The Linux kernel recently fixed a serious bug in the AMD display driver that could have caused system instability or even crashes. This vulnerability, now tracked as CVE-2024-27044, was found in the dcn10_set_output_transfer_func() function in the AMD display code. In this long read, we’ll walk through what happened, the risks, and how you can protect your systems.
What Is CVE-2024-27044?
CVE-2024-27044 is a bug in the Linux kernel’s AMD GPU Direct Rendering Manager (DRM) subsystem. The problem occurred in the function dcn10_set_output_transfer_func() in the file dcn10_hwseq.c.
Why Is This a Problem?
A variable called stream is used in this function before checking if it’s actually valid (non-NULL). If stream is NULL (essentially “nothing” in programming), using it can cause a crash or make your system behave unpredictably — that’s called a NULL pointer dereference.
Here’s a simple analogy: Imagine grabbing a cup, then checking if there’s a cup on the table! If you ever try this with an empty table, you’re in trouble.
Diving Into the Code
Let’s look at a simplified version of the problematic code.
Before the Fix
void dcn10_set_output_transfer_func(...) {
// ... previous code ...
// Used 'stream' here before checking if it is NULL
color_space = stream->output_color_space; // CRASH if stream is NULL
if (!stream)
return;
// ... rest of the code ...
}
Here, if stream is NULL, stream->output_color_space will cause a system crash.
After the Fix
void dcn10_set_output_transfer_func(...) {
// ... previous code ...
if (!stream)
return;
// Now we are sure stream is not NULL
color_space = stream->output_color_space;
// ... rest of the code ...
}
Now, the code first checks if stream is NULL, and only then proceeds, making the system safe.
Where Did This Happen?
The bug was in this kernel file:
drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn10/dcn10_hwseq.c
Specifically, the warning was:
drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn10/dcn10_hwseq.c:1892 dcn10_set_output_transfer_func() warn: variable dereferenced before check 'stream' (see line 1875)
---
Potential Exploits
While this issue doesn’t directly allow for “remote code execution,” it is very valuable for a local attacker, or even just a buggy userspace application. Here’s how an attacker could possibly use this bug to crash your system (Denial-Of-Service):
Proof-of-Concept (PoC)
While a public exploit isn’t widely available (as of June 2024), you could create a userspace test that attempts to pass bad configuration data to the kernel, hitting the faulty function. Here’s a theoretical sketch of what an exploit might look like in pseudocode:
// Pseudocode: Do NOT use on production systems.
struct dc_stream_state *bad_stream = NULL;
dcn10_set_output_transfer_func(..., bad_stream, ...); // Causes crash pre-fix
If you’re writing graphics drivers or kernel modules, _always check your pointers!_
How Do I Fix CVE-2024-27044?
Good news: The patch is already in the Linux kernel.
Official Patch
You can see the original patch here:
- GitLab kernel.org Patch
- Linux Kernel Mailing List Patch Discussion
References
- CVE-2024-27044 at cve.org
- Linux Kernel Source
- drm/amd/display: Fix potential NULL pointer dereferences (commit)
Final Words
This bug is a good reminder that even small mistakes in pointer handling can lead to kernel vulnerabilities. Make sure to apply your system updates, and if you build your own kernels, include the fix for CVE-2024-27044.
Timeline
Published on: 05/01/2024 13:15:49 UTC
Last modified on: 12/23/2024 14:12:17 UTC