CVE-2024-47720

{"id": "CVE-2024-47720", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-10-21T12:15:08.240", "references": [{"url": "https://git.kernel.org/stable/c/08ae395ea22fb3d9b318c8bde28c0dfd2f5fa4d2", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/44948d3cb943602ba4a0b5ed3c91ae0525838fb1", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/64886a4e6f1dce843c0889505cf0673b5211e16a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/72ee32d0907364104fbcf4f68dd5ae63cd8eae9e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/84edd5a3f5fa6aafa4afcaf9f101f46426c620c9", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ddf9ff244d704e1903533f7be377615ed34b83e7", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func\n\nThis commit adds a null check for the set_output_gamma function pointer\nin the dcn30_set_output_transfer_func function. Previously,\nset_output_gamma was being checked for nullity at line 386, but then it\nwas being dereferenced without any nullity check at line 401. This\ncould potentially lead to a null pointer dereference error if\nset_output_gamma is indeed null.\n\nTo fix this, we now ensure that set_output_gamma is not null before\ndereferencing it. We do this by adding a nullity check for\nset_output_gamma before the call to set_output_gamma at line 401. If\nset_output_gamma is null, we log an error message and do not call the\nfunction.\n\nThis fix prevents a potential null pointer dereference error.\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 dcn30_set_output_transfer_func()\nerror: we previously assumed 'mpc->funcs->set_output_gamma' could be null (see line 386)\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c\n 373 bool dcn30_set_output_transfer_func(struct dc *dc,\n 374 struct pipe_ctx *pipe_ctx,\n 375 const struct dc_stream_state *stream)\n 376 {\n 377 int mpcc_id = pipe_ctx->plane_res.hubp->inst;\n 378 struct mpc *mpc = pipe_ctx->stream_res.opp->ctx->dc->res_pool->mpc;\n 379 const struct pwl_params *params = NULL;\n 380 bool ret = false;\n 381\n 382 /* program OGAM or 3DLUT only for the top pipe*/\n 383 if (pipe_ctx->top_pipe == NULL) {\n 384 /*program rmu shaper and 3dlut in MPC*/\n 385 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream);\n 386 if (ret == false && mpc->funcs->set_output_gamma) {\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this is NULL\n\n 387 if (stream->out_transfer_func.type == TF_TYPE_HWPWL)\n 388 params = &stream->out_transfer_func.pwl;\n 389 else if (pipe_ctx->stream->out_transfer_func.type ==\n 390 TF_TYPE_DISTRIBUTED_POINTS &&\n 391 cm3_helper_translate_curve_to_hw_format(\n 392 &stream->out_transfer_func,\n 393 &mpc->blender_params, false))\n 394 params = &mpc->blender_params;\n 395 /* there are no ROM LUTs in OUTGAM */\n 396 if (stream->out_transfer_func.type == TF_TYPE_PREDEFINED)\n 397 BREAK_TO_DEBUGGER();\n 398 }\n 399 }\n 400\n--> 401 mpc->funcs->set_output_gamma(mpc, mpcc_id, params);\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Then it will crash\n\n 402 return ret;\n 403 }"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/amd/display: Agregar comprobaci\u00f3n nula para set_output_gamma en dcn30_set_output_transfer_func Esta confirmaci\u00f3n agrega una comprobaci\u00f3n nula para el puntero de funci\u00f3n set_output_gamma en la funci\u00f3n dcn30_set_output_transfer_func. Anteriormente, se estaba comprobando la nulidad de set_output_gamma en la l\u00ednea 386, pero luego se estaba desreferenciando sin ninguna comprobaci\u00f3n de nulidad en la l\u00ednea 401. Esto podr\u00eda conducir potencialmente a un error de desreferencia de puntero nulo si set_output_gamma es de hecho nulo. Para solucionar esto, ahora nos aseguramos de que set_output_gamma no sea nulo antes de desreferenciarlo. Hacemos esto agregando una comprobaci\u00f3n de nulidad para set_output_gamma antes de la llamada a set_output_gamma en la l\u00ednea 401. Si set_output_gamma es nulo, registramos un mensaje de error y no llamamos a la funci\u00f3n. Esta correcci\u00f3n evita un posible error de desreferencia de puntero nulo. drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 error de dcn30_set_output_transfer_func(): anteriormente asumimos que 'mpc->funcs->set_output_gamma' podr\u00eda ser nulo (ver l\u00ednea 386) drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c 373 bool dcn30_set_output_transfer_func(struct dc *dc, 374 struct pipe_ctx *pipe_ctx, 375 const struct dc_stream_state *stream) 376 { 377 int mpcc_id = pipe_ctx->plane_res.hubp->inst; 378 struct mpc *mpc = pipe_ctx->stream_res.opp->ctx->dc->res_pool->mpc; 379 const struct pwl_params *params = NULL; 380 bool ret = false; 381 382 /* programa OGAM o 3DLUT solo para la tuber\u00eda superior*/ 383 if (pipe_ctx->top_pipe == NULL) { 384 /*programa rmu shaper y 3dlut en MPC*/ 385 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream); 386 si (ret == falso && mpc->funcs->set_output_gamma) { ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Si esto es NULL 387 si (flujo->out_transfer_func.type == TF_TYPE_HWPWL) 388 par\u00e1metros = &flujo->out_transfer_func.pwl; 389 de lo contrario si (pipe_ctx->flujo->out_transfer_func.type == 390 TF_TYPE_DISTRIBUTED_POINTS && 391 cm3_helper_translate_curve_to_hw_format( 392 &flujo->out_transfer_func, 393 &mpc->blender_params, falso)) 394 par\u00e1metros = &mpc->blender_params; 395 /* no hay LUT de ROM en OUTGAM */ 396 if (stream->out_transfer_func.type == TF_TYPE_PREDEFINED) 397 BREAK_TO_DEBUGGER(); 398 } 399 } 400 --> 401 mpc->funcs->set_output_gamma(mpc, mpcc_id, params); ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Entonces se bloquear\u00e1 402 return ret; 403 }"}], "lastModified": "2024-10-23T20:53:54.150", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "643E292D-C242-4FEC-8A11-034AB46708C1", "versionEndExcluding": "5.15.168", "versionStartIncluding": "5.9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D01BD22E-ACD1-4618-9D01-6116570BE1EE", "versionEndExcluding": "6.1.113", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D448821D-C085-4CAF-88FA-2DDE7BE21976", "versionEndExcluding": "6.6.54", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CE94BB8D-B0AB-4563-9ED7-A12122B56EBE", "versionEndExcluding": "6.10.13", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AB755D26-97F4-43B6-8604-CD076811E181", "versionEndExcluding": "6.11.2", "versionStartIncluding": "6.11"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}