CVE-2024-36897 - Null Pointer Dereference in AMD Display Drivers on Linux — Analysis and Exploit Details

In June 2024, a new security vulnerability (CVE-2024-36897) was found and patched in the Linux kernel, specifically affecting AMD graphics drivers under the DRM subsystem. If you run a system with AMD GPUs and use the amdgpu driver, this is particularly relevant — especially if your GPU utilizes the new BIOS UMA carveout model and the kernel was built without the latest protection.

Below, you’ll find a plain-English explanation of what happened, a breakdown of the code, and practical exploit details.

TL;DR

- Component Affected: Linux kernel, AMD display driver (drm/amd/display)

Impact: Local DoS (system crash), possibly EoP if leveraged in combination with other bugs

- Fixed in: Linux kernel mainline commit

References:

- Linux kernel commit eefdedafe61a
- Red Hat bug tracker
- OSS security mailing list

Background: What Does the Bug Do?

The AMD display driver in the Linux kernel parses system BIOS data at startup to configure graphics hardware. For graphics chips compatible with DCN35 (Display Core Next), a new BIOS layout (version 2.2 and up) changes how video memory is mapped (“carved out”).

Older kernel releases didn’t know about this new layout, so when the driver attempted to read information about video memory, it dereferenced a pointer (integrated_info) that was never properly set—a classic null pointer dereference.

In practice:
When you boot with an affected kernel and an affected GPU/BIOS, the system could crash (kernel panic, black screen, or freeze). In theory, a malicious local program could try to trigger this if not running as root, leading to local denial of service.

Below is a simplified version of what the Linux kernel driver used to do

// Pseudocode - old version
ctx = allocate_driver_context();
ctx->dc_bios = get_bios_data(device);

if (ctx->dc_bios->integrated_info) {
    parse_integrated_info(ctx->dc_bios->integrated_info);
} else {
    // Some codepaths ignored this else!
}

free_driver_context(ctx);

In the specific case for DCN 3.5 and BIOS version 2.3 or higher, the driver did not properly initialize integrated_info, so ctx->dc_bios->integrated_info was just NULL. Any function trying to use it would immediately crash the kernel.

The Actual Fix

The fix added support for the new BIOS structure and ensured the code won’t use a null pointer by explicitly handling this new case. Here is the patch summary:

+   case ATOM_INTEGRATED_SYSTEM_INFO_V2_2: // DCN35 and newer
+       if (bios_has_uma_carveout()) {
+           ctx->dc_bios->integrated_info = parse_new_uma_layout();
+       } else {
+           ctx->dc_bios->integrated_info = NULL;
+       }
+       break;

Now, the code checks if the new BIOS version is present and only attempts to parse memory information if the right data is available.

Proof of Concept: Trigger the Crash

To *reliably* trigger this bug (on impacted systems, with vulnerable BIOS and kernel versions), you need:

Here's a trivial example to provoke the bug

#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>

int main(void) {
    // This ioctl triggers an operation that uses integrated_info
    int fd = open("/dev/dri/card", O_RDWR);
    if (fd < ) {
        perror("open");
        return 1;
    }
    // Example trigger, depends on system
    ioctl(fd, xC01064A5, ); // IOCTL code will vary!
    close(fd);
    return ;
}

*Note*: You may need to be in the video group or have CAP_SYS_ADMIN capabilities.

On a vulnerable system, this could cause a kernel oops similar to

BUG: kernel NULL pointer dereference at x000000000000000
...

How Do I Fix It?

- Update your Linux kernel: Any mainline kernel after this commit is safe.
- Check with your distro: See if your distribution’s kernel includes the fix. Search for packages addressing CVE-2024-36897 or check for "drm/amd/display: Atom Integrated System Info v2_2 for DCN35".
- Workaround: If you can't upgrade, consider using an older BIOS or switching to the open-source nouveau driver if you’re not bound to AMD hardware.

Denial of service: Most likely scenario—crashing the machine

- Security escalation: Not in isolation, but certain setups might allow chaining with other vulnerabilities for privilege escalation.

References and Further Reading

- Upstream Fix (git.kernel.org)
- Red Hat Security Tracker
- AMD GPU Open GitHub
- OSS Security Mailing List – Discussion

Conclusion

CVE-2024-36897 is a prime example of how new hardware features and BIOS layouts can break driver assumptions, leading to real-world bugs. While this one “just” crashes systems, it’s a reminder to keep your kernels updated. If you use AMD graphics, check your system for patch status!

For more insights, keep following Linux kernel security news.


*This post was written solely for educational purposes. Do not attempt to exploit this vulnerability on any system you do not own or have permission to test.*

Timeline

Published on: 05/30/2024 16:15:13 UTC
Last modified on: 08/02/2024 03:43:49 UTC