In the Linux kernel, a critical vulnerability has been discovered and resolved in the DRM subsystem, specifically in the DRM/STI driver. The vulnerability, tracked as CVE-2024-56778, can lead to a dereference of an error pointer in the sti_hqvdp_atomic_check function. This post discusses the discovery, the technical details, and the resolution of the problem. You can find the original references and discussion related to the vulnerability here.

Vulnerability Details

The issue lies in sti_hqvdp_atomic_check, the function responsible for checking the CRTC state object during the atomic_check operation. The return value of drm_atomic_get_crtc_state() must always be checked, because instead of a valid state it may return an error pointer. If that error pointer is dereferenced as though it were a valid state, the kernel accesses an invalid address, which could lead to memory corruption, crashes, and even privilege escalation.

Exploit Details

To exploit this vulnerability, an attacker typically needs local access to the affected Linux system. By crafting a malicious IOCTL call that triggers the error-pointer dereference, an attacker could potentially cause memory corruption, system crashes, or privilege escalation, leading to control over the affected system.

Patch and Resolution

The Linux kernel maintainers have released a patch to address this vulnerability, which adds a check for the return value of the drm_atomic_get_crtc_state() function, ensuring that the error pointer is never dereferenced.
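To make the shape of the fix concrete, the following is an added userspace model of the kernel's ERR_PTR()/IS_ERR()/PTR_ERR() convention with the check applied the way the patch applies it. It is example code written for this post, not the kernel's definitions or the DRM/STI driver's code; fake_get_crtc_state() is a hypothetical stand-in for drm_atomic_get_crtc_state(), and the 1920x1080 state is constructed sample data.

```c
/* Userspace model of the kernel's ERR_PTR()/IS_ERR()/PTR_ERR() convention
 * that drm_atomic_get_crtc_state() relies on. Constructed for illustration;
 * these are not the kernel's definitions or the DRM/STI driver's code. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_ERRNO 4095   /* error pointers occupy the top 4095 bytes of the address space */

static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
/* Note: an error pointer is non-NULL, so a plain "if (!ptr)" check never catches it. */
static inline bool IS_ERR(const void *ptr)
{
    return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}

struct drm_crtc_state { int hdisplay; int vdisplay; };

/* Hypothetical stand-in for drm_atomic_get_crtc_state(): returns the
 * constructed sample state, or ERR_PTR(err) when err is a negative errno. */
static struct drm_crtc_state *fake_get_crtc_state(int err)
{
    static struct drm_crtc_state good = { .hdisplay = 1920, .vdisplay = 1080 };
    return err ? ERR_PTR(err) : &good;
}

/* Check in the shape of the CVE-2024-56778 fix: test IS_ERR() before
 * touching the returned state. Returns 0 on success or the negative errno
 * carried by the error pointer; *width is written only on success. */
int atomic_check_fixed(int err, int *width)
{
    struct drm_crtc_state *crtc_state = fake_get_crtc_state(err);

    if (IS_ERR(crtc_state))
        return PTR_ERR(crtc_state);   /* propagate the error instead of reading through it */
    if (width)
        *width = crtc_state->hdisplay;
    return 0;
}

int main(void)
{
    int w = 0;
    printf("error pointer for -EDEADLK encodes as %p\n", ERR_PTR(-EDEADLK));
    printf("fixed, ok path: ret=%d width=%d\n", atomic_check_fixed(0, &w), w);
    printf("fixed, -EDEADLK path: ret=%d\n", atomic_check_fixed(-EDEADLK, NULL));
    return 0;
}
```

Without the IS_ERR() check, the unfixed code would read crtc_state->mode through the address printed on the first line, which is exactly the fault the patch prevents.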

Here is the patch that resolves the issue:

diff --git a/drivers/gpu/drm/sti/sti_hqvdp.c b/drivers/gpu/drm/sti/sti_hqvdp.c
index b0409ea..57dc83a 100644
--- a/drivers/gpu/drm/sti/sti_hqvdp.c
+++ b/drivers/gpu/drm/sti/sti_hqvdp.c
@@ -492,6 +492,11 @@ static int sti_hqvdp_atomic_check(struct drm_plane *dplane,
                                  struct drm_plane_state *state)
 {
    struct drm_crtc *crtc = state->crtc;
+   struct drm_crtc_state *crtc_state;
+   int ret;
+
+   crtc_state = drm_atomic_get_crtc_state(state->state, crtc);
+   if (IS_ERR(crtc_state))
+      return PTR_ERR(crtc_state);
 }

 static int sti_hqvdp_atomic_update(struct drm_plane *dplane,
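Review bot: `int ret;` is declared in this hunk but never used, and the hunk closes with `}` immediately after the `if (IS_ERR(crtc_state)) return PTR_ERR(crtc_state);` early return, so as shown the function falls off its end without returning a value on the success path; either the remainder of the function body is missing from the excerpt or that `}` belongs further down. Drop `int ret;` (or use it) and check the excerpt against the upstream commit: the header `@@ -492,6 +492,11 @@` accounts for five added lines while six `+` lines appear, which suggests the hunk was edited by hand.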

The patch should be applied to Linux systems running vulnerable kernel versions by updating to the latest kernel provided by the distribution's package manager.

Conclusion

CVE-2024-56778 demonstrates the importance of thoroughly inspecting return values from functions to avoid dereferencing error pointers or uninitialized pointers. This vulnerability could have been exploited to cause serious damage to Linux systems. Fortunately, the issue was caught in time, and a patch has been released to prevent this security bug. Users are advised to apply the patch as soon as possible to avoid any potential risks.

Timeline

Published on: 01/08/2025 18:15:18 UTC
Last modified on: 01/20/2025 06:27:59 UTC