From: jackysliu <Security@tencent.com>
A null pointer dereference vulnerability exists in the AMD display driver's
(DC module) cleanup function dc_destruct().
When display control context (dc->ctx) construction fails
(due to memory allocation failure), this pointer remains NULL.
During subsequent error handling when dc_destruct() is called,
there's no NULL check before dereferencing the perf_trace member
(dc->ctx->perf_trace),
causing a kernel null pointer dereference crash.
Signed-off-by: jackysliu <Security@tencent.com>
---
drivers/gpu/drm/amd/display/dc/core/dc.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c
index 56d011a1323c..393f87cfe74d 100644
--- a/drivers/gpu/drm/amd/display/dc/core/dc.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
@@ -934,17 +934,21 @@ static void dc_destruct(struct dc *dc)
if (dc->link_srv)
link_destroy_link_service(&dc->link_srv);
- if (dc->ctx->gpio_service)
- dal_gpio_service_destroy(&dc->ctx->gpio_service);
+ if (!dc->ctx) {
+ dm_error("%s: called with NULL ctx\n", __func__);
+ } else {
+ if (dc->ctx->gpio_service)
+ dal_gpio_service_destroy(&dc->ctx->gpio_service);
- if (dc->ctx->created_bios)
- dal_bios_parser_destroy(&dc->ctx->dc_bios);
+ if (dc->ctx->created_bios)
+ dal_bios_parser_destroy(&dc->ctx->dc_bios);
- kfree(dc->ctx->logger);
- dc_perf_trace_destroy(&dc->ctx->perf_trace);
+ kfree(dc->ctx->logger);
+ dc_perf_trace_destroy(&dc->ctx->perf_trace);
- kfree(dc->ctx);
- dc->ctx = NULL;
+ kfree(dc->ctx);
+ dc->ctx = NULL;
+ }
kfree(dc->bw_vbios);
dc->bw_vbios = NULL;
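Review bot: the whole ctx teardown is nested under `if (!dc->ctx) { dm_error(...) } else { ... }`, but a NULL ctx on this path is the expected state the commit message itself describes (dc_construct_ctx() failed and cleanup is running), not a condition worth a dm_error line; a plain `if (dc->ctx) { ... }` guard around the gpio_service, created_bios, logger, perf_trace and kfree(dc->ctx) statements keeps the fix, avoids printing an error during an ordinary failure-path cleanup, and removes one level of nesting. Also, the first removed dereference in this hunk is `dc->ctx->gpio_service`, so the commit message's claim that the crash happens at dc->ctx->perf_trace names the wrong line: gpio_service is reached first and should be cited as the dereference site.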
--
2.43.5
On 04/07/2025 05:16, jackysliu wrote:
> From: jackysliu <Security@tencent.com>
>
> A null pointer dereference vulnerability exists in the AMD display driver's
> (DC module) cleanup function dc_destruct().
> When display control context (dc->ctx) construction fails
> (due to memory allocation failure), this pointer remains NULL.
> During subsequent error handling when dc_destruct() is called,
> there's no NULL check before dereferencing the perf_trace member
> (dc->ctx->perf_trace),
> causing a kernel null pointer dereference crash
>
> Signed-off-by: jackysliu <Security@tencent.com>
> ---
> drivers/gpu/drm/amd/display/dc/core/dc.c | 20 ++++++++++++--------
> 1 file changed, 12 insertions(+), 8 deletions(-)

You should disclose that you used some AI tool for that... and that
the other report(s) were really fake findings. People should know you
generated it with AI, so they could make an informed decision whether to
even allocate time here.

Best regards,
Krzysztof
On Tue, Jul 15 2025 12:45:00 +0200 Krzysztof Kozlowski wrote:
> You should disclose that you used some AI tool for that... and that
> the other report(s) were really fake findings. People should know you
> generated it with AI, so they could make an informed decision whether to
> even allocate time here.

Although this problem was detected with the help of AI and static methods,
I checked the trigger path by myself and verified this problem. I'll
describe the ways of detection if I find other issues in the future.

Anyway, thanks for your review.

Siyang Liu
On 7/15/2025 5:44 AM, Krzysztof Kozlowski wrote:
> On 04/07/2025 05:16, jackysliu wrote:
>> From: jackysliu <Security@tencent.com>
>>
>> A null pointer dereference vulnerability exists in the AMD display driver's
>> (DC module) cleanup function dc_destruct().
>> When display control context (dc->ctx) construction fails
>> (due to memory allocation failure), this pointer remains NULL.
>> During subsequent error handling when dc_destruct() is called,
>> there's no NULL check before dereferencing the perf_trace member
>> (dc->ctx->perf_trace),
>> causing a kernel null pointer dereference crash
>>
>> Signed-off-by: jackysliu <Security@tencent.com>
>> ---
>> drivers/gpu/drm/amd/display/dc/core/dc.c | 20 ++++++++++++--------
>> 1 file changed, 12 insertions(+), 8 deletions(-)
>
> You should disclose that you used some AI tool for that... and that
> the other report(s) were really fake findings. People should know you
> generated it with AI, so they could make an informed decision whether to
> even allocate time here.
>
> Best regards,
> Krzysztof

Failure paths are so rarely executed that it sometimes takes years or
static analyzers to find and fix issues.

In this case I think it's a real problem. During init the following
sequence happens:

dc_create()
  -> dc_construct_ctx()

If dc_construct_ctx() fails then it jumps to a label that calls
dc_destruct(). So if the context wasn't set up then yeah, there could be
a NULL pointer deref.

So to me this makes sense.

Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>

Harry, do you agree?