CVE-2024-50016 in Linux

Summary

by MITRE • 10/21/2024

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Avoid overflow assignment in link_dp_cts

sampling_rate is a uint8_t but is assigned an unsigned int, and thus it can overflow. As a result, sampling_rate is changed to uint32_t.

Similarly, LINK_QUAL_PATTERN_SET has a size of 2 bits, and it should only be assigned a value less than or equal to 4.

This fixes 2 INTEGER_OVERFLOW issues reported by Coverity.


Analysis

by VulDB Data Team • 06/27/2026

The vulnerability affects the Linux kernel's drm/amd/display subsystem, where an integer overflow condition exists in link_dp_cts. The flaw is a type mismatch: sampling_rate is declared as uint8_t, but the value assigned to it is an unsigned int. A uint8_t can only hold values from 0 to 255, so any larger value is silently truncated on assignment (it wraps modulo 256), which may lead to unexpected behavior or exploitation opportunities. This falls under CWE-190, "Integer Overflow or Wraparound", and is particularly concerning in kernel space, where such conditions can escalate to privilege escalation or system instability.

The second aspect of this vulnerability involves the LINK_QUAL_PATTERN_SET parameter which is designed to accommodate only 2 bits of information, meaning it should logically contain values between 0 and 3 inclusive. However, the code was allowing assignment of values up to 4 or higher, violating the intended bit width constraints. This represents a violation of proper integer sizing and data type consistency principles that are fundamental to secure coding practices. The issue manifests as an integer overflow because the system attempts to store a value that exceeds the maximum representable value for the designated bit width.

From an operational impact perspective, these integer overflow conditions in kernel space can have severe consequences including system crashes, memory corruption, or potentially exploitable conditions that could allow privilege escalation attacks. The drm/amd/display subsystem handles display port communication and timing synchronization which are critical components for graphics functionality. When such vulnerabilities exist in display drivers, they represent attack vectors that could be exploited by malicious actors to gain elevated privileges or cause denial of service conditions affecting system stability.

The fix addresses both issues by changing the type of sampling_rate from uint8_t to uint32_t, so that larger values are stored without overflow, and by ensuring that LINK_QUAL_PATTERN_SET assignments are constrained to valid ranges. This aligns with defensive programming practice: a variable is sized for the values assigned to it, and a value bound for a narrow bit field is range-checked before it is stored. The solution directly addresses the Coverity static analysis findings and demonstrates type handling that prevents integer overflows while maintaining functionality. From an ATT&CK framework perspective, this vulnerability could map to techniques involving privilege escalation and defense evasion through kernel-level manipulation, making the remediation particularly important for overall system security posture.
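The two defect classes described above, shown side by side with their corrected forms. This is an added illustration, not the driver's code or the upstream patch; the struct, the function names and the value 44100 are constructed for the example, and the range check is derived from the 2-bit field width.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a structure with a 2-bit field. */
struct lane_set {
    unsigned int link_qual_pattern_set : 2;  /* can hold 0..3 only */
    unsigned int reserved : 6;
};

/* Defect 1, before: unsigned int stored in a uint8_t.
 * The conversion is well defined in C and reduces the value modulo 256. */
static uint8_t store_rate_narrow(unsigned int rate)
{
    uint8_t sampling_rate = (uint8_t)rate;
    return sampling_rate;
}

/* Defect 1, after: the destination is as wide as the source. */
static uint32_t store_rate_wide(unsigned int rate)
{
    uint32_t sampling_rate = rate;
    return sampling_rate;
}

/* Defect 2, before: unchecked bit-field store keeps only the low 2 bits. */
static unsigned int store_pattern_unchecked(unsigned int pattern)
{
    struct lane_set s = {0};
    s.link_qual_pattern_set = pattern;
    return s.link_qual_pattern_set;
}

/* Defect 2, after: reject what the field cannot represent.
 * Returns 0 on success, -1 if the value is out of range. */
static int store_pattern_checked(struct lane_set *s, unsigned int pattern)
{
    if (pattern > 3u)
        return -1;
    s->link_qual_pattern_set = pattern;
    return 0;
}

int main(void)
{
    struct lane_set s = {0};
    printf("narrow(44100)=%u wide(44100)=%u\n",
           (unsigned)store_rate_narrow(44100u), (unsigned)store_rate_wide(44100u));
    printf("unchecked(4)=%u checked(4)=%d\n",
           store_pattern_unchecked(4u), store_pattern_checked(&s, 4u));
    return 0;
}
```

Compiling with `-Wconversion` makes GCC and Clang flag both unchecked stores at build time, which is the same class of finding Coverity reported here.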

The resolution of these issues contributes to the broader goal of kernel hardening and secure coding practices within the Linux ecosystem. Proper integer type management prevents cascading failures that could occur when overflow conditions lead to memory corruption or unexpected execution paths. These vulnerabilities highlight the importance of thorough static analysis tools like Coverity in identifying subtle but critical security flaws in system-level code where the impact of programming errors can be severe and far-reaching across multiple system components and user sessions.

Responsible: Linux

Reservation: 10/21/2024

Disclosure: 10/21/2024

Moderation: revoked

CPE: ready

EPSS: 0.00000

KEV: no

Activities: very low
