CVE-2024-49922: Add .vulnerable file

The commit 1ff12bcd7deae fixes three null pointer dereference issues
that were introduced at different times:

1. **dm_state null dereference in create_validate_stream_for_sink**

Root cause commit: cbd14ae7ea934 (2020-04-30) - "drm/amd/display: Fix
incorrectly pruned modes with deep color"

This commit introduced the create_validate_stream_for_sink function
which was called from amdgpu_dm_connector_mode_valid with NULL for the
dm_state parameter.

However, commit abdd2768d763 (2024-10-17) - "drm/amd/display: Prune
Invalid Modes For HDMI Output" introduced code that dereferenced
aconnector->dc_link after the dm_state null check but without
considering that when dm_state is NULL, the function should return
early. The bug was that this code was executed even when dm_state was
NULL, but the function continued to use dm_state later without checking,
causing a null pointer dereference.

2. **acrtc null dereference in amdgpu_dm_commit_streams**

Root cause commit: f872e2f5f0be (2023-12-01) - "drm/amd/display: Add
writeback enable field (wb_enabled)"

This commit added code that accessed acrtc->wb_enabled without checking
if acrtc is NULL. The code gets acrtc from get_crtc_by_otg_inst which
can return NULL if no CRTC matches the OTG instance.

3. **aconnector->dc_link null dereference in
amdgpu_dm_atomic_commit_tail**

Root cause commit: e8fd3eeb5e87 (2022-11-15) - "drm/amd/display: phase3
mst hdcp for multiple displays"

This commit changed from using helper functions to directly calling
hdcp_update_display with aconnector->dc_link->link_index. The bug is
that aconnector->dc_link can be NULL in certain scenarios (e.g., when a
display is disconnected), but the code didn't check for this before
dereferencing dc_link->link_index.

The root causes are:

- abdd2768d763 (2024-10-17) - Introduced the dm_state null pointer
  dereference by adding code that uses dm_state without proper null
  checking
- f872e2f5f0be (2023-12-01) - Introduced the acrtc null pointer
  dereference by accessing wb_enabled without checking if acrtc is NULL
- e8fd3eeb5e87 (2022-11-15) - Introduced the dc_link null pointer
  dereference by directly accessing link_index without checking if
  dc_link is NULL

These bugs were all cases where pointer validation was incomplete - the
developers assumed certain pointers would always be valid but didn't
account for edge cases in the display pipeline where these assumptions
don't hold.
Signed-off-by: Sasha Levin <sashal@kernel.org>
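Added illustration (not part of the commit message and not the amdgpu driver's code): a toy C model of the second case above, where a lookup by OTG instance can return NULL and the result is dereferenced without a check. The struct, table and function names are hypothetical stand-ins for the driver's amdgpu_crtc and get_crtc_by_otg_inst.

```c
/* Toy model of the acrtc lookup from case 2. Everything here is a
 * constructed stand-in; it is not the driver's own code. */
#include <stddef.h>
#include <stdbool.h>

struct toy_crtc {
    int otg_inst;       /* which output timing generator drives this CRTC */
    bool wb_enabled;    /* writeback enable flag, as in the real driver */
};

/* Constructed table: CRTCs exist for OTG 0 and 1; OTG 2 has no CRTC. */
static struct toy_crtc crtcs[] = {
    { .otg_inst = 0, .wb_enabled = false },
    { .otg_inst = 1, .wb_enabled = true  },
};
#define NUM_CRTCS (sizeof(crtcs) / sizeof(crtcs[0]))

/* Mirrors the contract described in the commit message: returns NULL
 * when no CRTC matches the requested OTG instance. */
static struct toy_crtc *toy_get_crtc_by_otg_inst(int otg_inst)
{
    for (size_t i = 0; i < NUM_CRTCS; i++)
        if (crtcs[i].otg_inst == otg_inst)
            return &crtcs[i];
    return NULL;
}

/* Unguarded access pattern: the lookup result is dereferenced without a
 * NULL check. Only safe to call for an OTG instance that has a CRTC;
 * kept here to show the defect beside the fix. */
static bool wb_enabled_unchecked(int otg_inst)
{
    struct toy_crtc *acrtc = toy_get_crtc_by_otg_inst(otg_inst);
    return acrtc->wb_enabled;   /* NULL deref when otg_inst has no CRTC */
}

/* Hardened form: validates the pointer and reports the miss to the caller
 * instead of faulting. Returns 0 on success, -1 when no CRTC matches. */
static int wb_enabled_checked(int otg_inst, bool *out)
{
    struct toy_crtc *acrtc = toy_get_crtc_by_otg_inst(otg_inst);
    if (!acrtc)
        return -1;
    *out = acrtc->wb_enabled;
    return 0;
}
```

The hardened variant turns the silent assumption "a CRTC always exists for this OTG instance" into an explicit error path, which is the shape of the fix the commit message describes for all three cases.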