CVE-2024-49970 in Linux
Summary
by MITRE • 10/21/2024
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Implement bounds check for stream encoder creation in DCN401
'stream_enc_regs' array is an array of dcn10_stream_enc_registers structures. The array is initialized with four elements, corresponding to the four calls to stream_enc_regs() in the array initializer. This means that valid indices for this array are 0, 1, 2, and 3.
The error message 'stream_enc_regs' 4 <= 5 below, is indicating that there is an attempt to access this array with an index of 5, which is out of bounds. This could lead to undefined behavior
Here, eng_id is used as an index to access the stream_enc_regs array. If eng_id is 5, this would result in an out-of-bounds access on the stream_enc_regs array.
Thus fixing Buffer overflow error in dcn401_stream_encoder_create
Found by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn401/dcn401_resource.c:1209 dcn401_stream_encoder_create() error: buffer overflow 'stream_enc_regs' 4 <= 5
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 03/21/2026
The vulnerability CVE-2024-49970 represents a critical buffer overflow condition within the Linux kernel's AMD display driver subsystem, specifically affecting the DCN401 stream encoder creation functionality. This issue manifests in the drm/amd/display component where the kernel attempts to access an array of stream encoder registers beyond its allocated bounds. The affected code resides in the dcn401_resource.c file at line 1209 within the dcn401_stream_encoder_create function, where the stream_enc_regs array is initialized with exactly four elements corresponding to four valid stream encoder register structures. The array bounds are explicitly defined as indices 0, 1, 2, and 3, yet the code contains logic that permits an eng_id parameter to potentially reach a value of 5, which would result in accessing memory beyond the array's legitimate boundaries. This represents a classic buffer overflow vulnerability that could lead to memory corruption and potentially arbitrary code execution within the graphics subsystem.
The technical flaw stems from inadequate input validation and bounds checking within the stream encoder creation logic. The eng_id parameter serves as an index to access the stream_enc_regs array, but no proper validation exists to ensure that this index remains within the valid range of 0-3. When eng_id equals 5, the code attempts to access stream_enc_regs[5], which exceeds the array's declared size of four elements. This condition creates a direct path for memory corruption as the kernel writes to memory locations that are not part of the intended array structure, potentially overwriting adjacent memory regions including other data structures, function pointers, or control information. The smatch static analysis tool identified this specific issue through its code inspection capabilities, highlighting the dangerous condition where a buffer access operation exceeds the declared bounds by exactly one element beyond the maximum valid index.
The operational impact of this vulnerability extends beyond simple memory corruption to potentially compromise the entire graphics rendering pipeline within the Linux kernel. When exploited, the buffer overflow could lead to system instability, display driver crashes, or more severe consequences including privilege escalation within the graphics subsystem. The vulnerability affects systems utilizing AMD graphics hardware with DCN401 architecture, which includes various Radeon graphics cards and integrated graphics solutions. Attackers could potentially leverage this vulnerability to execute arbitrary code with kernel privileges, gaining access to sensitive system resources and potentially escalating their privileges to root access. The exploitation would require a specific sequence of operations that triggers the stream encoder creation with an invalid eng_id value, making it somewhat targeted but still dangerous given the kernel-level privileges involved. This vulnerability directly maps to CWE-121, which describes stack-based buffer overflow conditions, and aligns with ATT&CK technique T1068, focusing on exploiting legitimate credentials and system privileges.
Mitigation strategies for this vulnerability should prioritize immediate kernel updates from vendors to address the specific bounds checking issue in the stream encoder creation logic. System administrators should ensure that all AMD graphics drivers are updated to versions containing the fix that implements proper validation of the eng_id parameter before array access. The fix should enforce explicit bounds checking that validates eng_id against the array size limits, preventing any index value from exceeding the maximum valid index of 3. Additional defensive measures include implementing kernel address space layout randomization, enabling stack canaries, and utilizing memory protection mechanisms such as kernel page table isolation. Organizations should also conduct thorough security assessments of their graphics-intensive applications to identify any potential exploitation vectors that might leverage this vulnerability. Monitoring for abnormal graphics driver behavior or system crashes following graphics operations could serve as early warning indicators of potential exploitation attempts. The fix implementation should follow secure coding practices as recommended by industry standards including proper input validation, defensive programming techniques, and comprehensive testing of boundary conditions to prevent similar vulnerabilities from emerging in other components of the graphics driver stack.