4.7

CVE-2024-26874

drm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip

In the Linux kernel, the following vulnerability has been resolved:

drm/mediatek: Fix a null pointer crash in mtk_drm_crtc_finish_page_flip

It's possible that mtk_crtc->event is NULL in
mtk_drm_crtc_finish_page_flip().

pending_needs_vblank value is set by mtk_crtc->event, but in
mtk_drm_crtc_atomic_flush(), it's is not guarded by the same
lock in mtk_drm_finish_page_flip(), thus a race condition happens.

Consider the following case:

CPU1                              CPU2
step 1:
mtk_drm_crtc_atomic_begin()
mtk_crtc->event is not null,
                                  step 1:
                                  mtk_drm_crtc_atomic_flush:
                                  mtk_drm_crtc_update_config(
                                      !!mtk_crtc->event)
step 2:
mtk_crtc_ddp_irq ->
mtk_drm_finish_page_flip:
lock
mtk_crtc->event set to null,
pending_needs_vblank set to false
unlock
                                  pending_needs_vblank set to true,

                                  step 2:
                                  mtk_crtc_ddp_irq ->
                                  mtk_drm_finish_page_flip called again,
                                  pending_needs_vblank is still true
                                  //null pointer

Instead of guarding the entire mtk_drm_crtc_atomic_flush(), it's more
efficient to just check if mtk_crtc->event is null before use.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 4.7 < 4.19.311
LinuxLinux Kernel Version >= 4.20 < 5.4.273
LinuxLinux Kernel Version >= 5.5 < 5.10.214
LinuxLinux Kernel Version >= 5.11 < 5.15.153
LinuxLinux Kernel Version >= 5.16 < 6.1.83
LinuxLinux Kernel Version >= 6.2 < 6.6.23
LinuxLinux Kernel Version >= 6.7 < 6.7.11
LinuxLinux Kernel Version >= 6.8 < 6.8.2
DebianDebian Linux Version10.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.24% 0.145
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.7 1 3.6
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
Mailing List
https://lists.debian.org/debian-lts-announce/2024/06/msg00020.html
Mailing List
https://git.kernel.org/stable/c/3fc88b246a2fc16014e374040fc15af1d3752535
Patch
Mailing List
https://git.kernel.org/stable/c/4688be96d20ffa49d2186523ee84f475f316fd49
Patch
Mailing List
https://git.kernel.org/stable/c/9acee29a38b4d4b70f1f583e5ef9a245db4db710
Patch
Mailing List
https://git.kernel.org/stable/c/9beec711a17245b853d64488fd5b739031612340
Patch
Mailing List
https://git.kernel.org/stable/c/a3dd12b64ae8373a41a216a0b621df224210860a
Patch
Mailing List
https://git.kernel.org/stable/c/accdac6b71d5a2b84040c3d2234f53a60edc398e
Patch
Mailing List
https://git.kernel.org/stable/c/c958e86e9cc1b48cac004a6e245154dfba8e163b
Patch
Mailing List
https://git.kernel.org/stable/c/d2bd30c710475b2e29288827d2c91f9e6e2b91d7
Patch
Mailing List
https://git.kernel.org/stable/c/dfde84cc6c589f2a9f820f12426d97365670b731
Patch
Mailing List