{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-43901", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-08-17T09:11:59.292Z", "datePublished": "2024-08-26T10:11:00.255Z", "dateUpdated": "2025-07-11T17:20:07.269Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-07-11T17:20:07.269Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix NULL pointer dereference for DTN log in DCN401\n\nWhen users run the command:\n\ncat /sys/kernel/debug/dri/0/amdgpu_dm_dtn_log\n\nThe following NULL pointer dereference happens:\n\n[ +0.000003] BUG: kernel NULL pointer dereference, address: NULL\n[ +0.000005] #PF: supervisor instruction fetch in kernel mode\n[ +0.000002] #PF: error_code(0x0010) - not-present page\n[ +0.000002] PGD 0 P4D 0\n[ +0.000004] Oops: 0010 [#1] PREEMPT SMP NOPTI\n[ +0.000003] RIP: 0010:0x0\n[ +0.000008] Code: Unable to access opcode bytes at 0xffffffffffffffd6.\n[...]\n[ +0.000002] PKRU: 55555554\n[ +0.000002] Call Trace:\n[ +0.000002] <TASK>\n[ +0.000003] ? show_regs+0x65/0x70\n[ +0.000006] ? __die+0x24/0x70\n[ +0.000004] ? page_fault_oops+0x160/0x470\n[ +0.000006] ? do_user_addr_fault+0x2b5/0x690\n[ +0.000003] ? prb_read_valid+0x1c/0x30\n[ +0.000005] ? exc_page_fault+0x8c/0x1a0\n[ +0.000005] ? asm_exc_page_fault+0x27/0x30\n[ +0.000012] dcn10_log_color_state+0xf9/0x510 [amdgpu]\n[ +0.000306] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000003] ? vsnprintf+0x2fb/0x600\n[ +0.000009] dcn10_log_hw_state+0xfd0/0xfe0 [amdgpu]\n[ +0.000218] ? __mod_memcg_lruvec_state+0xe8/0x170\n[ +0.000008] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? debug_smp_processor_id+0x17/0x20\n[ +0.000003] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? set_ptes.isra.0+0x2b/0x90\n[ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? _raw_spin_unlock+0x19/0x40\n[ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? do_anonymous_page+0x337/0x700\n[ +0.000004] dtn_log_read+0x82/0x120 [amdgpu]\n[ +0.000207] full_proxy_read+0x66/0x90\n[ +0.000007] vfs_read+0xb0/0x340\n[ +0.000005] ? __count_memcg_events+0x79/0xe0\n[ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000003] ? count_memcg_events.constprop.0+0x1e/0x40\n[ +0.000003] ? handle_mm_fault+0xb2/0x370\n[ +0.000003] ksys_read+0x6b/0xf0\n[ +0.000004] __x64_sys_read+0x19/0x20\n[ +0.000003] do_syscall_64+0x60/0x130\n[ +0.000004] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ +0.000003] RIP: 0033:0x7fdf32f147e2\n[...]\n\nThis error happens when the color log tries to read the gamut remap\ninformation from DCN401 which is not initialized in the dcn401_dpp_funcs\nwhich leads to a null pointer dereference. This commit addresses this\nissue by adding a proper guard to access the gamut_remap callback in\ncase the specific ASIC did not implement this function."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c"], "versions": [{"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c", "lessThan": "1e68b7ce6bc6073579fe8713ec6b85aa9cd2e351", "status": "affected", "versionType": "git"}, {"version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c", "lessThan": "5af757124792817f8eb1bd0c80ad60fab519586b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c"], "versions": [{"version": "4.15", "status": "affected"}, {"version": "0", "lessThan": "4.15", "status": "unaffected", "versionType": "semver"}, {"version": "6.10.5", "lessThanOrEqual": "6.