CVE-2024-50037

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-50037
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50037.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-50037
Downstream
Related
Published
2024-10-21T19:39:37Z
Modified
2025-10-14T17:46:56.270762Z
Summary
drm/fbdev-dma: Only cleanup deferred I/O if necessary
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/fbdev-dma: Only cleanup deferred I/O if necessary

Commit 5a498d4d06d6 ("drm/fbdev-dma: Only install deferred I/O if necessary") initializes deferred I/O only if it is used. drmfbdevdmafbdestroy() however calls fbdeferrediocleanup() unconditionally with struct fbinfo.fbdefio == NULL. KASAN with the out-of-tree Apple silicon display driver posts following warning from _flushwork() of a random struct work_struct instead of the expected NULL pointer derefs.

[ 22.053799] ------------[ cut here ]------------ [ 22.054832] WARNING: CPU: 2 PID: 1 at kernel/workqueue.c:4177 _flushwork+0x4d8/0x580 [ 22.056597] Modules linked in: uhid bnep uinput nlsascii ip6tables iptables i2cdev loop fuse dmmultipath nfnetlink zram hidmagicmouse btrfs xor xorneon brcmfmacwcc raid6pq hcibcm4377 bluetooth brcmfmac hidapple brcmutil nvmemspmimfd simplemfdspmi dockchannelhid cfg80211 joydev regmapspmi nvmeapple ecdhgeneric ecc macsmchid rfkill dwc3 appledrm sndsocmacaudio macsmcpower nvmecore appleisp phyappleatc applesart applertkithelper appledockchannel tps6598x macsmchwmon sndsoccs42l84 videobuf2v4l2 spmiapplecontroller nvmemappleefuses videobuf2dmasg applez2 videobuf2memops spinor panelsummit videobuf2common asahi videodev pwmapple appledcp sndsocapplemca appleadmac spiapple clkapplenco i2cpasemiplatform sndpcmdmaengine mc i2cpasemicore muxcore ofpart adpdrm drmdmahelper appledart applesoccpufreq ledspwm phram [ 22.073768] CPU: 2 UID: 0 PID: 1 Comm: systemd-shutdow Not tainted 6.11.2-asahi+ #asahi-dev [ 22.075612] Hardware name: Apple MacBook Pro (13-inch, M2, 2022) (DT) [ 22.077032] pstate: 01400005 (nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 22.078567] pc : _flushwork+0x4d8/0x580 [ 22.079471] lr : _flushwork+0x54/0x580 [ 22.080345] sp : ffffc000836ef820 [ 22.081089] x29: ffffc000836ef880 x28: 0000000000000000 x27: ffff80002ddb7128 [ 22.082678] x26: dfffc00000000000 x25: 1ffff000096f0c57 x24: ffffc00082d3e358 [ 22.084263] x23: ffff80004b7862b8 x22: dfffc00000000000 x21: ffff80005aa1d470 [ 22.085855] x20: ffff80004b786000 x19: ffff80004b7862a0 x18: 0000000000000000 [ 22.087439] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000005 [ 22.089030] x14: 1ffff800106ddf0a x13: 0000000000000000 x12: 0000000000000000 [ 22.090618] x11: ffffb800106ddf0f x10: dfffc00000000000 x9 : 1ffff800106ddf0e [ 22.092206] x8 : 0000000000000000 x7 : aaaaaaaaaaaaaaaa x6 : 0000000000000001 [ 22.093790] x5 : ffffc000836ef728 x4 : 0000000000000000 x3 : 0000000000000020 [ 22.095368] x2 : 0000000000000008 x1 : 00000000000000aa x0 : 0000000000000000 [ 22.096955] Call trace: [ 22.097505] _flushwork+0x4d8/0x580 [ 22.098330] flushdelayedwork+0x80/0xb8 [ 22.099231] fbdeferrediocleanup+0x3c/0x130 [ 22.100217] drmfbdevdmafbdestroy+0x6c/0xe0 [drmdmahelper] [ 22.101559] unregisterframebuffer+0x210/0x2f0 [ 22.102575] drmfbhelperunregisterinfo+0x48/0x60 [ 22.103683] drmfbdevdmaclientunregister+0x4c/0x80 [drmdmahelper] [ 22.105147] drmclientdevunregister+0x1cc/0x230 [ 22.106217] drmdevunregister+0x58/0x570 [ 22.107125] appledrmunbind+0x50/0x98 [appledrm] [ 22.108199] componentdel+0x1f8/0x3a8 [ 22.109042] dcpplatformshutdown+0x24/0x38 [appledcp] [ 22.110357] platformshutdown+0x70/0x90 [ 22.111219] deviceshutdown+0x368/0x4d8 [ 22.112095] kernelrestart+0x6c/0x1d0 [ 22.112946] _arm64sysreboot+0x1c8/0x328 [ 22.113868] invokesyscall+0x78/0x1a8 [ 22.114703] doel0svc+0x124/0x1a0 [ 22.115498] el0svc+0x3c/0xe0 [ 22.116181] el0t64synchandler+0x70/0xc0 [ 22.117110] el0t64sync+0x190/0x198 [ 22.117931] ---[ end trace 0000000000000000 ]---

