CVE-2024-42117 in Linux
Summary
by MITRE • 07/30/2024
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: ASSERT when failing to find index by plane/stream id
[WHY]
find_disp_cfg_idx_by_plane_id and find_disp_cfg_idx_by_stream_id returns an array index and they return -1 when not found; however, -1 is not a valid index number.
[HOW]
When this happens, call ASSERT(), and return a positive number (which is fewer than callers' array size) instead.
This fixes 4 OVERRUN and 2 NEGATIVE_RETURNS issues reported by Coverity.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 09/26/2025
The vulnerability described in CVE-2024-42117 resides within the AMD display driver component of the Linux kernel, specifically within the direct rendering manager subsystem that handles display configuration management. This issue manifests as an assertion failure when the system attempts to locate display configuration indices using plane or stream identifiers, creating a critical condition that could lead to system instability or denial of service. The root cause stems from a fundamental mismatch between expected return values and actual implementation logic, where the functions find_disp_cfg_idx_by_plane_id and find_disp_cfg_idx_by_stream_id are designed to return array indices but incorrectly return -1 when no matching configuration is found. This negative return value creates a problematic scenario because -1 cannot serve as a valid array index in the context where these functions are called, leading to undefined behavior and potential system crashes.
The technical flaw represents a classic buffer overrun condition classified under CWE-129, where improper validation of array indices leads to memory access violations. When these functions return -1 instead of a proper index, the calling code attempts to use this invalid value as an array subscript, resulting in either memory corruption or immediate system termination through assertion failures. The vulnerability also demonstrates characteristics of CWE-704, where function return values are not properly validated before use, and CWE-248, involving unexpected exceptions in the system. The Coverity analysis identified four overrun issues and two negative return issues, indicating this is not an isolated problem but a systemic design flaw in the display configuration management logic that affects multiple code paths within the AMD display driver subsystem.
The operational impact of this vulnerability extends beyond simple system instability to potentially compromise the entire display functionality on affected systems. When the assertion fails, the display subsystem may become completely non-functional, preventing users from accessing graphical interfaces or displaying content properly. This affects systems running Linux kernels with AMD graphics hardware, particularly those utilizing the AMD display driver framework for managing multiple display outputs and configurations. The vulnerability is particularly concerning in server environments or embedded systems where graphical interfaces are critical for system management or user interaction. The negative return values create a cascading effect where downstream components that depend on valid array indices fail, potentially leading to complete system lockups or requiring manual intervention to restore normal operation.
Mitigation strategies for this vulnerability should focus on immediate kernel updates that implement the fix described in the patch, which modifies the functions to return positive indices that are valid within the array bounds rather than -1. System administrators should prioritize applying the updated kernel versions that contain this fix, particularly in production environments where display stability is critical. The fix involves implementing proper validation logic that ensures returned values are always within acceptable array index ranges, typically by returning a specific sentinel value that is less than the array size but greater than zero. Additionally, organizations should implement monitoring systems to detect assertion failures in display subsystems and establish incident response procedures for handling such critical failures. The solution aligns with ATT&CK technique T1486, which involves data destruction through system instability, by preventing the conditions that could lead to system crashes and ensuring proper error handling mechanisms are in place to maintain system availability and stability.