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.11", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "6.10.5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "6.11"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1e68b7ce6bc6073579fe8713ec6b85aa9cd2e351"}, {"url": "https://git.kernel.org/stable/c/5af757124792817f8eb1bd0c80ad60fab519586b"}], "title": "drm/amd/display: Fix NULL pointer dereference for DTN log in DCN401", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-43901", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:28:50.219513Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-12T17:33:07.936Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-43901", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:28:50.219513Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:15.178Z"}}], "cna": {"title": "drm/amd/display: Fix NULL pointer dereference for DTN log in DCN401", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c", "lessThan": "1e68b7ce6bc6073579fe8713ec6b85aa9cd2e351", "versionType": "git"}, {"status": "affected", "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c", "lessThan": "5af757124792817f8eb1bd0c80ad60fab519586b", "versionType": "git"}], "programFiles": ["drivers/gpu/drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "4.15"}, {"status": "unaffected", "version": "0", "lessThan": "4.15", "versionType": "semver"}, {"status": "unaffected", "version": "6.10.5", "versionType": "semver", "lessThanOrEqual": "6.10.*"}, {"status": "unaffected", "version": "6.11", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/gpu/drm/amd/display/dc/hwss/dcn10/dcn10_hwseq.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/1e68b7ce6bc6073579fe8713ec6b85aa9cd2e351"}, {"url": "https://git.kernel.org/stable/c/5af757124792817f8eb1bd0c80ad60fab519586b"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix NULL pointer dereference for DTN log in DCN401\n\nWhen users run the command:\n\ncat /sys/kernel/debug/dri/0/amdgpu_dm_dtn_log\n\nThe following NULL pointer dereference happens:\n\n[ +0.000003] BUG: kernel NULL pointer dereference, address: NULL\n[ +0.000005] #PF: supervisor instruction fetch in kernel mode\n[ +0.000002] #PF: error_code(0x0010) - not-present page\n[ +0.000002] PGD 0 P4D 0\n[ +0.000004] Oops: 0010 [#1] PREEMPT SMP NOPTI\n[ +0.000003] RIP: 0010:0x0\n[ +0.000008] Code: Unable to access opcode bytes at 0xffffffffffffffd6.\n[...]\n[ +0.000002] PKRU: 55555554\n[ +0.000002] Call Trace:\n[ +0.000002] <TASK>\n[ +0.000003] ? show_regs+0x65/0x70\n[ +0.000006] ? __die+0x24/0x70\n[ +0.000004] ? page_fault_oops+0x160/0x470\n[ +0.000006] ? do_user_addr_fault+0x2b5/0x690\n[ +0.000003] ? prb_read_valid+0x1c/0x30\n[ +0.000005] ? exc_page_fault+0x8c/0x1a0\n[ +0.000005] ? asm_exc_page_fault+0x27/0x30\n[ +0.000012] dcn10_log_color_state+0xf9/0x510 [amdgpu]\n[ +0.000306] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000003] ? vsnprintf+0x2fb/0x600\n[ +0.000009] dcn10_log_hw_state+0xfd0/0xfe0 [amdgpu]\n[ +0.000218] ? __mod_memcg_lruvec_state+0xe8/0x170\n[ +0.000008] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? debug_smp_processor_id+0x17/0x20\n[ +0.000003] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? set_ptes.isra.0+0x2b/0x90\n[ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? _raw_spin_unlock+0x19/0x40\n[ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? do_anonymous_page+0x337/0x700\n[ +0.000004] dtn_log_read+0x82/0x120 [amdgpu]\n[ +0.000207] full_proxy_read+0x66/0x90\n[ +0.000007] vfs_read+0xb0/0x340\n[ +0.000005] ? __count_memcg_events+0x79/0xe0\n[ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000003] ? count_memcg_events.constprop.0+0x1e/0x40\n[ +0.000003] ? handle_mm_fault+0xb2/0x370\n[ +0.000003] ksys_read+0x6b/0xf0\n[ +0.000004] __x64_sys_read+0x19/0x20\n[ +0.000003] do_syscall_64+0x60/0x130\n[ +0.000004] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ +0.000003] RIP: 0033:0x7fdf32f147e2\n[...]