CVE-2024-50177

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-50177
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50177.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-50177
Published
2024-11-08T05:23:59Z
Modified
2025-10-15T01:47:27.872127Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
drm/amd/display: fix a UBSAN warning in DML2.1
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: fix a UBSAN warning in DML2.1

When programming phantom pipe, since cursor_width is explicitly set to 0, this causes calculation logic to trigger overflow for an unsigned int, triggering the kernel's UBSAN check as below:

[ 40.962845] UBSAN: shift-out-of-bounds in /tmp/amd.EfpumTkO/amd/amdgpu/../display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c:3312:34
[ 40.962849] shift exponent 4294967170 is too large for 32-bit type 'unsigned int'
[ 40.962852] CPU: 1 PID: 1670 Comm: gnome-shell Tainted: G W OE 6.5.0-41-generic #41~22.04.2-Ubuntu
[ 40.962854] Hardware name: Gigabyte Technology Co., Ltd. X670E AORUS PRO X/X670E AORUS PRO X, BIOS F21 01/10/2024
[ 40.962856] Call Trace:
[ 40.962857] <TASK>
[ 40.962860] dump_stack_lvl+0x48/0x70
[ 40.962870] dump_stack+0x10/0x20
[ 40.962872] __ubsan_handle_shift_out_of_bounds+0x1ac/0x360
[ 40.962878] calculate_cursor_req_attributes.cold+0x1b/0x28 [amdgpu]
[ 40.963099] dml_core_mode_support+0x6b91/0x16bc0 [amdgpu]
[ 40.963327] ? srso_alias_return_thunk+0x5/0x7f
[ 40.963331] ? CalculateWatermarksMALLUseAndDRAMSpeedChangeSupport+0x18b8/0x2790 [amdgpu]
[ 40.963534] ? srso_alias_return_thunk+0x5/0x7f
[ 40.963536] ? dml_core_mode_support+0xb3db/0x16bc0 [amdgpu]
[ 40.963730] dml2_core_calcs_mode_support_ex+0x2c/0x90 [amdgpu]
[ 40.963906] ? srso_alias_return_thunk+0x5/0x7f
[ 40.963909] ? dml2_core_calcs_mode_support_ex+0x2c/0x90 [amdgpu]
[ 40.964078] core_dcn4_mode_support+0x72/0xbf0 [amdgpu]
[ 40.964247] dml2_top_optimization_perform_optimization_phase+0x1d3/0x2a0 [amdgpu]
[ 40.964420] dml2_build_mode_programming+0x23d/0x750 [amdgpu]
[ 40.964587] dml21_validate+0x274/0x770 [amdgpu]
[ 40.964761] ? srso_alias_return_thunk+0x5/0x7f
[ 40.964763] ? resource_append_dpp_pipes_for_plane_composition+0x27c/0x3b0 [amdgpu]
[ 40.964942] dml2_validate+0x504/0x750 [amdgpu]
[ 40.965117] ? dml21_copy+0x95/0xb0 [amdgpu]
[ 40.965291] ? srso_alias_return_thunk+0x5/0x7f
[ 40.965295] dcn401_validate_bandwidth+0x4e/0x70 [amdgpu]
[ 40.965491] update_planes_and_stream_state+0x38d/0x5c0 [amdgpu]
[ 40.965672] update_planes_and_stream_v3+0x52/0x1e0 [amdgpu]
[ 40.965845] ? srso_alias_return_thunk+0x5/0x7f
[ 40.965849] dc_update_planes_and_stream+0x71/0xb0 [amdgpu]

Fix this by adding a guard for checking cursor width before triggering the size calculation.

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
70839da6360500a82e4d5f78499284474cbed7c1
Fixed
27bc3da5eae57e3af8f5648b4498ffde48781434
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
70839da6360500a82e4d5f78499284474cbed7c1
Fixed
eaf3adb8faab611ba57594fa915893fc93a7788c

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.11.1
v6.11.2
v6.9
v6.9-rc6
v6.9-rc7

Database specific

vanir_signatures

[
    {
        "signature_type": "Function",
        "id": "CVE-2024-50177-0b55db18",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@eaf3adb8faab611ba57594fa915893fc93a7788c",
        "signature_version": "v1",
        "target": {
            "function": "dml_core_mode_programming",
            "file": "drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c"
        },
        "digest": {
            "function_hash": "243858375020765168433439485952869893862",
            "length": 88347.0
        },
        "deprecated": false
    },
    {
        "signature_type": "Line",
        "id": "CVE-2024-50177-59c479c7",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@eaf3adb8faab611ba57594fa915893fc93a7788c",
        "signature_version": "v1",
        "target": {
            "file": "drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "deprecated": false
    },
    {
        "signature_type": "Function",
        "id": "CVE-2024-50177-999394e3",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@eaf3adb8faab611ba57594fa915893fc93a7788c",
        "signature_version": "v1",
        "target": {
            "function": "dml_core_mode_support",
            "file": "drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c"
        },
        "digest": {
            "function_hash": "12357802163776962390065229144076527825",
            "length": 125649.0
        },
        "deprecated": false
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.11.0
Fixed
6.11.3