma was being checked for nullity at line 386, but then it was being dereferenced without any nullity check at line 401. This could potentially lead to a null pointer dereference error if set_output_gamma is indeed null.

To fix this, we now ensure that set_output_gamma is not null before dereferencing it. We do this by adding a nullity check for set_output_gamma before the call to set_output_gamma at line 401. If set_output_gamma is null, we log an error message and do not call the function.

This fix prevents a potential null pointer dereference error.

drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 dcn30_set_output_transfer_func() error: we previously assumed 'mpc->funcs->set_output_gamma' could be null (see line 386)

drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c 373 bool dcn30_set_output_transfer_func(struct dc dc, 374 struct pipe_ctx pipe_ctx, 375 const struct dc_stream_state stream) 376 { 377 int mpcc_id = pipe_ctx->plane_res.hubp->inst; 378 struct mpc mpc = pipe_ctx->stream_res.opp->ctx->dc->res_pool->mpc; 379 const struct pwl_params params = NULL; 380 bool ret = false; 381 382 / program OGAM or 3DLUT only for the top pipe/ 383 if (pipe_ctx->top_pipe == NULL) { 384 /program rmu shaper and 3dlut in MPC*/ 385 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream); 386 if (ret == false && mpc->funcs->set_output_gamma) { ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this is NULL

387                         if (stream->out_transfer_func.type == TF_TYPE_HWPWL)
388                                 params = &stream->out_transfer_func.pwl;
389                         else if (pipe_ctx->stream->out_transfer_func.type ==
390                                         TF_TYPE_DISTRIBUTED_POINTS &&
391                                         cm3_helper_translate_curve_to_hw_format(
392                                         &stream->out_transfer_func,
393                                         &mpc->blender_params, false))
394                                 params = &mpc->blender_params;
395                          /* there are no ROM LUTs in OUTGAM */
396                         if (stream->out_transfer_func.type == TF_TYPE_PREDEFINED)
397                                 BREAK_TO_DEBUGGER();
398                 }
399         }
400

--> 401 mpc->funcs->set_output_gamma(mpc, mpcc_id, params); ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Then it will crash

402         return ret;
403 }
Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-47720"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-21T12:15:08Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func\n\nThis commit adds a null check for the set_output_gamma function pointer\nin the  dcn30_set_output_transfer_func function. Previously,\nset_output_gamma was being checked for nullity at line 386, but then it\nwas being dereferenced without any nullity check at line 401. This\ncould potentially lead to a null pointer dereference error if\nset_output_gamma is indeed null.\n\nTo fix this, we now ensure that set_output_gamma is not null before\ndereferencing it. We do this by adding a nullity check for\nset_output_gamma before the call to set_output_gamma at line 401. If\nset_output_gamma is null, we log an error message and do not call the\nfunction.\n\nThis fix prevents a potential null pointer dereference error.\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 dcn30_set_output_transfer_func()\nerror: we previously assumed \u0027mpc-\u003efuncs-\u003eset_output_gamma\u0027 could be null (see line 386)\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c\n    373 bool dcn30_set_output_transfer_func(struct dc *dc,\n    374                                 struct pipe_ctx *pipe_ctx,\n    375                                 const struct dc_stream_state *stream)\n    376 {\n    377         int mpcc_id = pipe_ctx-\u003eplane_res.hubp-\u003einst;\n    378         struct mpc *mpc = pipe_ctx-\u003estream_res.opp-\u003ectx-\u003edc-\u003eres_pool-\u003empc;\n    379         const struct pwl_params *params = NULL;\n    380         bool ret = false;\n    381\n    382         /* program OGAM or 3DLUT only for the top pipe*/\n    383         if (pipe_ctx-\u003etop_pipe == NULL) {\n    384                 /*program rmu shaper and 3dlut in MPC*/\n    385                 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream);\n    386                 if (ret == false \u0026\u0026 mpc-\u003efuncs-\u003eset_output_gamma) {\n                                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this is NULL\n\n    387                         if (stream-\u003eout_transfer_func.type == TF_TYPE_HWPWL)\n    388                                 params = \u0026stream-\u003eout_transfer_func.pwl;\n    389                         else if (pipe_ctx-\u003estream-\u003eout_transfer_func.type ==\n    390                                         TF_TYPE_DISTRIBUTED_POINTS \u0026\u0026\n    391                                         cm3_helper_translate_curve_to_hw_format(\n    392                                         \u0026stream-\u003eout_transfer_func,\n    393                                         \u0026mpc-\u003eblender_params, false))\n    394                                 params = \u0026mpc-\u003eblender_params;\n    395                          /* there are no ROM LUTs in OUTGAM */\n    396                         if (stream-\u003eout_transfer_func.type == TF_TYPE_PREDEFINED)\n    397                                 BREAK_TO_DEBUGGER();\n    398                 }\n    399         }\n    400\n--\u003e 401         mpc-\u003efuncs-\u003eset_output_gamma(mpc, mpcc_id, params);\n                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Then it will crash\n\n    402         return ret;\n    403 }",
  "id": "GHSA-6mj8-3p38-3j38",
  "modified": "2024-10-23T21:30:28Z",
  "published": "2024-10-21T12:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47720"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/08ae395ea22fb3d9b318c8bde28c0dfd2f5fa4d2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/44948d3cb943602ba4a0b5ed3c91ae0525838fb1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/64886a4e6f1dce843c0889505cf0673b5211e16a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/72ee32d0907364104fbcf4f68dd5ae63cd8eae9e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/84edd5a3f5fa6aafa4afcaf9f101f46426c620c9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ddf9ff244d704e1903533f7be377615ed34b83e7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.