Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local
0

CVE-2024-47720

Disclosure Date: October 21, 2024
CVE-2024-47720 CVSS v3 Base Score: 5.5
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func

This commit adds a null check for the set_output_gamma function pointer
in the dcn30_set_output_transfer_func function. Previously,
set_output_gamma was being checked for nullity at line 386, but then it
was being dereferenced without any nullity check at line 401. This
could potentially lead to a null pointer dereference error if
set_output_gamma is indeed null.

To fix this, we now ensure that set_output_gamma is not null before
dereferencing it. We do this by adding a nullity check for
set_output_gamma before the call to set_output_gamma at line 401. If
set_output_gamma is null, we log an error message and do not call the
function.

This fix prevents a potential null pointer dereference error.

drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 dcn30_set_output_transfer_func()
error: we previously assumed ‘mpc->funcs->set_output_gamma’ could be null (see line 386)

drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c

373 bool dcn30_set_output_transfer_func(struct dc *dc,
374                                 struct pipe_ctx *pipe_ctx,
375                                 const struct dc_stream_state *stream)
376 {
377         int mpcc_id = pipe_ctx->plane_res.hubp->inst;
378         struct mpc *mpc = pipe_ctx->stream_res.opp->ctx->dc->res_pool->mpc;
379         const struct pwl_params *params = NULL;
380         bool ret = false;
381
382         /* program OGAM or 3DLUT only for the top pipe*/
383         if (pipe_ctx->top_pipe == NULL) {
384                 /*program rmu shaper and 3dlut in MPC*/
385                 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream);
386                 if (ret == false && mpc->funcs->set_output_gamma) {
                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this is NULL

387                         if (stream->out_transfer_func.type == TF_TYPE_HWPWL)
388                                 params = &stream->out_transfer_func.pwl;
389                         else if (pipe_ctx->stream->out_transfer_func.type ==
390                                         TF_TYPE_DISTRIBUTED_POINTS &&
391                                         cm3_helper_translate_curve_to_hw_format(
392                                         &stream->out_transfer_func,
393                                         &mpc->blender_params, false))
394                                 params = &mpc->blender_params;
395                          /* there are no ROM LUTs in OUTGAM */
396                         if (stream->out_transfer_func.type == TF_TYPE_PREDEFINED)
397                                 BREAK_TO_DEBUGGER();
398                 }
399         }
400

—> 401 mpc->funcs->set_output_gamma(mpc, mpcc_id, params);

            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Then it will crash

402         return ret;
403 }

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
5.5 Medium
Impact Score:
3.6
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
None
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Linux 44948d3cb943
Linux not down converted
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • linux

Products

  • linux kernel
Technical Analysis