ghsa-v5jf-jh4j-87cv
Vulnerability from github
Published
2025-01-19 12:31
Modified
2025-02-18 15:31
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: fix divide error in DM plane scale calcs

dm_get_plane_scale doesn't take into account plane scaled size equal to zero, leading to a kernel oops due to division by zero. Fix by setting out-scale size as zero when the dst size is zero, similar to what is done by drm_calc_scale(). This issue started with the introduction of cursor ovelay mode that uses this function to assess cursor mode changes via dm_crtc_get_cursor_mode() before checking plane state.

[Dec17 17:14] Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI [ +0.000018] CPU: 5 PID: 1660 Comm: surface-DP-1 Not tainted 6.10.0+ #231 [ +0.000007] Hardware name: Valve Jupiter/Jupiter, BIOS F7A0131 01/30/2024 [ +0.000004] RIP: 0010:dm_get_plane_scale+0x3f/0x60 [amdgpu] [ +0.000553] Code: 44 0f b7 41 3a 44 0f b7 49 3e 83 e0 0f 48 0f a3 c2 73 21 69 41 28 e8 03 00 00 31 d2 41 f7 f1 31 d2 89 06 69 41 2c e8 03 00 00 <41> f7 f0 89 07 e9 d7 d8 7e e9 44 89 c8 45 89 c1 41 89 c0 eb d4 66 [ +0.000005] RSP: 0018:ffffa8df0de6b8a0 EFLAGS: 00010246 [ +0.000006] RAX: 00000000000003e8 RBX: ffff9ac65c1f6e00 RCX: ffff9ac65d055500 [ +0.000003] RDX: 0000000000000000 RSI: ffffa8df0de6b8b0 RDI: ffffa8df0de6b8b4 [ +0.000004] RBP: ffff9ac64e7a5800 R08: 0000000000000000 R09: 0000000000000a00 [ +0.000003] R10: 00000000000000ff R11: 0000000000000054 R12: ffff9ac6d0700010 [ +0.000003] R13: ffff9ac65d054f00 R14: ffff9ac65d055500 R15: ffff9ac64e7a60a0 [ +0.000004] FS: 00007f869ea00640(0000) GS:ffff9ac970080000(0000) knlGS:0000000000000000 [ +0.000004] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ +0.000003] CR2: 000055ca701becd0 CR3: 000000010e7f2000 CR4: 0000000000350ef0 [ +0.000004] Call Trace: [ +0.000007] [ +0.000006] ? __die_body.cold+0x19/0x27 [ +0.000009] ? die+0x2e/0x50 [ +0.000007] ? do_trap+0xca/0x110 [ +0.000007] ? do_error_trap+0x6a/0x90 [ +0.000006] ? dm_get_plane_scale+0x3f/0x60 [amdgpu] [ +0.000504] ? exc_divide_error+0x38/0x50 [ +0.000005] ? dm_get_plane_scale+0x3f/0x60 [amdgpu] [ +0.000488] ? asm_exc_divide_error+0x1a/0x20 [ +0.000011] ? dm_get_plane_scale+0x3f/0x60 [amdgpu] [ +0.000593] dm_crtc_get_cursor_mode+0x33f/0x430 [amdgpu] [ +0.000562] amdgpu_dm_atomic_check+0x2ef/0x1770 [amdgpu] [ +0.000501] drm_atomic_check_only+0x5e1/0xa30 [drm] [ +0.000047] drm_mode_atomic_ioctl+0x832/0xcb0 [drm] [ +0.000050] ? __pfx_drm_mode_atomic_ioctl+0x10/0x10 [drm] [ +0.000047] drm_ioctl_kernel+0xb3/0x100 [drm] [ +0.000062] drm_ioctl+0x27a/0x4f0 [drm] [ +0.000049] ? __pfx_drm_mode_atomic_ioctl+0x10/0x10 [drm] [ +0.000055] amdgpu_drm_ioctl+0x4e/0x90 [amdgpu] [ +0.000360] __x64_sys_ioctl+0x97/0xd0 [ +0.000010] do_syscall_64+0x82/0x190 [ +0.000008] ? __pfx_drm_mode_createblob_ioctl+0x10/0x10 [drm] [ +0.000044] ? srso_return_thunk+0x5/0x5f [ +0.000006] ? drm_ioctl_kernel+0xb3/0x100 [drm] [ +0.000040] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? __check_object_size+0x50/0x220 [ +0.000007] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? drm_ioctl+0x2a4/0x4f0 [drm] [ +0.000039] ? __pfx_drm_mode_createblob_ioctl+0x10/0x10 [drm] [ +0.000043] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? __pm_runtime_suspend+0x69/0xc0 [ +0.000006] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? amdgpu_drm_ioctl+0x71/0x90 [amdgpu] [ +0.000366] ? srso_return_thunk+0x5/0x5f [ +0.000006] ? syscall_exit_to_user_mode+0x77/0x210 [ +0.000007] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? do_syscall_64+0x8e/0x190 [ +0.000006] ? srso_return_thunk+0x5/0x5f [ +0.000006] ? do_syscall_64+0x8e/0x190 [ +0.000006] ? srso_return_thunk+0x5/0x5f [ +0.000007] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ +0.000008] RIP: 0033:0x55bb7cd962bc [ +0.000007] Code: 4c 89 6c 24 18 4c 89 64 24 20 4c 89 74 24 28 0f 57 c0 0f 11 44 24 30 89 c7 48 8d 54 24 08 b8 10 00 00 00 be bc 64 ---truncated---

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-57919"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-369"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-19T12:15:26Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix divide error in DM plane scale calcs\n\ndm_get_plane_scale doesn\u0027t take into account plane scaled size equal to\nzero, leading to a kernel oops due to division by zero. Fix by setting\nout-scale size as zero when the dst size is zero, similar to what is\ndone by drm_calc_scale(). This issue started with the introduction of\ncursor ovelay mode that uses this function to assess cursor mode changes\nvia dm_crtc_get_cursor_mode() before checking plane state.\n\n[Dec17 17:14] Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI\n[  +0.000018] CPU: 5 PID: 1660 Comm: surface-DP-1 Not tainted 6.10.0+ #231\n[  +0.000007] Hardware name: Valve Jupiter/Jupiter, BIOS F7A0131 01/30/2024\n[  +0.000004] RIP: 0010:dm_get_plane_scale+0x3f/0x60 [amdgpu]\n[  +0.000553] Code: 44 0f b7 41 3a 44 0f b7 49 3e 83 e0 0f 48 0f a3 c2 73 21 69 41 28 e8 03 00 00 31 d2 41 f7 f1 31 d2 89 06 69 41 2c e8 03 00 00 \u003c41\u003e f7 f0 89 07 e9 d7 d8 7e e9 44 89 c8 45 89 c1 41 89 c0 eb d4 66\n[  +0.000005] RSP: 0018:ffffa8df0de6b8a0 EFLAGS: 00010246\n[  +0.000006] RAX: 00000000000003e8 RBX: ffff9ac65c1f6e00 RCX: ffff9ac65d055500\n[  +0.000003] RDX: 0000000000000000 RSI: ffffa8df0de6b8b0 RDI: ffffa8df0de6b8b4\n[  +0.000004] RBP: ffff9ac64e7a5800 R08: 0000000000000000 R09: 0000000000000a00\n[  +0.000003] R10: 00000000000000ff R11: 0000000000000054 R12: ffff9ac6d0700010\n[  +0.000003] R13: ffff9ac65d054f00 R14: ffff9ac65d055500 R15: ffff9ac64e7a60a0\n[  +0.000004] FS:  00007f869ea00640(0000) GS:ffff9ac970080000(0000) knlGS:0000000000000000\n[  +0.000004] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  +0.000003] CR2: 000055ca701becd0 CR3: 000000010e7f2000 CR4: 0000000000350ef0\n[  +0.000004] Call Trace:\n[  +0.000007]  \u003cTASK\u003e\n[  +0.000006]  ? __die_body.cold+0x19/0x27\n[  +0.000009]  ? die+0x2e/0x50\n[  +0.000007]  ? do_trap+0xca/0x110\n[  +0.000007]  ? do_error_trap+0x6a/0x90\n[  +0.000006]  ? dm_get_plane_scale+0x3f/0x60 [amdgpu]\n[  +0.000504]  ? exc_divide_error+0x38/0x50\n[  +0.000005]  ? dm_get_plane_scale+0x3f/0x60 [amdgpu]\n[  +0.000488]  ? asm_exc_divide_error+0x1a/0x20\n[  +0.000011]  ? dm_get_plane_scale+0x3f/0x60 [amdgpu]\n[  +0.000593]  dm_crtc_get_cursor_mode+0x33f/0x430 [amdgpu]\n[  +0.000562]  amdgpu_dm_atomic_check+0x2ef/0x1770 [amdgpu]\n[  +0.000501]  drm_atomic_check_only+0x5e1/0xa30 [drm]\n[  +0.000047]  drm_mode_atomic_ioctl+0x832/0xcb0 [drm]\n[  +0.000050]  ? __pfx_drm_mode_atomic_ioctl+0x10/0x10 [drm]\n[  +0.000047]  drm_ioctl_kernel+0xb3/0x100 [drm]\n[  +0.000062]  drm_ioctl+0x27a/0x4f0 [drm]\n[  +0.000049]  ? __pfx_drm_mode_atomic_ioctl+0x10/0x10 [drm]\n[  +0.000055]  amdgpu_drm_ioctl+0x4e/0x90 [amdgpu]\n[  +0.000360]  __x64_sys_ioctl+0x97/0xd0\n[  +0.000010]  do_syscall_64+0x82/0x190\n[  +0.000008]  ? __pfx_drm_mode_createblob_ioctl+0x10/0x10 [drm]\n[  +0.000044]  ? srso_return_thunk+0x5/0x5f\n[  +0.000006]  ? drm_ioctl_kernel+0xb3/0x100 [drm]\n[  +0.000040]  ? srso_return_thunk+0x5/0x5f\n[  +0.000005]  ? __check_object_size+0x50/0x220\n[  +0.000007]  ? srso_return_thunk+0x5/0x5f\n[  +0.000005]  ? srso_return_thunk+0x5/0x5f\n[  +0.000005]  ? drm_ioctl+0x2a4/0x4f0 [drm]\n[  +0.000039]  ? __pfx_drm_mode_createblob_ioctl+0x10/0x10 [drm]\n[  +0.000043]  ? srso_return_thunk+0x5/0x5f\n[  +0.000005]  ? srso_return_thunk+0x5/0x5f\n[  +0.000005]  ? __pm_runtime_suspend+0x69/0xc0\n[  +0.000006]  ? srso_return_thunk+0x5/0x5f\n[  +0.000005]  ? amdgpu_drm_ioctl+0x71/0x90 [amdgpu]\n[  +0.000366]  ? srso_return_thunk+0x5/0x5f\n[  +0.000006]  ? syscall_exit_to_user_mode+0x77/0x210\n[  +0.000007]  ? srso_return_thunk+0x5/0x5f\n[  +0.000005]  ? do_syscall_64+0x8e/0x190\n[  +0.000006]  ? srso_return_thunk+0x5/0x5f\n[  +0.000006]  ? do_syscall_64+0x8e/0x190\n[  +0.000006]  ? srso_return_thunk+0x5/0x5f\n[  +0.000007]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[  +0.000008] RIP: 0033:0x55bb7cd962bc\n[  +0.000007] Code: 4c 89 6c 24 18 4c 89 64 24 20 4c 89 74 24 28 0f 57 c0 0f 11 44 24 30 89 c7 48 8d 54 24 08 b8 10 00 00 00 be bc 64\n---truncated---",
  "id": "GHSA-v5jf-jh4j-87cv",
  "modified": "2025-02-18T15:31:06Z",
  "published": "2025-01-19T12:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57919"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5225fd2a26211d012533acf98a6ad3f983885817"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c2eaa73bd542b0168a0519e4a1c6e94bc121ec3d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.