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5a498d4d06d6d9bad76d8a50a7f8fe01670ad46f
Fixed
5a4a8ea14c54c651ec532a480bd560d0c6e52f3d
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
5a498d4d06d6d9bad76d8a50a7f8fe01670ad46f
Fixed
fcddc71ec7ecf15b4df3c41288c9cf0b8e886111

Affected versions

v6.*

v6.11
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.11.1
v6.11.2
v6.11.3
v6.12-rc1

Database specific 

{
    "vanir_signatures": [
        {
            "target": {
                "file": "drivers/gpu/drm/drm_fbdev_dma.c"
            },
            "id": "CVE-2024-50037-035fecc3",
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "25379296793283388667592577776138313368",
                    "44229631974302218467786903976143280157",
                    "214982560198962190571882550820942424251",
                    "175010442973185706171895325659737375605"
                ]
            },
            "deprecated": false,
            "signature_type": "Line",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fcddc71ec7ecf15b4df3c41288c9cf0b8e886111"
        },
        {
            "target": {
                "file": "drivers/gpu/drm/drm_fbdev_dma.c"
            },
            "id": "CVE-2024-50037-336ec9b3",
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "25379296793283388667592577776138313368",
                    "44229631974302218467786903976143280157",
                    "214982560198962190571882550820942424251",
                    "175010442973185706171895325659737375605"
                ]
            },
            "deprecated": false,
            "signature_type": "Line",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5a4a8ea14c54c651ec532a480bd560d0c6e52f3d"
        },
        {
            "target": {
                "file": "drivers/gpu/drm/drm_fbdev_dma.c",
                "function": "drm_fbdev_dma_fb_destroy"
            },
            "id": "CVE-2024-50037-931d0e2f",
            "signature_version": "v1",
            "digest": {
                "length": 268.0,
                "function_hash": "277862585114216022293344494905195069539"
            },
            "deprecated": false,
            "signature_type": "Function",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5a4a8ea14c54c651ec532a480bd560d0c6e52f3d"
        },
        {
            "target": {
                "file": "drivers/gpu/drm/drm_fbdev_dma.c",
                "function": "drm_fbdev_dma_fb_destroy"
            },
            "id": "CVE-2024-50037-add6cdb0",
            "signature_version": "v1",
            "digest": {
                "length": 268.0,
                "function_hash": "277862585114216022293344494905195069539"
            },
            "deprecated": false,
            "signature_type": "Function",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fcddc71ec7ecf15b4df3c41288c9cf0b8e886111"
        }
    ]
}

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.11.0
Fixed
6.11.4