AZL-50761

See a problem?
Import Source
https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-50761.json
JSON Data
https://api.test.osv.dev/v1/vulns/AZL-50761
Upstream
Published
2024-10-21T12:15:08Z
Modified
2026-04-01T05:16:21.869391Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
CVE-2024-47720 affecting package kernel for versions less than 5.15.173.1-1
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add null check for setoutputgamma in dcn30setoutputtransferfunc

This commit adds a null check for the setoutputgamma function pointer in the dcn30setoutputtransferfunc function. Previously, setoutputgamma was being checked for nullity at line 386, but then it was being dereferenced without any nullity check at line 401. This could potentially lead to a null pointer dereference error if setoutputgamma is indeed null.

To fix this, we now ensure that setoutputgamma is not null before dereferencing it. We do this by adding a nullity check for setoutputgamma before the call to setoutputgamma at line 401. If setoutputgamma is null, we log an error message and do not call the function.

This fix prevents a potential null pointer dereference error.

drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30hwseq.c:401 dcn30setoutputtransferfunc() error: we previously assumed 'mpc->funcs->setoutput_gamma' could be null (see line 386)

drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30hwseq.c 373 bool dcn30setoutputtransferfunc(struct dc *dc, 374 struct pipectx *pipectx, 375 const struct dcstreamstate *stream) 376 { 377 int mpccid = pipectx->planeres.hubp->inst; 378 struct mpc mpc = pipectx->streamres.opp->ctx->dc->respool->mpc; 379 const struct pwlparams params = NULL; 380 bool ret = false; 381 382 / program OGAM or 3DLUT only for the top pipe/ 383 if (pipectx->toppipe == NULL) { 384 /program rmu shaper and 3dlut in MPC/ 385 ret = dcn30setmpcshaper3dlut(pipectx, stream); 386 if (ret == false && mpc->funcs->setoutput_gamma) { ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this is NULL

387                         if (stream->out_transfer_func.type == TF_TYPE_HWPWL)
388                                 params = &stream->out_transfer_func.pwl;
389                         else if (pipe_ctx->stream->out_transfer_func.type ==
390                                         TF_TYPE_DISTRIBUTED_POINTS &&
391                                         cm3_helper_translate_curve_to_hw_format(
392                                         &stream->out_transfer_func,
393                                         &mpc->blender_params, false))
394                                 params = &mpc->blender_params;
395                          /* there are no ROM LUTs in OUTGAM */
396                         if (stream->out_transfer_func.type == TF_TYPE_PREDEFINED)
397                                 BREAK_TO_DEBUGGER();
398                 }
399         }
400

--> 401 mpc->funcs->setoutputgamma(mpc, mpcc_id, params); ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Then it will crash

402         return ret;
403 }
References

Affected packages

Azure Linux:2 / kernel

Package

Name
kernel
Purl
pkg:rpm/azure-linux/kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.173.1-1

Database specific

source 
"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-50761.json"