CVE-2024-36897 in Linuxinfo

Summary

by MITRE • 05/30/2024

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Atom Integrated System Info v2_2 for DCN35

New request from KMD/VBIOS in order to support new UMA carveout model. This fixes a null dereference from accessing Ctx->dc_bios->integrated_info while it was NULL.

DAL parses through the BIOS and extracts the necessary integrated_info but was missing a case for the new BIOS version 2.3.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 08/29/2025

The vulnerability CVE-2024-36897 represents a critical null pointer dereference issue within the Linux kernel's AMD display driver subsystem, specifically affecting the Display Driver Library (DAL) component responsible for parsing BIOS data structures. This flaw exists in the drm/amd/display subsystem where the kernel attempts to access the integrated_info structure through a context pointer that may remain uninitialized or null, leading to a potential system crash or denial of service condition. The vulnerability manifests when the kernel processes BIOS versions that include new integrated system information structures, particularly those implementing version 2.3 of the Atom Integrated System Info specification. The issue stems from incomplete support for newer BIOS formats that introduce changes to how UMA (Unified Memory Architecture) carveout models are defined and communicated to the display driver layer.

The technical implementation flaw occurs within the DAL parsing logic where the driver attempts to dereference a pointer to ctx->dc_bios->integrated_info without proper validation of whether the integrated_info structure has been successfully initialized. This null pointer dereference vulnerability (cwe-476) is classified under the broader category of improper null pointer dereference conditions that can lead to system instability and potential privilege escalation scenarios. The vulnerability specifically affects the DCN35 (Display Core Next 3.5) hardware generation support within the AMD display driver stack, where the kernel fails to handle the new BIOS version 2.3 format correctly. The missing case in the parsing logic prevents proper initialization of the integrated_info structure, causing the driver to attempt memory access on a null pointer when it encounters the new UMA carveout model definition.

The operational impact of this vulnerability extends beyond simple system crashes, potentially affecting device availability and stability in systems utilizing AMD graphics hardware with newer BIOS versions. When the kernel encounters a BIOS implementing version 2.3 of the Atom Integrated System Info, the display subsystem fails to initialize properly, resulting in a kernel oops or system panic that terminates the graphics driver functionality. This can lead to complete display functionality loss, forcing users to reboot the system and potentially impacting critical workloads that depend on consistent graphics processing. The vulnerability affects systems where the kernel attempts to parse BIOS information during boot or runtime display configuration, particularly in environments where AMD graphics hardware is actively utilized. Attackers could potentially exploit this condition to cause denial of service attacks against systems with AMD graphics hardware, though the direct privilege escalation potential is limited given the kernel context in which the flaw occurs.

Mitigation strategies for CVE-2024-36897 involve applying the patched kernel version that includes proper handling for BIOS version 2.3 and the new UMA carveout model specifications. System administrators should prioritize kernel updates from their respective distribution channels, as the fix typically involves adding proper validation checks before accessing the integrated_info structure and implementing appropriate fallback mechanisms for unknown BIOS versions. The fix addresses the underlying parsing logic by ensuring that when new BIOS versions are encountered, the driver properly initializes the integrated_info structure or gracefully handles the missing data. Additionally, implementing proper error handling and logging within the display driver subsystem can help identify systems affected by this vulnerability before they experience system instability. Organizations should also consider monitoring for systems running older kernel versions that may be vulnerable to this specific null pointer dereference condition, particularly in enterprise environments where AMD graphics hardware is deployed. The vulnerability resolution aligns with standard security practices for kernel-level memory safety and demonstrates the importance of maintaining up-to-date graphics driver support for evolving hardware specifications and firmware interfaces.

Reservation

05/30/2024

Disclosure

05/30/2024

Moderation

accepted

CPE

ready

EPSS

0.00227

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!