Message-ID: <220f9fb4-45ad-4997-9572-564242737dd4@amd.com>
Date: Thu, 3 Jul 2025 11:15:49 -0400
From: Harry Wentland <harry.wentland@....com>
To: jackysliu <1972843537@...com>
Cc: sunpeng.li@....com, siqueira@...lia.com, alexander.deucher@....com,
christian.koenig@....com, airlied@...il.com, simona@...ll.ch,
alvin.lee2@....com, aurabindo.pillai@....com, Dillon.Varone@....com,
Austin.Zheng@....com, Sung.Lee@....com, mario.limonciello@....com,
Wayne.Lin@....com, ryanseto@....com, linux@...blig.org,
joshua.aberback@....com, amd-gfx@...ts.freedesktop.org,
dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org,
jackysliu <Security@...cent.com>
Subject: Re: [PATCH] drm/amd/display:fix a Null pointer dereference vulnerability
On 2025-07-02 23:39, jackysliu wrote:
> A null pointer dereference vulnerability exists in the AMD display driver's
> (DC module) cleanup function dc_destruct().
> When display control context (dc->ctx) construction fails
> (due to memory allocation failure), this pointer remains NULL.
> During subsequent error handling when dc_destruct() is called,
> there's no NULL check before dereferencing the perf_trace member
> (dc->ctx->perf_trace),
> causing a kernel null pointer dereference crash.
>
> Signed-off-by: jackysliu <Security@...cent.com>
Thanks for your patch.
Please run and fix this checkpatch.pl warning:
WARNING: From:/Signed-off-by: email address mismatch: 'From: jackysliu <1972843537@...com>' != 'Signed-off-by: jackysliu <Security@...cent.com>'
> ---
> drivers/gpu/drm/amd/display/dc/core/dc.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c
> index 56d011a1323c..3bda0593f66f 100644
> --- a/drivers/gpu/drm/amd/display/dc/core/dc.c
> +++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
> @@ -934,6 +934,11 @@ static void dc_destruct(struct dc *dc)
> if (dc->link_srv)
> link_destroy_link_service(&dc->link_srv);
>
> + if (!dc->ctx) {
> + dm_error("%s: called with NULL ctx\n", __func__);
> + goto skip_ctx_cleanup;
> + }
> +
I would prefer to simply wrap the dc->ctx->logger and dc->ctx bits
with if (!dc->ctx) and avoid the goto.
Harry
> if (dc->ctx->gpio_service)
> dal_gpio_service_destroy(&dc->ctx->gpio_service);
>
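Review bot: the `goto skip_ctx_cleanup` added in this hunk jumps over everything between the new `+ }` and the label in the next hunk, not only the `dc->ctx->...` dereferences, so any teardown in the lines between the two hunks that does not depend on ctx is skipped as well; wrapping just the ctx-dependent statements in `if (dc->ctx) { ... }`, as Harry suggests, keeps the change local to the dereferences and removes the need for a label. The `dm_error()` call is also surplus on this path: a NULL ctx here is the expected state after the allocation failure the commit message describes, so logging it in the destructor only adds noise.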
> @@ -946,6 +951,7 @@ static void dc_destruct(struct dc *dc)
> kfree(dc->ctx);
> dc->ctx = NULL;
>
> +skip_ctx_cleanup:
> kfree(dc->bw_vbios);
> dc->bw_vbios = NULL;
>
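Review bot: the `skip_ctx_cleanup:` label lands directly on `kfree(dc->bw_vbios)`, so the non-ctx teardown still runs, but the label exists only to serve the goto in the first hunk; if that check becomes an `if (dc->ctx)` block around the ctx-dependent statements, this hunk is no longer needed and can be dropped.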