CVE-2024-47720 in Linux
Summary
by MITRE • 10/21/2024
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func
This commit adds a null check for the set_output_gamma function pointer in the dcn30_set_output_transfer_func function. Previously, set_output_gamma was being checked for nullity at line 386, but then it was being dereferenced without any nullity check at line 401. This could potentially lead to a null pointer dereference error if set_output_gamma is indeed null.
To fix this, we now ensure that set_output_gamma is not null before dereferencing it. We do this by adding a nullity check for set_output_gamma before the call to set_output_gamma at line 401. If set_output_gamma is null, we log an error message and do not call the function.
This fix prevents a potential null pointer dereference error.
drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 dcn30_set_output_transfer_func() error: we previously assumed 'mpc->funcs->set_output_gamma' could be null (see line 386)
drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c
    373 bool dcn30_set_output_transfer_func(struct dc *dc,
    374                                 struct pipe_ctx *pipe_ctx,
    375                                 const struct dc_stream_state *stream)
    376 {
    377         int mpcc_id = pipe_ctx->plane_res.hubp->inst;
    378         struct mpc *mpc = pipe_ctx->stream_res.opp->ctx->dc->res_pool->mpc;
    379         const struct pwl_params *params = NULL;
    380         bool ret = false;
    381
    382         /* program OGAM or 3DLUT only for the top pipe*/
    383         if (pipe_ctx->top_pipe == NULL) {
    384                 /*program rmu shaper and 3dlut in MPC*/
    385                 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream);
    386                 if (ret == false && mpc->funcs->set_output_gamma) {
                                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this is NULL
    387                         if (stream->out_transfer_func.type == TF_TYPE_HWPWL)
    388                                 params = &stream->out_transfer_func.pwl;
    389                         else if (pipe_ctx->stream->out_transfer_func.type ==
    390                                         TF_TYPE_DISTRIBUTED_POINTS &&
    391                                         cm3_helper_translate_curve_to_hw_format(
    392                                         &stream->out_transfer_func,
    393                                         &mpc->blender_params, false))
    394                                 params = &mpc->blender_params;
    395                          /* there are no ROM LUTs in OUTGAM */
    396                         if (stream->out_transfer_func.type == TF_TYPE_PREDEFINED)
    397                                 BREAK_TO_DEBUGGER();
    398                 }
    399         }
    400
--> 401         mpc->funcs->set_output_gamma(mpc, mpcc_id, params);
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Then it will crash
    402         return ret;
    403 }
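The control flow of the listing, reduced to a userspace model with the call-site guard the commit message describes. This is an added example, not the kernel's code: the struct layouts, `record_gamma`, the two `bool` parameters and the log text are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace stand-ins for the driver types: simplified assumptions, not kernel definitions. */
struct pwl_params { int unused; };
struct mpc;
struct mpc_funcs {
    /* Optional hook: left NULL when a hardware block does not implement it. */
    void (*set_output_gamma)(struct mpc *mpc, int mpcc_id, const struct pwl_params *params);
};
struct mpc {
    const struct mpc_funcs *funcs;
    struct pwl_params blender_params;
    const struct pwl_params *last_params; /* what the hook last received */
    int calls;                            /* how often the hook ran */
};
static void record_gamma(struct mpc *mpc, int mpcc_id, const struct pwl_params *params)
{
    (void)mpcc_id;
    mpc->last_params = params;
    mpc->calls++;
}
const struct mpc_funcs with_hook = { .set_output_gamma = record_gamma };
const struct mpc_funcs without_hook = { .set_output_gamma = NULL };

/* Control flow of the listing: is_top_pipe models top_pipe == NULL,
 * shaper_ok models the return value of dcn30_set_mpc_shaper_3dlut(). */
bool set_output_transfer_func(struct mpc *mpc, int mpcc_id, bool is_top_pipe, bool shaper_ok)
{
    const struct pwl_params *params = NULL;
    bool ret = false;
    if (is_top_pipe) {
        ret = shaper_ok;
        /* Guard at line 386: protects only the params selection. */
        if (ret == false && mpc->funcs->set_output_gamma)
            params = &mpc->blender_params;
    }
    /* Guard at the call site (the fix): this call is reached on every path. */
    if (mpc->funcs->set_output_gamma)
        mpc->funcs->set_output_gamma(mpc, mpcc_id, params);
    else
        fprintf(stderr, "%s: set_output_gamma is NULL, call skipped\n", __func__);
    return ret;
}

int main(void)
{
    struct mpc m = { .funcs = &without_hook };
    return set_output_transfer_func(&m, 0, false, false) ? 1 : 0; /* exits 0, no crash */
}
```

For a non-top pipe, or when the shaper step succeeds, the line 386 check is never evaluated, so the call-site guard is the only thing between a NULL hook and the call.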
Analysis
by VulDB Data Team • 01/19/2026
The vulnerability identified as CVE-2024-47720 resides within the Linux kernel's AMD display driver component, specifically within the dcn30_set_output_transfer_func function in the file dcn30_hwseq.c. This flaw represents a classic null pointer dereference issue that can lead to system instability and potential denial of service conditions. The vulnerability manifests when the set_output_gamma function pointer, which is part of the mpc (Multi-Purpose Controller) structure, is not properly validated before being invoked. According to the Common Weakness Enumeration standard CWE-476, this corresponds to a null pointer dereference, a well-known weakness that can result in system crashes or unauthorized access to system resources. The issue is particularly significant within the graphics subsystem where improper handling of function pointers can compromise display functionality and overall system integrity.
The technical flaw occurs due to an inconsistent null check pattern within the function logic. At line 386, the code correctly verifies that mpc->funcs->set_output_gamma is not null before proceeding with certain conditional logic, but this validation is not maintained when the function pointer is actually invoked at line 401. This creates a window where a null function pointer can be dereferenced, leading to a kernel panic or system crash. The function attempts to call mpc->funcs->set_output_gamma without revalidating the pointer, which directly violates proper defensive programming practices and can be exploited by malicious actors to cause system instability. The Advanced Threat Protection framework (ATT&CK) categorizes such issues under T1499.004, which deals with network denial of service, and T1547.001, covering registry run keys and startup folder, since a successful exploitation could lead to system-wide display failures and potential boot process disruptions.
The operational impact of this vulnerability extends beyond simple system crashes, affecting the reliability of graphics processing in systems utilizing AMD GPUs. When the null pointer dereference occurs during display output transfer function setup, it can cause the entire graphics subsystem to become unresponsive, leading to complete display failures or requiring system reboot. This is particularly concerning in server environments or embedded systems where display output is critical for system monitoring and management. The vulnerability affects all systems running Linux kernels with AMD GPU support, particularly those using the DCN3.0 hardware support layer, and could potentially be leveraged to achieve persistent denial of service conditions that would require manual intervention to resolve. The error condition occurs during normal display operations when the kernel attempts to configure gamma correction parameters for output streams, making it a high-risk issue for systems with active display workloads.
Mitigation strategies for this vulnerability should focus on immediate kernel updates that incorporate the null pointer validation fix. System administrators should prioritize applying the patched kernel version that includes the corrected validation logic, which ensures that set_output_gamma is checked for nullity before invocation. Additionally, implementing runtime monitoring of kernel logs for null pointer dereference errors can help detect potential exploitation attempts. The fix, as implemented in the patch, introduces a redundant null check that prevents the function call from proceeding if the pointer is null, thereby avoiding the kernel panic. Organizations should also consider implementing system hardening measures such as disabling unnecessary display functions when not in use and maintaining regular kernel update schedules. The solution aligns with security best practices outlined in the Common Criteria and ISO/IEC 27001 standards for secure system design, where proper input validation and defensive programming techniques are mandatory for preventing such critical vulnerabilities in kernel-level components.
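One way to implement the kernel-log monitoring mentioned above, as an added example that is not part of the original page. It assumes the usual x86-64 oops text layout; the sample log, including its timestamps, offsets and the unrelated second report, is constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample in x86-64 oops layout: timestamps, addresses, offsets
 * and the second, unrelated report are made up for this example. */
static const char SAMPLE_LOG[] =
    "[  245.310442] BUG: kernel NULL pointer dereference, address: 0000000000000000\n"
    "[  245.310460] #PF: supervisor instruction fetch in kernel mode\n"
    "[  245.310499] RIP: 0010:0x0\n"
    "[  245.310530] Call Trace:\n"
    "[  245.310541]  dcn30_set_output_transfer_func+0x1a4/0x2b0 [amdgpu]\n"
    "[  245.310702] ---[ end trace 0000000000000000 ]---\n"
    "[  900.000100] BUG: kernel NULL pointer dereference, address: 0000000000000010\n"
    "[  900.000140] RIP: 0010:example_other_func+0x12/0x40 [example_mod]\n"
    "[  900.000200] ---[ end trace 0000000000000000 ]---\n";

/* Count oops reports (BUG line up to "end trace") whose text names `symbol`. */
int count_null_deref_reports(const char *log, const char *symbol)
{
    bool in_report = false, counted = false;
    int hits = 0;

    for (const char *line = log; *line; ) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[512];
        snprintf(buf, sizeof(buf), "%.*s", (int)len, line); /* one line, truncated if long */

        if (strstr(buf, "BUG: kernel NULL pointer dereference")) {
            in_report = true;   /* a new report starts */
            counted = false;
        } else if (in_report && strstr(buf, "---[ end trace")) {
            in_report = false;  /* report finished */
        } else if (in_report && !counted && strstr(buf, symbol)) {
            hits++;             /* count each report at most once */
            counted = true;
        }
        line = eol ? eol + 1 : line + len;
    }
    return hits;
}

int main(void)
{
    printf("%d\n", count_null_deref_reports(SAMPLE_LOG, "dcn30_set_output_transfer_func"));
    return 0;
}
```

A non-zero count for `dcn30_set_output_transfer_func` on a host indicates it is still running a kernel without the call-site check.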