CVE-2024-47720

Summary

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func

This commit adds a null check for the set_output_gamma function pointer in the dcn30_set_output_transfer_func function. Previously, set_output_gamma was being checked for nullity at line 386, but then it was being dereferenced without any nullity check at line 401. This could potentially lead to a null pointer dereference error if set_output_gamma is indeed null.

To fix this, we now ensure that set_output_gamma is not null before dereferencing it. We do this by adding a nullity check for set_output_gamma before the call to set_output_gamma at line 401. If set_output_gamma is null, we log an error message and do not call the function.

This fix prevents a potential null pointer dereference error.

drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 dcn30_set_output_transfer_func() error: we previously assumed 'mpc->funcs->set_output_gamma' could be null (see line 386)

drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c 373 bool dcn30_set_output_transfer_func(struct dc *dc, 374 struct pipe_ctx *pipe_ctx, 375 const struct dc_stream_state *stream) 376 { 377 int mpcc_id = pipe_ctx->plane_res.hubp->inst; 378 struct mpc mpc = pipe_ctx->stream_res.opp->ctx->dc->res_pool->mpc; 379 const struct pwl_params params = NULL; 380 bool ret = false; 381 382 / program OGAM or 3DLUT only for the top pipe/ 383 if (pipe_ctx->top_pipe == NULL) { 384 /program rmu shaper and 3dlut in MPC/ 385 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream); 386 if (ret == false && mpc->funcs->set_output_gamma) { ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this is NULL

387                         if (stream->out_transfer_func.type == TF_TYPE_HWPWL)
388                                 params = &stream->out_transfer_func.pwl;
389                         else if (pipe_ctx->stream->out_transfer_func.type ==
390                                         TF_TYPE_DISTRIBUTED_POINTS &&
391                                         cm3_helper_translate_curve_to_hw_format(
392                                         &stream->out_transfer_func,
393                                         &mpc->blender_params, false))
394                                 params = &mpc->blender_params;
395                          /* there are no ROM LUTs in OUTGAM */
396                         if (stream->out_transfer_func.type == TF_TYPE_PREDEFINED)
397                                 BREAK_TO_DEBUGGER();
398                 }
399         }
400

–> 401 mpc->funcs->set_output_gamma(mpc, mpcc_id, params); ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Then it will crash

402         return ret;
403 }

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxd99f13878d6f9c286b13860d8bf0b4db9ffb189a < 44948d3cb943602ba4a0b5ed3c91ae0525838fb1affected
LinuxLinuxd99f13878d6f9c286b13860d8bf0b4db9ffb189a < 64886a4e6f1dce843c0889505cf0673b5211e16aaffected
LinuxLinuxd99f13878d6f9c286b13860d8bf0b4db9ffb189a < ddf9ff244d704e1903533f7be377615ed34b83e7affected
LinuxLinuxd99f13878d6f9c286b13860d8bf0b4db9ffb189a < 84edd5a3f5fa6aafa4afcaf9f101f46426c620c9affected
LinuxLinuxd99f13878d6f9c286b13860d8bf0b4db9ffb189a < 72ee32d0907364104fbcf4f68dd5ae63cd8eae9eaffected
LinuxLinuxd99f13878d6f9c286b13860d8bf0b4db9ffb189a < 08ae395ea22fb3d9b318c8bde28c0dfd2f5fa4d2affected
LinuxLinux5.9affected
LinuxLinux0 < 5.9unaffected
LinuxLinux5.15.168 <= 5.15.*unaffected
LinuxLinux6.1.113 <= 6.1.*unaffected
LinuxLinux6.6.54 <= 6.6.*unaffected
LinuxLinux6.10.13 <= 6.10.*unaffected
LinuxLinux6.11.2 <= 6.11.*unaffected
LinuxLinux6.12 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References