Google Git
Sign in
kernel / pub / scm / linux / security / vulns / cf92e380cdaeb80bc92114fcc6272afa4974b129
commitcf92e380cdaeb80bc92114fcc6272afa4974b129[log] [tgz]
authorSasha Levin <sashal@kernel.org>Mon Jun 09 08:33:19 2025 -0400
committerSasha Levin <sashal@kernel.org>Mon Jun 09 08:33:19 2025 -0400
tree3c113a39b2c6b313c2a5620b86ce55eb15a871d1
parentc5ae3a292d25bd6b8440dd9d3e728cc2595cacb3 [diff]
CVE-2024-42122: Add .vulnerable file

The issue fixed by commit 8e65a1b7118acf6af96449e1e66b7adbc9396912 is
missing NULL pointer checks after memory allocation calls (kzalloc and
dm_helpers_allocate_gpu_mem). These missing checks were introduced by
multiple commits over the span of 2020-2022 when adding support for
various DCN (Display Core Next) hardware blocks.

Timeline and Root Causes:

1. Commit 4d55b0dd1cdd8 (May 21, 2020) - "drm/amd/display: Add DCN3
   CLK_MGR"
   - Introduced: Missing NULL check for clk_mgr->base.bw_params =
     kzalloc(...) in dcn3_clk_mgr_construct()
   - Author: Bhawanpreet Lakha

2. Commit 5dba4991fd338 (May 21, 2020) - "drm/amd/display: Add DCN3
   Resource"
   - Introduced: Missing NULL check for pipes = kzalloc(...) in
     dcn30_validate_bandwidth()
   - Author: Bhawanpreet Lakha

3. Commit dd827a489c955 (June 15, 2020) - "drm/amd/display: Preserve
   gpu memory allocation for life of dc"
   - Introduced: Missing NULL check for clk_mgr->wm_range_table =
     dm_helpers_allocate_gpu_mem(...) in dcn3_clk_mgr_construct()
   - Author: Joshua Aberback

4. Commit 3bc8d9214679c (August 3, 2021) - "drm/amd/display: Add DP 2.0
   HPO Link Encoder"
   - Introduced: Missing NULL check for hpo_dp_enc31 = kzalloc(...) in
     dcn31_hpo_dp_link_encoder_create()
   - Author: Fangzhi Zuo

5. Commit 265280b99822e (February 21, 2022) - "drm/amd/display: add
   CLKMGR changes for DCN32/321"
   - Introduced: Missing NULL checks for both clk_mgr->base.bw_params
     and clk_mgr->wm_range_table allocations in
     dcn32_clk_mgr_construct()
   - Author: Aurabindo Pillai

The fundamental issue is a violation of basic defensive programming
practices. When dynamic memory allocation functions like kzalloc() or
dm_helpers_allocate_gpu_mem() are called, they can fail and return NULL
if:
- The system is out of memory
- The requested size is too large
- Memory fragmentation prevents allocation

Without NULL checks, the code would dereference these NULL pointers,
leading to:
1. Kernel panics/crashes - Dereferencing NULL in kernel space typically
   causes a system crash
2. Security vulnerabilities - Potential for exploitation if the NULL
   dereference can be controlled
3. System instability - Even if not immediately crashing, corruption
   could occur

The pattern shows this was a systemic issue in the AMD display driver
development process where memory allocation error handling was
consistently overlooked when adding new hardware support. The issue
persisted across multiple developers and over nearly 2 years before
being comprehensively fixed.

Signed-off-by: Sasha Levin <sashal@kernel.org>
1 file changed
tree: 3c113a39b2c6b313c2a5620b86ce55eb15a871d1
  1. cve/
  2. form_letters/
  3. git_hooks/
  4. gsd/
  5. LICENSES/
  6. scripts/
  7. tmp/
  8. tools/
  9. .gitignore
  10. .gitmodules
  11. HOWTO
  12. justfile
  13. README