Summary:
CVE-2024-43901 is a NULL pointer dereference in the Linux kernel's AMDGPU Direct Rendering Manager (DRM) display code that affects systems with the DCN401 display hardware block. Reading a single debugfs file (amdgpu_dm_dtn_log) calls a DPP function-table entry that the DCN401 code never fills in, so the kernel jumps through a NULL function pointer and Oopses. The result is a local denial of service (DoS) for anyone who can read debugfs, which by default means root. In this write-up, we explain how this bug occurs, walk through the stack trace, show how it is triggered, and provide links for further reading.

The Vulnerability in a Nutshell

The problematic code lives in the drm/amd/display driver and affects systems that use the DCN401 display block (newer AMD GPUs). When a user reads the Debug Timing and Notification (DTN) log via:

cat /sys/kernel/debug/dri/<N>/amdgpu_dm_dtn_log

(where <N> is the index of the DRM device under /sys/kernel/debug/dri/), the kernel Oopses on a NULL pointer dereference. The crash needs nothing more than cat and read access to debugfs.

What’s Going Wrong?

The DCN401 implementation lacks initialization for the gamut_remap function in its DPP function table. When the DTN log code attempts to invoke the (missing) function, it dereferences a NULL pointer.

Here is what the relevant code path looked like before the fix (simplified for clarity):

// In dcn10_log_color_state(), called from dcn10_log_hw_state() for every DPP in the pool.
// The callback is invoked without checking that the hardware block filled it in:
dpp->funcs->gamut_remap(...);

Every earlier DCN generation populates that entry, so the call works there. For DCN401, dpp->funcs->gamut_remap is NULL, so the indirect call transfers control to address 0; that is why the Oops below reports an instruction fetch at RIP 0x0 rather than a bad data access.

Triggering the bug was as simple as

cat /sys/kernel/debug/dri/<N>/amdgpu_dm_dtn_log

And here is what shows up in dmesg

BUG: kernel NULL pointer dereference, address: NULL
#PF: supervisor instruction fetch in kernel mode
Oops: 0010 [#1] PREEMPT SMP NOPTI
RIP: 0010:0x0
Call Trace:
  dcn10_log_color_state+0xf9/0x510 [amdgpu]
  dcn10_log_hw_state+0xfd/0xfe0 [amdgpu]
  dtn_log_read+0x82/0x120 [amdgpu]
  full_proxy_read+0x66/0x90
  vfs_read+0xb0/0x340
  ...

Two details confirm the diagnosis: the fault is an instruction fetch, not a data read or write, and RIP is 0x0, meaning the CPU tried to execute code at address zero. That is exactly what a call through an unset function pointer produces. The trace also shows the full path from user space: vfs_read -> the debugfs full_proxy_read wrapper -> dtn_log_read -> dcn10_log_hw_state -> dcn10_log_color_state.

How a Malicious User Could Use This

- Impact: any user with read access to /sys/kernel/debug/dri/<N>/amdgpu_dm_dtn_log can crash the kernel, a local denial of service (DoS). debugfs is mounted root-only (mode 0700) by default, so that is normally root; it is broader on systems that mount debugfs with relaxed uid, gid or mode options, or that loosen its permissions for debugging.
- Trigger: a single read suffices:

cat /sys/kernel/debug/dri/<N>/amdgpu_dm_dtn_log

Who’s Affected:

Any Linux machine with an AMD GPU using the DCN401 block and a kernel version from before the fix was merged.

PoC (Proof-of-Concept)

# On a vulnerable kernel with DCN401 hardware this Oopses the kernel: the reading
# process is killed, or the whole machine panics if panic_on_oops is set.
cat /sys/kernel/debug/dri/<N>/amdgpu_dm_dtn_log

On a vulnerable machine the command does not return normally, and dmesg/journalctl records

BUG: kernel NULL pointer dereference, address: 0000000000000000
RIP: 0010:0x0
...
dcn10_log_color_state+0xf9/0x510 [amdgpu]
dcn10_log_hw_state+0xfd/0xfe0 [amdgpu]
...

The Fix

The developers patched the code by *properly checking* whether the gamut_remap callback is initialized before calling it. If not, the code safely skips or returns.

Patch snippet (simplified)

// PATCH: only call the DPP gamut remap callback if this hardware block implements it;
// DCN401 leaves the entry unset, so the log simply skips it instead of jumping to address 0.
if (dpp->funcs->gamut_remap)
    dpp->funcs->gamut_remap(...);
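To make the failure mode from "What's Going Wrong?" and the fix above concrete, here is an added, stand-alone C example. It is not amdgpu code: the struct, table and function names (dpp_funcs, dcn401_dpp_funcs, log_color_state_checked, dpp_funcs_missing) are assumptions modelled on the page's simplified description, and the values the callbacks return are constructed. It builds a DPP function table that leaves gamut_remap NULL, as the page says the DCN401 table does, walks the pool the way the DTN log does both without and with the check, and adds an initialisation-time audit that would have flagged the unset callback before anyone read the debugfs file.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the driver structures the page describes; names and layout
 * are assumptions for this example, not the real amdgpu definitions. */
struct dpp;
struct dpp_funcs {
	void (*read_state)(struct dpp *dpp, int *state);
	void (*gamut_remap)(struct dpp *dpp, int *coef);
};
struct dpp {
	const char *name;
	const struct dpp_funcs *funcs;
};

/* Constructed callbacks: report "enabled" and a fixed coefficient. */
static void dcn10_read_state(struct dpp *dpp, int *state) { (void)dpp; *state = 1; }
static void dcn10_gamut_remap(struct dpp *dpp, int *coef) { (void)dpp; *coef = 0x2000; }

/* Older blocks populate every entry. */
static const struct dpp_funcs dcn10_dpp_funcs = {
	.read_state = dcn10_read_state, .gamut_remap = dcn10_gamut_remap,
};
/* Hypothetical DCN401 table: gamut_remap deliberately left NULL, which is the
 * missing initialisation the page describes. */
static const struct dpp_funcs dcn401_dpp_funcs = { .read_state = dcn10_read_state };

/* Bounded append into the log buffer; returns the new write offset. */
static size_t log_append(char *buf, size_t len, size_t off, const char *fmt, ...)
{
	va_list ap;
	int n;

	if (off >= len) return off;
	va_start(ap, fmt);
	n = vsnprintf(buf + off, len - off, fmt, ap);
	va_end(ap);
	return n < 0 ? off : ((size_t)n >= len - off ? len - 1 : off + (size_t)n);
}

/* Before the fix: the callback is invoked unconditionally. With a NULL
 * gamut_remap this calls address 0: the "instruction fetch" at RIP 0x0 above. */
static int log_color_state_unchecked(struct dpp *dpps, size_t n, char *buf, size_t len)
{
	size_t off = 0; int logged = 0;
	for (size_t i = 0; i < n; i++, logged++) {
		int state, coef;
		dpps[i].funcs->read_state(&dpps[i], &state);
		dpps[i].funcs->gamut_remap(&dpps[i], &coef);	/* NULL -> crash */
		off = log_append(buf, len, off, "%s: state=%d gamut=%#x\n", dpps[i].name, state, coef);
	}
	return logged;
}

/* After the fix: test the entry before dereferencing it. A block without the
 * callback is still listed, just without a value. Returns the gamut count. */
static int log_color_state_checked(struct dpp *dpps, size_t n, char *buf, size_t len)
{
	size_t off = 0; int logged = 0;
	for (size_t i = 0; i < n; i++) {
		int state, coef;
		dpps[i].funcs->read_state(&dpps[i], &state);
		off = log_append(buf, len, off, "%s: state=%d", dpps[i].name, state);
		if (!dpps[i].funcs->gamut_remap) {
			off = log_append(buf, len, off, " gamut=<not implemented>\n");
			continue;
		}
		dpps[i].funcs->gamut_remap(&dpps[i], &coef);
		off = log_append(buf, len, off, " gamut=%#x\n", coef);
		logged++;
	}
	return logged;
}

/* Registration-time audit: count NULL entries so an unimplemented callback is
 * reported when the block is set up, not when someone cats the debugfs log. */
static int dpp_funcs_missing(const struct dpp_funcs *f)
{
	return (f->read_state == NULL) + (f->gamut_remap == NULL);
}

/* Constructed pool: one complete block followed by one DCN401-style block. */
static struct dpp demo_pool[] = {
	{ "dpp0 (dcn10)", &dcn10_dpp_funcs }, { "dpp1 (dcn401)", &dcn401_dpp_funcs },
};
static char demo_log[256];

int main(void)
{
	/* The unchecked walk only works while every table is complete: first DPP only. */
	log_color_state_unchecked(demo_pool, 1, demo_log, sizeof demo_log);
	fputs(demo_log, stdout);
	printf("%d of 2 DPPs logged gamut via the checked walk:\n", log_color_state_checked(demo_pool, 2, demo_log, sizeof demo_log));
	printf("%sdcn401 table is missing %d callback(s)\n", demo_log, dpp_funcs_missing(&dcn401_dpp_funcs));
	return 0;
}
```

Build with cc -std=c99 -Wall. The unchecked walk is only ever run over the complete table: extending it to the DCN401-style entry segfaults on the call through NULL, which is the user-space equivalent of the Oops. The audit function is the part worth carrying into real code: a function table with an unset mandatory entry should fail at registration, not when a debugfs read happens to reach it.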

*This fix has been in the mainline kernel tree since mid-2024 and reaches distribution kernels through stable backports; check your kernel's changelog for the commit rather than assuming that any recent kernel is patched.*

Upstream patches are public (see References).

Mitigation:
1. Update to a kernel that carries the fix.
2. Restrict access to debugfs (/sys/kernel/debug/) on production systems: keep it at the default root-only 0700 mode, or disable it at boot with the debugfs=off (or debugfs=no-mount) kernel parameter if nothing on the machine needs it.

References

- Kernel.org Patch Commit
- AMDGPU DRM Documentation
- CVE Record (when available)

Conclusion

If you run AMD GPUs on Linux, update your kernel to a version that carries the fix for CVE-2024-43901. An unpatched kernel combined with a debugfs that is readable beyond root lets a local, otherwise unprivileged user crash the machine with a single command.

Stay safe, keep your system updated, and always restrict debug interfaces on production systems.

*Written exclusively for your technical curiosity — always test responsibly!*

Timeline

Published on: 08/26/2024 11:15:04 UTC
Last modified on: 08/27/2024 14:38:44 UTC