\n\nThis error happens when the color log tries to read the gamut remap\ninformation from DCN401 which is not initialized in the dcn401_dpp_funcs\nwhich leads to a null pointer dereference. This commit addresses this\nissue by adding a proper guard to access the gamut_remap callback in\ncase the specific ASIC did not implement this function."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.10.5", "versionStartIncluding": "4.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.11", "versionStartIncluding": "4.15"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-07-11T17:20:07.269Z"}}}, "cveMetadata": {"cveId": "CVE-2024-43901", "state": "PUBLISHED", "dateUpdated": "2025-07-11T17:20:07.269Z", "dateReserved": "2024-08-17T09:11:59.292Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-08-26T10:11:00.255Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E4CB0927-C720-465B-99F2-3E47215515F2", "versionEndExcluding": "6.10.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix NULL pointer dereference for DTN log in DCN401\n\nWhen users run the command:\n\ncat /sys/kernel/debug/dri/0/amdgpu_dm_dtn_log\n\nThe following NULL pointer dereference happens:\n\n[ +0.000003] BUG: kernel NULL pointer dereference, address: NULL\n[ +0.000005] #PF: supervisor instruction fetch in kernel mode\n[ +0.000002] #PF: error_code(0x0010) - not-present page\n[ +0.000002] PGD 0 P4D 0\n[ +0.000004] Oops: 0010 [#1] PREEMPT SMP NOPTI\n[ +0.000003] RIP: 0010:0x0\n[ +0.000008] Code: Unable to access opcode bytes at 0xffffffffffffffd6.\n[...]\n[ +0.000002] PKRU: 55555554\n[ +0.000002] Call Trace:\n[ +0.000002] <TASK>\n[ +0.000003] ? show_regs+0x65/0x70\n[ +0.000006] ? __die+0x24/0x70\n[ +0.000004] ? page_fault_oops+0x160/0x470\n[ +0.000006] ? do_user_addr_fault+0x2b5/0x690\n[ +0.000003] ? prb_read_valid+0x1c/0x30\n[ +0.000005] ? exc_page_fault+0x8c/0x1a0\n[ +0.000005] ? asm_exc_page_fault+0x27/0x30\n[ +0.000012] dcn10_log_color_state+0xf9/0x510 [amdgpu]\n[ +0.000306] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000003] ? vsnprintf+0x2fb/0x600\n[ +0.000009] dcn10_log_hw_state+0xfd0/0xfe0 [amdgpu]\n[ +0.000218] ? __mod_memcg_lruvec_state+0xe8/0x170\n[ +0.000008] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? debug_smp_processor_id+0x17/0x20\n[ +0.000003] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? set_ptes.isra.0+0x2b/0x90\n[ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? _raw_spin_unlock+0x19/0x40\n[ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? do_anonymous_page+0x337/0x700\n[ +0.000004] dtn_log_read+0x82/0x120 [amdgpu]\n[ +0.000207] full_proxy_read+0x66/0x90\n[ +0.000007] vfs_read+0xb0/0x340\n[ +0.000005] ? __count_memcg_events+0x79/0xe0\n[ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000003] ? count_memcg_events.constprop.0+0x1e/0x40\n[ +0.000003] ? handle_mm_fault+0xb2/0x370\n[ +0.000003] ksys_read+0x6b/0xf0\n[ +0.000004] __x64_sys_read+0x19/0x20\n[ +0.000003] do_syscall_64+0x60/0x130\n[ +0.000004] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ +0.000003] RIP: 0033:0x7fdf32f147e2\n[...]