cve/published/2024/CVE-2024-47720.mbox

From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-47720: drm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func

This commit adds a null check for the set_output_gamma function pointer
in the  dcn30_set_output_transfer_func function. Previously,
set_output_gamma was being checked for nullity at line 386, but then it
was being dereferenced without any nullity check at line 401. This
could potentially lead to a null pointer dereference error if
set_output_gamma is indeed null.

To fix this, we now ensure that set_output_gamma is not null before
dereferencing it. We do this by adding a nullity check for
set_output_gamma before the call to set_output_gamma at line 401. If
set_output_gamma is null, we log an error message and do not call the
function.

This fix prevents a potential null pointer dereference error.

drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 dcn30_set_output_transfer_func()
error: we previously assumed 'mpc->funcs->set_output_gamma' could be null (see line 386)

drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c
    373 bool dcn30_set_output_transfer_func(struct dc *dc,
    374                                 struct pipe_ctx *pipe_ctx,
    375                                 const struct dc_stream_state *stream)
    376 {
    377         int mpcc_id = pipe_ctx->plane_res.hubp->inst;
    378         struct mpc *mpc = pipe_ctx->stream_res.opp->ctx->dc->res_pool->mpc;
    379         const struct pwl_params *params = NULL;
    380         bool ret = false;
    381
    382         /* program OGAM or 3DLUT only for the top pipe*/
    383         if (pipe_ctx->top_pipe == NULL) {
    384                 /*program rmu shaper and 3dlut in MPC*/
    385                 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream);
    386                 if (ret == false && mpc->funcs->set_output_gamma) {
                                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this is NULL

    387                         if (stream->out_transfer_func.type == TF_TYPE_HWPWL)
    388                                 params = &stream->out_transfer_func.pwl;
    389                         else if (pipe_ctx->stream->out_transfer_func.type ==
    390                                         TF_TYPE_DISTRIBUTED_POINTS &&
    391                                         cm3_helper_translate_curve_to_hw_format(
    392                                         &stream->out_transfer_func,
    393                                         &mpc->blender_params, false))
    394                                 params = &mpc->blender_params;
    395                          /* there are no ROM LUTs in OUTGAM */
    396                         if (stream->out_transfer_func.type == TF_TYPE_PREDEFINED)
    397                                 BREAK_TO_DEBUGGER();
    398                 }
    399         }
    400
--> 401         mpc->funcs->set_output_gamma(mpc, mpcc_id, params);
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Then it will crash

    402         return ret;
    403 }

The Linux kernel CVE team has assigned CVE-2024-47720 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.9 with commit d99f13878d6f9c286b13860d8bf0b4db9ffb189a and fixed in 5.15.168 with commit 44948d3cb943602ba4a0b5ed3c91ae0525838fb1
	Issue introduced in 5.9 with commit d99f13878d6f9c286b13860d8bf0b4db9ffb189a and fixed in 6.1.113 with commit 64886a4e6f1dce843c0889505cf0673b5211e16a
	Issue introduced in 5.9 with commit d99f13878d6f9c286b13860d8bf0b4db9ffb189a and fixed in 6.6.54 with commit ddf9ff244d704e1903533f7be377615ed34b83e7
	Issue introduced in 5.9 with commit d99f13878d6f9c286b13860d8bf0b4db9ffb189a and fixed in 6.10.13 with commit 84edd5a3f5fa6aafa4afcaf9f101f46426c620c9
	Issue introduced in 5.9 with commit d99f13878d6f9c286b13860d8bf0b4db9ffb189a and fixed in 6.11.2 with commit 72ee32d0907364104fbcf4f68dd5ae63cd8eae9e
	Issue introduced in 5.9 with commit d99f13878d6f9c286b13860d8bf0b4db9ffb189a and fixed in 6.12 with commit 08ae395ea22fb3d9b318c8bde28c0dfd2f5fa4d2

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-47720
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/gpu/drm/amd/display/dc/hwss/dcn30/dcn30_hwseq.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/44948d3cb943602ba4a0b5ed3c91ae0525838fb1
	https://git.kernel.org/stable/c/64886a4e6f1dce843c0889505cf0673b5211e16a
	https://git.kernel.org/stable/c/ddf9ff244d704e1903533f7be377615ed34b83e7
	https://git.kernel.org/stable/c/84edd5a3f5fa6aafa4afcaf9f101f46426c620c9
	https://git.kernel.org/stable/c/72ee32d0907364104fbcf4f68dd5ae63cd8eae9e
	https://git.kernel.org/stable/c/08ae395ea22fb3d9b318c8bde28c0dfd2f5fa4d2