lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <23f01ced-2885-4513-b4b5-826fe9837750@amd.com>
Date: Tue, 15 Jul 2025 16:29:23 -0500
From: Mario Limonciello <mario.limonciello@....com>
To: Krzysztof Kozlowski <krzk@...nel.org>, jackysliu <1972843537@...com>,
 harry.wentland@....com
Cc: Austin.Zheng@....com, Dillon.Varone@....com, Security@...cent.com,
 Sung.Lee@....com, Wayne.Lin@....com, airlied@...il.com,
 alexander.deucher@....com, alvin.lee2@....com,
 amd-gfx@...ts.freedesktop.org, aurabindo.pillai@....com,
 christian.koenig@....com, dri-devel@...ts.freedesktop.org,
 joshua.aberback@....com, linux-kernel@...r.kernel.org, linux@...blig.org,
 ryanseto@....com, simona@...ll.ch, siqueira@...lia.com, sunpeng.li@....com
Subject: Re: [PATCH v2] drm/amd/display:fix a Null pointer dereference
 vulnerability

On 7/15/2025 5:44 AM, Krzysztof Kozlowski wrote:
> On 04/07/2025 05:16, jackysliu wrote:
>> From: jackysliu <Security@...cent.com>
>>
>> A null pointer dereference vulnerability exists in the AMD display driver's
>>   (DC module) cleanup function dc_destruct().
>>   When display control context (dc->ctx) construction fails
>>   (due to memory allocation failure), this pointer remains NULL.
>> During subsequent error handling when dc_destruct() is called,
>> there's no NULL check before dereferencing the perf_trace member
>>   (dc->ctx->perf_trace),
>>   causing a kernel null pointer dereference crash
>>
>> Signed-off-by: jackysliu <Security@...cent.com>
>> ---
>>   drivers/gpu/drm/amd/display/dc/core/dc.c | 20 ++++++++++++--------
>>   1 file changed, 12 insertions(+), 8 deletions(-)
> 
> You should disclose that you used some AI tool for that... and that
> other report(s) was really fake finding.  People should know you
> generated it with AI, so they could make informed decision whether to
> even allocate time here.
> 
> Best regards,
> Krzysztof

Failure paths are so rarely executed that it sometimes takes years or 
static analyzers to find and fix issues.

In this case I think it's a real problem.  During init the following 
sequence happens:

dc_create()
->dc_construct_ctx()

If dc_construct_ctx() fails then it jumps to a label that calls 
dc_destruct().  So if the context wasn't set up then yeah there could be 
a NULL pointer deref.

So to me this makes sense.

Reviewed-by: Mario Limonciello <mario.limonciello@....com>

Harry, do you agree?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