\n\nThis error happens when the color log tries to read the gamut remap\ninformation from DCN401 which is not initialized in the dcn401_dpp_funcs\nwhich leads to a null pointer dereference. This commit addresses this\nissue by adding a proper guard to access the gamut_remap callback in\ncase the specific ASIC did not implement this function."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/amd/display: corrige la desreferencia del puntero NULL para el registro DTN en DCN401 Cuando los usuarios ejecutan el comando: cat /sys/kernel/debug/dri/0/amdgpu_dm_dtn_log El siguiente puntero NULL ocurre la desreferencia: [+0.000003] ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: NULL [+0.000005] #PF: b\u00fasqueda de instrucciones del supervisor en modo kernel [+0.000002] #PF: c\u00f3digo_error(0x0010) - p\u00e1gina no presente [+0.000002] PGD 0 P4D 0 [ +0.000004] Ups: 0010 [#1] PREEMPT SMP NOPTI [ +0.000003] RIP: 0010:0x0 [ +0.000008] C\u00f3digo: No se puede acceder a los bytes del c\u00f3digo de operaci\u00f3n en 0xffffffffffffffd6. [...] [ +0.000002] PKRU: 55555554 [ +0.000002] Seguimiento de llamadas: [ +0.000002] [ +0.000003] ? show_regs+0x65/0x70 [+0.000006]? __die+0x24/0x70 [ +0.000004] ? page_fault_oops+0x160/0x470 [+0.000006]? do_user_addr_fault+0x2b5/0x690 [+0.000003]? prb_read_valid+0x1c/0x30 [+0.000005]? exc_page_fault+0x8c/0x1a0 [+0.000005]? asm_exc_page_fault+0x27/0x30 [ +0.000012] dcn10_log_color_state+0xf9/0x510 [amdgpu] [ +0.000306] ? srso_alias_return_thunk+0x5/0xfbef5 [+0.000003]? vsnprintf+0x2fb/0x600 [ +0.000009] dcn10_log_hw_state+0xfd0/0xfe0 [amdgpu] [ +0.000218] ? __mod_memcg_lruvec_state+0xe8/0x170 [ +0.000008] ? srso_alias_return_thunk+0x5/0xfbef5 [+0.000002]? debug_smp_processor_id+0x17/0x20 [+0.000003]? srso_alias_return_thunk+0x5/0xfbef5 [+0.000002]? srso_alias_return_thunk+0x5/0xfbef5 [+0.000002]? set_ptes.isra.0+0x2b/0x90 [ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5 [+0.000002]? _raw_spin_unlock+0x19/0x40 [+0.000004]? srso_alias_return_thunk+0x5/0xfbef5 [+0.000002]? do_anonymous_page+0x337/0x700 [ +0.000004] dtn_log_read+0x82/0x120 [amdgpu] [ +0.000207] full_proxy_read+0x66/0x90 [ +0.000007] vfs_read+0xb0/0x340 [ +0.000005] ? __count_memcg_events+0x79/0xe0 [+0.000002]? srso_alias_return_thunk+0x5/0xfbef5 [+0.000003]? count_memcg_events.constprop.0+0x1e/0x40 [+0.000003]? handle_mm_fault+0xb2/0x370 [ +0.000003] ksys_read+0x6b/0xf0 [ +0.000004] __x64_sys_read+0x19/0x20 [ +0.000003] do_syscall_64+0x60/0x130 [ +0.000004] _64_after_hwframe+0x6e/0x76 [+0.000003] RIP: 0033:0x7fdf32f147e2 [...] Este error ocurre cuando el registro de color intenta leer la informaci\u00f3n de reasignaci\u00f3n de gama de DCN401 que no est\u00e1 inicializada en dcn401_dpp_funcs, lo que conduce a una desreferencia del puntero nulo. Esta confirmaci\u00f3n soluciona este problema agregando una protecci\u00f3n adecuada para acceder a la devoluci\u00f3n de llamada gamut_remap en caso de que el ASIC espec\u00edfico no haya implementado esta funci\u00f3n."}], "id": "CVE-2024-43901", "lastModified": "2024-08-27T14:38:44.