Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

0

CVE-2024-26874

Disclosure Date: April 17, 2024 •

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip

It’s possible that mtk_crtc->event is NULL in
mtk_drm_crtc_finish_page_flip().

pending_needs_vblank value is set by mtk_crtc->event, but in
mtk_drm_crtc_atomic_flush(), it’s is not guarded by the same
lock in mtk_drm_finish_page_flip(), thus a race condition happens.

Consider the following case:

CPU1 CPU2
step 1:
mtk_drm_crtc_atomic_begin()
mtk_crtc->event is not null,

                              step 1:
                              mtk_drm_crtc_atomic_flush:
                              mtk_drm_crtc_update_config(
                                  !!mtk_crtc->event)

step 2:
mtk_crtc_ddp_irq –>
mtk_drm_finish_page_flip:
lock
mtk_crtc->event set to null,
pending_needs_vblank set to false
unlock

                              pending_needs_vblank set to true,

                              step 2:
                              mtk_crtc_ddp_irq ->
                              mtk_drm_finish_page_flip called again,
                              pending_needs_vblank is still true
                              //null pointer

Instead of guarding the entire mtk_drm_crtc_atomic_flush(), it’s more
efficient to just check if mtk_crtc->event is null before use.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

None

Impact Score:

Unknown

Exploitability Score:

Unknown

Vector:

Attack Vector (AV):

Unknown

Attack Complexity (AC):

Unknown

Privileges Required (PR):

Unknown

User Interaction (UI):

Unknown

Scope (S):

Unknown

Confidentiality (C):

Unknown

Integrity (I):

Unknown

Availability (A):

Unknown

Vendors

Linux

Products

Linux

References

Canonical

CVE-2024-26874 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26874)

Miscellaneous

https://git.kernel.org/stable/c/accdac6b71d5a2b84040c3d2234f53a60edc398e

https://git.kernel.org/stable/c/dfde84cc6c589f2a9f820f12426d97365670b731

https://git.kernel.org/stable/c/4688be96d20ffa49d2186523ee84f475f316fd49

https://git.kernel.org/stable/c/9beec711a17245b853d64488fd5b739031612340

https://git.kernel.org/stable/c/d2bd30c710475b2e29288827d2c91f9e6e2b91d7

https://git.kernel.org/stable/c/a3dd12b64ae8373a41a216a0b621df224210860a

https://git.kernel.org/stable/c/9acee29a38b4d4b70f1f583e5ef9a245db4db710

https://git.kernel.org/stable/c/3fc88b246a2fc16014e374040fc15af1d3752535

https://git.kernel.org/stable/c/c958e86e9cc1b48cac004a6e245154dfba8e163b

https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html

Rapid7

Technical Analysis