NULL Pointer Dereference Affecting kernel-uek-debug-modules-extra package, versions <0:5.15.0-303.171.5.2.el9uek


Severity

Recommended
high

Based on Oracle Linux security rating.

Threat Intelligence

EPSS
0.04% (6th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about NULL Pointer Dereference vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-ORACLE9-KERNELUEKDEBUGMODULESEXTRA-8528389
  • published19 Dec 2024
  • disclosed21 Oct 2024

Introduced: 21 Oct 2024

CVE-2024-47720  (opens in a new tab)
CWE-476  (opens in a new tab)

How to fix?

Upgrade Oracle:9 kernel-uek-debug-modules-extra to version 0:5.15.0-303.171.5.2.el9uek or higher.
This issue was patched in ELSA-2024-12887.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-uek-debug-modules-extra package and not the kernel-uek-debug-modules-extra package as distributed by Oracle. See How to fix? for Oracle:9 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func

This commit adds a null check for the set_output_gamma function pointer in the dcn30_set_output_transfer_func function. Previously, set_output_gamma was being checked for nullity at line 386, but then it was being dereferenced without any nullity check at line 401. This could potentially lead to a null pointer dereference error if set_output_gamma is indeed null.

To fix this, we now ensure that set_output_gamma is not null before dereferencing it. We do this by adding a nullity check for set_output_gamma before the call to set_output_gamma at line 401. If set_output_gamma is null, we log an error message and do not call the function.

This fix prevents a potential null pointer dereference error.

drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 dcn30_set_output_transfer_func() error: we previously assumed 'mpc->funcs->set_output_gamma' could be null (see line 386)

drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c 373 bool dcn30_set_output_transfer_func(struct dc *dc, 374 struct pipe_ctx *pipe_ctx, 375 const struct dc_stream_state *stream) 376 { 377 int mpcc_id = pipe_ctx->plane_res.hubp->inst; 378 struct mpc mpc = pipe_ctx->stream_res.opp->ctx->dc->res_pool->mpc; 379 const struct pwl_params params = NULL; 380 bool ret = false; 381 382 / program OGAM or 3DLUT only for the top pipe/ 383 if (pipe_ctx->top_pipe == NULL) { 384 /program rmu shaper and 3dlut in MPC/ 385 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream); 386 if (ret == false && mpc->funcs->set_output_gamma) { ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this is NULL

387                         if (stream-&gt;out_transfer_func.type == TF_TYPE_HWPWL)
388                                 params = &amp;stream-&gt;out_transfer_func.pwl;
389                         else if (pipe_ctx-&gt;stream-&gt;out_transfer_func.type ==
390                                         TF_TYPE_DISTRIBUTED_POINTS &amp;&amp;
391                                         cm3_helper_translate_curve_to_hw_format(
392                                         &amp;stream-&gt;out_transfer_func,
393                                         &amp;mpc-&gt;blender_params, false))
394                                 params = &amp;mpc-&gt;blender_params;
395                          /* there are no ROM LUTs in OUTGAM */
396                         if (stream-&gt;out_transfer_func.type == TF_TYPE_PREDEFINED)
397                                 BREAK_TO_DEBUGGER();
398                 }
399         }
400

--> 401 mpc->funcs->set_output_gamma(mpc, mpcc_id, params); ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Then it will crash

402         return ret;
403 }

CVSS Scores

version 3.1