CVE-2024-43899 - Critical Null Pointer Dereference in Linux Kernel AMD Display Driver (amdgpu) Leading to System Hang & Crash

Published: June 2024
Impact: Kernel crash, Local denial of service
Component: drm/amd/display, file dcn20_resource.c
Affected hardware: AMD DCN401 discrete GPU (dGPU)
Root cause: Null pointer dereference
Fixed in: Latest upstream Linux and stable kernels

Introduction

A critical vulnerability—CVE-2024-43899—was found and patched in the Linux kernel's AMDGPU display driver stack. The bug, a classic null pointer dereference, could instantly hang or crash affected systems during normal graphical operations, such as playing videos with hardware acceleration enabled.

This exclusive post explains the vulnerability in simple terms, demonstrates how it manifests, outlines possible security and stability risks, and walks you through the original patch. You'll find working proof-of-concept (PoC), code snippets, and essential references.

What is CVE-2024-43899?

In the Linux kernel driver code for AMD GPUs (amdgpu), there was a null pointer dereference introduced in drm/amd/display/dc/dcn20/dcn20_resource.c. This flaw is dangerous because it affects the display engine and can cause complete system lock-ups.

How is it triggered?

If you run a video player like mpv with VAAPI hardware decoding on an AMD DCN401 dGPU, playing any video and then switching to fullscreen mode would crash the kernel. Typical command:

mpv --hwdec=vaapi --vo=gpu --hwdec-codecs=all somevideo.mp4
# Then double-click to enter fullscreen

As soon as you enter fullscreen, your entire Linux desktop can freeze or crash due to this bug.

Here’s what the kernel log shows on affected systems

BUG: kernel NULL pointer dereference, address: 000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(x001) - not-present page
RIP: 001:x
...
Call Trace:
 dcn20_get_dcc_compression_cap+x23/x30 [amdgpu]
 amdgpu_dm_plane_validate_dcc.constprop.+xe5/x180 [amdgpu]
 amdgpu_dm_plane_fill_plane_buffer_attributes+x300/x580 [amdgpu]
 fill_dc_plane_info_and_addr+x258/x350 [amdgpu]
 fill_dc_plane_attributes+x162/x350 [amdgpu]
 dm_update_plane_state.constprop.+x4e3/x6b [amdgpu]
 amdgpu_dm_atomic_check+xdfe/x176 [amdgpu]

Notice the RIP: 001:x, showing the kernel tried to execute from a null address: a "null pointer dereference."

Denial of service: Causes full system freeze or crash, requiring a hard reboot.

- Security impact: While not a direct privilege escalation, denial of service is a significant attack vector—malicious users could exploit it repeatedly to disrupt shared systems or multi-user environments.

The Root Cause: Code Walkthrough

The problem lies in a missing check for a null pointer in the display pipeline. Specifically, the driver's internal structures, particularly the dcc_cap field inside the pipe_ctx->plane_res pointer, were being accessed without confirming that the pointer was valid.

Relevant buggy code (before the patch)

// in dcn20/dcn20_resource.c
void dcn20_get_dcc_compression_cap(..., struct pipe_ctx *pipe_ctx)
{
    // pipe_ctx->plane_res should be checked before dereference
    struct dcc_cap *dcc = pipe_ctx->plane_res.dcc_cap;   // <-- if pipe_ctx->plane_res == NULL, crash!
    ...
}

This function can be called with a pipe_ctx struct whose members may not be fully initialized, leading to dereferencing a null pointer and crashing.

The Official Fix

#### The patch, committed upstream and now integrated in recent Linux stable releases, adds proper null pointer checks.

Patched code

void dcn20_get_dcc_compression_cap(..., struct pipe_ctx *pipe_ctx)
{
    // New null check protects kernel from crash
    if (!pipe_ctx || !pipe_ctx->plane_res.dcc_cap)
        return;

    struct dcc_cap *dcc = pipe_ctx->plane_res.dcc_cap;
    ...
}

Sources

- Upstream Linux kernel commit
- Fixes tag on Patchwork
- Kernel bugzilla report

Exploiting the Vulnerability: PoC

Anyone with access to a graphical environment and an affected AMD GPU can crash the system with a simple sequence:

Execute

mpv --hwdec=vaapi --vo=gpu --hwdec-codecs=all anyvideo.mp4

Double-click the video window to go fullscreen.

4. Observe an immediate system freeze or crash; some users may see graphical corruption before the lock-up.

Note: This requires *no* root permissions, and can be performed by any local user.

Mitigation and Solutions

- Upgrade your linux kernel: Ensure you are using a patched version. All major distributions have shipped or will soon ship updates to address CVE-2024-43899.

Workaround: Disable hardware-accelerated video decoding until your system is patched.

- Check your kernel version: The bug has been fixed in Linux kernel versions after 6.5.-41-generic.

References & Further Reading

- Kernel upstream fix commit
- Original Patchwork Email
- Bugzilla bug report
- CVE entry (NVD)
- AMD GPU Linux Display Code

Conclusion

CVE-2024-43899 is a high-impact crash bug in Linux's AMDGPU DRM code, easily triggered by unprivileged local users just playing videos. If you use an AMD DCN401 dGPU—especially on desktops running GNOME, KDE, or similar—make sure your kernel is patched.

Stay safe,

Timeline

Published on: 08/26/2024 11:15:04 UTC
Last modified on: 08/27/2024 14:38:19 UTC