CVE-2024-43901 in Linux
Summary
by MITRE • 08/26/2024
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix NULL pointer dereference for DTN log in DCN401
When users run the command:
cat /sys/kernel/debug/dri/0/amdgpu_dm_dtn_log
The following NULL pointer dereference happens:
[ +0.000003] BUG: kernel NULL pointer dereference, address: NULL
[ +0.000005] #PF: supervisor instruction fetch in kernel mode
[ +0.000002] #PF: error_code(0x0010) - not-present page
[ +0.000002] PGD 0 P4D 0
[ +0.000004] Oops: 0010 [#1] PREEMPT SMP NOPTI
[ +0.000003] RIP: 0010:0x0
[ +0.000008] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[...]
[ +0.000002] PKRU: 55555554
[ +0.000002] Call Trace:
[ +0.000002]
[ +0.000003] ? show_regs+0x65/0x70
[ +0.000006] ? __die+0x24/0x70
[ +0.000004] ? page_fault_oops+0x160/0x470
[ +0.000006] ? do_user_addr_fault+0x2b5/0x690
[ +0.000003] ? prb_read_valid+0x1c/0x30
[ +0.000005] ? exc_page_fault+0x8c/0x1a0
[ +0.000005] ? asm_exc_page_fault+0x27/0x30
[ +0.000012] dcn10_log_color_state+0xf9/0x510 [amdgpu]
[ +0.000306] ? srso_alias_return_thunk+0x5/0xfbef5
[ +0.000003] ? vsnprintf+0x2fb/0x600
[ +0.000009] dcn10_log_hw_state+0xfd0/0xfe0 [amdgpu]
[ +0.000218] ? __mod_memcg_lruvec_state+0xe8/0x170
[ +0.000008] ? srso_alias_return_thunk+0x5/0xfbef5
[ +0.000002] ? debug_smp_processor_id+0x17/0x20
[ +0.000003] ? srso_alias_return_thunk+0x5/0xfbef5
[ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5
[ +0.000002] ? set_ptes.isra.0+0x2b/0x90
[ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5
[ +0.000002] ? _raw_spin_unlock+0x19/0x40
[ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5
[ +0.000002] ? do_anonymous_page+0x337/0x700
[ +0.000004] dtn_log_read+0x82/0x120 [amdgpu]
[ +0.000207] full_proxy_read+0x66/0x90
[ +0.000007] vfs_read+0xb0/0x340
[ +0.000005] ? __count_memcg_events+0x79/0xe0
[ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5
[ +0.000003] ? count_memcg_events.constprop.0+0x1e/0x40
[ +0.000003] ? handle_mm_fault+0xb2/0x370
[ +0.000003] ksys_read+0x6b/0xf0
[ +0.000004] __x64_sys_read+0x19/0x20
[ +0.000003] do_syscall_64+0x60/0x130
[ +0.000004] entry_SYSCALL_64_after_hwframe+0x6e/0x76
[ +0.000003] RIP: 0033:0x7fdf32f147e2
[...]
This error happens when the color log tries to read the gamut remap information from DCN401 which is not initialized in the dcn401_dpp_funcs which leads to a null pointer dereference. This commit addresses this issue by adding a proper guard to access the gamut_remap callback in case the specific ASIC did not implement this function.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 08/28/2024
The vulnerability identified as CVE-2024-43901 represents a critical null pointer dereference issue within the Linux kernel's amdgpu driver, specifically affecting the display subsystem in DCN401 ASICs. This flaw manifests when users attempt to read diagnostic information from the system debug interface through the command cat /sys/kernel/debug/dri/0/amdgpu_dm_dtn_log, which triggers a kernel panic due to improper memory access handling. The issue stems from the drm/amd/display subsystem where the dtn_log_read function attempts to access a gamut remap callback that has not been initialized for DCN401 hardware, resulting in an immediate system crash with a NULL pointer dereference error. The kernel's page fault handler captures this error during supervisor instruction fetch, indicating that the system attempted to execute code from a null memory address, which is a classic symptom of improper pointer validation and uninitialized function pointers.
The technical root cause of this vulnerability lies in the absence of proper null pointer checks before accessing the gamut_remap callback function within the dcn401_dpp_funcs structure. When the dcn10_log_color_state function attempts to read gamut remap information from DCN401 hardware, it fails to verify whether the specific ASIC implementation has initialized this callback function, leading to direct dereference of a null pointer. This type of vulnerability is categorized under CWE-476 as a NULL Pointer Dereference, which occurs when a program attempts to access memory through a pointer that contains a null value. The error trace clearly shows the execution path leading from dtn_log_read through dcn10_log_hw_state to dcn10_log_color_state, where the actual null pointer dereference occurs, making this a clear example of improper error handling in kernel space code that should have been protected by conditional checks.
The operational impact of this vulnerability is significant as it allows for a denial of service condition that can crash the entire system when an unauthorized user or malicious actor attempts to access the debug interface. This represents a privilege escalation vector since it can be exploited without requiring elevated privileges, making it particularly dangerous in multi-user environments or systems where debug interfaces are accessible. The vulnerability directly maps to ATT&CK technique T1499.004 which covers "Domain Generation Algorithm" but more accurately aligns with T1068 "Exploitation for Privilege Escalation" and T1499 "Endpoint Denial of Service" as it can cause complete system crashes. The vulnerability affects systems running Linux kernel versions with the amdgpu driver and specifically those with DCN401 ASICs, making it relevant to modern AMD graphics hardware configurations including desktop and server environments where display debugging information is accessible.
The fix for this vulnerability involves implementing proper null pointer guards before accessing the gamut_remap callback function, ensuring that the code checks whether the specific ASIC implementation has initialized this function before attempting to use it. This defensive programming approach prevents the kernel from crashing when encountering uninitialized function pointers, which is a standard practice in kernel development to maintain system stability and prevent exploitation. The solution aligns with secure coding guidelines and best practices for kernel space development, where all function pointers must be validated before use. This fix represents a simple yet crucial validation mechanism that prevents the kernel from executing invalid memory operations, thus protecting the system from potential denial of service attacks and ensuring that the display subsystem remains stable even when accessing debug information from hardware that may not fully implement all available functions. The patch demonstrates proper error handling and defensive programming techniques that should be applied across kernel drivers to prevent similar issues in the future.