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-08-26T11:15:04.673", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1e68b7ce6bc6073579fe8713ec6b85aa9cd2e351"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5af757124792817f8eb1bd0c80ad60fab519586b"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: drm/amd/display: Fix NULL pointer dereference for DTN log in DCN401", "id": "2307874", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2307874"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["In the Linux kernel, the following vulnerability has been resolved:\ndrm/amd/display: Fix NULL pointer dereference for DTN log in DCN401\nWhen users run the command:\ncat /sys/kernel/debug/dri/0/amdgpu_dm_dtn_log\nThe following NULL pointer dereference happens:\n[ +0.000003] BUG: kernel NULL pointer dereference, address: NULL\n[ +0.000005] #PF: supervisor instruction fetch in kernel mode\n[ +0.000002] #PF: error_code(0x0010) - not-present page\n[ +0.000002] PGD 0 P4D 0\n[ +0.000004] Oops: 0010 [#1] PREEMPT SMP NOPTI\n[ +0.000003] RIP: 0010:0x0\n[ +0.000008] Code: Unable to access opcode bytes at 0xffffffffffffffd6.\n[...]\n[ +0.000002] PKRU: 55555554\n[ +0.000002] Call Trace:\n[ +0.000002] <TASK>\n[ +0.000003] ? show_regs+0x65/0x70\n[ +0.000006] ? __die+0x24/0x70\n[ +0.000004] ? page_fault_oops+0x160/0x470\n[ +0.000006] ? do_user_addr_fault+0x2b5/0x690\n[ +0.000003] ? prb_read_valid+0x1c/0x30\n[ +0.000005] ? exc_page_fault+0x8c/0x1a0\n[ +0.000005] ? asm_exc_page_fault+0x27/0x30\n[ +0.000012] dcn10_log_color_state+0xf9/0x510 [amdgpu]\n[ +0.000306] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000003] ? vsnprintf+0x2fb/0x600\n[ +0.000009] dcn10_log_hw_state+0xfd0/0xfe0 [amdgpu]\n[ +0.000218] ? __mod_memcg_lruvec_state+0xe8/0x170\n[ +0.000008] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? debug_smp_processor_id+0x17/0x20\n[ +0.000003] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? set_ptes.isra.0+0x2b/0x90\n[ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? _raw_spin_unlock+0x19/0x40\n[ +0.000004] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000002] ? do_anonymous_page+0x337/0x700\n[ +0.000004] dtn_log_read+0x82/0x120 [amdgpu]\n[ +0.000207] full_proxy_read+0x66/0x90\n[ +0.000007] vfs_read+0xb0/0x340\n[ +0.000005] ? __count_memcg_events+0x79/0xe0\n[ +0.000002] ? srso_alias_return_thunk+0x5/0xfbef5\n[ +0.000003] ? count_memcg_events.constprop.0+0x1e/0x40\n[ +0.000003] ? handle_mm_fault+0xb2/0x370\n[ +0.000003] ksys_read+0x6b/0xf0\n[ +0.000004] __x64_sys_read+0x19/0x20\n[ +0.000003] do_syscall_64+0x60/0x130\n[ +0.000004] entry_SYSCALL_64_after_hwframe+0x6e/0x76\n[ +0.000003] RIP: 0033:0x7fdf32f147e2\n[...]\nThis error happens when the color log tries to read the gamut remap\ninformation from DCN401 which is not initialized in the dcn401_dpp_funcs\nwhich leads to a null pointer dereference. This commit addresses this\nissue by adding a proper guard to access the gamut_remap callback in\ncase the specific ASIC did not implement this function.", "A NULL pointer dereference vulnerability was found in the AMD Display (drm/amd/display) subsystem of the Linux kernel when users attempt to access the DTN log. When the command (cat /sys/kernel/debug/dri/0/amdgpu_dm_dtn_log\n) to access the DTN log is run, the code attempts to read the gamut remap information. If this information has not been initialized, it will result in a NULL pointer dereference, leading to a kernel panic. This flaw allows an attacker to cause kernel panic, which leads the system to crash or become unresponsive."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-43901", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-08-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-43901\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-43901\nhttps://lore.kernel.org/linux-cve-announce/2024082617-CVE-2024-43901-6c76@gregkh/T"], "threat_severity": "Low"}

{}