cve-2024-50177
Vulnerability from cvelistv5
Published
2024-11-08 05:23
Modified
2024-12-19 09:34
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix a UBSAN warning in DML2.1 When programming phantom pipe, since cursor_width is explicity set to 0, this causes calculation logic to trigger overflow for an unsigned int triggering the kernel's UBSAN check as below: [ 40.962845] UBSAN: shift-out-of-bounds in /tmp/amd.EfpumTkO/amd/amdgpu/../display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c:3312:34 [ 40.962849] shift exponent 4294967170 is too large for 32-bit type 'unsigned int' [ 40.962852] CPU: 1 PID: 1670 Comm: gnome-shell Tainted: G W OE 6.5.0-41-generic #41~22.04.2-Ubuntu [ 40.962854] Hardware name: Gigabyte Technology Co., Ltd. X670E AORUS PRO X/X670E AORUS PRO X, BIOS F21 01/10/2024 [ 40.962856] Call Trace: [ 40.962857] <TASK> [ 40.962860] dump_stack_lvl+0x48/0x70 [ 40.962870] dump_stack+0x10/0x20 [ 40.962872] __ubsan_handle_shift_out_of_bounds+0x1ac/0x360 [ 40.962878] calculate_cursor_req_attributes.cold+0x1b/0x28 [amdgpu] [ 40.963099] dml_core_mode_support+0x6b91/0x16bc0 [amdgpu] [ 40.963327] ? srso_alias_return_thunk+0x5/0x7f [ 40.963331] ? CalculateWatermarksMALLUseAndDRAMSpeedChangeSupport+0x18b8/0x2790 [amdgpu] [ 40.963534] ? srso_alias_return_thunk+0x5/0x7f [ 40.963536] ? dml_core_mode_support+0xb3db/0x16bc0 [amdgpu] [ 40.963730] dml2_core_calcs_mode_support_ex+0x2c/0x90 [amdgpu] [ 40.963906] ? srso_alias_return_thunk+0x5/0x7f [ 40.963909] ? dml2_core_calcs_mode_support_ex+0x2c/0x90 [amdgpu] [ 40.964078] core_dcn4_mode_support+0x72/0xbf0 [amdgpu] [ 40.964247] dml2_top_optimization_perform_optimization_phase+0x1d3/0x2a0 [amdgpu] [ 40.964420] dml2_build_mode_programming+0x23d/0x750 [amdgpu] [ 40.964587] dml21_validate+0x274/0x770 [amdgpu] [ 40.964761] ? srso_alias_return_thunk+0x5/0x7f [ 40.964763] ? resource_append_dpp_pipes_for_plane_composition+0x27c/0x3b0 [amdgpu] [ 40.964942] dml2_validate+0x504/0x750 [amdgpu] [ 40.965117] ? dml21_copy+0x95/0xb0 [amdgpu] [ 40.965291] ? srso_alias_return_thunk+0x5/0x7f [ 40.965295] dcn401_validate_bandwidth+0x4e/0x70 [amdgpu] [ 40.965491] update_planes_and_stream_state+0x38d/0x5c0 [amdgpu] [ 40.965672] update_planes_and_stream_v3+0x52/0x1e0 [amdgpu] [ 40.965845] ? srso_alias_return_thunk+0x5/0x7f [ 40.965849] dc_update_planes_and_stream+0x71/0xb0 [amdgpu] Fix this by adding a guard for checking cursor width before triggering the size calculation.
Impacted products
Vendor Product Version
Linux Linux
Show details on NVD website


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "27bc3da5eae57e3af8f5648b4498ffde48781434",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "eaf3adb8faab611ba57594fa915893fc93a7788c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix a UBSAN warning in DML2.1\n\nWhen programming phantom pipe, since cursor_width is explicity set to 0,\nthis causes calculation logic to trigger overflow for an unsigned int\ntriggering the kernel\u0027s UBSAN check as below:\n\n[   40.962845] UBSAN: shift-out-of-bounds in /tmp/amd.EfpumTkO/amd/amdgpu/../display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c:3312:34\n[   40.962849] shift exponent 4294967170 is too large for 32-bit type \u0027unsigned int\u0027\n[   40.962852] CPU: 1 PID: 1670 Comm: gnome-shell Tainted: G        W  OE      6.5.0-41-generic #41~22.04.2-Ubuntu\n[   40.962854] Hardware name: Gigabyte Technology Co., Ltd. X670E AORUS PRO X/X670E AORUS PRO X, BIOS F21 01/10/2024\n[   40.962856] Call Trace:\n[   40.962857]  \u003cTASK\u003e\n[   40.962860]  dump_stack_lvl+0x48/0x70\n[   40.962870]  dump_stack+0x10/0x20\n[   40.962872]  __ubsan_handle_shift_out_of_bounds+0x1ac/0x360\n[   40.962878]  calculate_cursor_req_attributes.cold+0x1b/0x28 [amdgpu]\n[   40.963099]  dml_core_mode_support+0x6b91/0x16bc0 [amdgpu]\n[   40.963327]  ? srso_alias_return_thunk+0x5/0x7f\n[   40.963331]  ? CalculateWatermarksMALLUseAndDRAMSpeedChangeSupport+0x18b8/0x2790 [amdgpu]\n[   40.963534]  ? srso_alias_return_thunk+0x5/0x7f\n[   40.963536]  ? dml_core_mode_support+0xb3db/0x16bc0 [amdgpu]\n[   40.963730]  dml2_core_calcs_mode_support_ex+0x2c/0x90 [amdgpu]\n[   40.963906]  ? srso_alias_return_thunk+0x5/0x7f\n[   40.963909]  ? dml2_core_calcs_mode_support_ex+0x2c/0x90 [amdgpu]\n[   40.964078]  core_dcn4_mode_support+0x72/0xbf0 [amdgpu]\n[   40.964247]  dml2_top_optimization_perform_optimization_phase+0x1d3/0x2a0 [amdgpu]\n[   40.964420]  dml2_build_mode_programming+0x23d/0x750 [amdgpu]\n[   40.964587]  dml21_validate+0x274/0x770 [amdgpu]\n[   40.964761]  ? srso_alias_return_thunk+0x5/0x7f\n[   40.964763]  ? resource_append_dpp_pipes_for_plane_composition+0x27c/0x3b0 [amdgpu]\n[   40.964942]  dml2_validate+0x504/0x750 [amdgpu]\n[   40.965117]  ? dml21_copy+0x95/0xb0 [amdgpu]\n[   40.965291]  ? srso_alias_return_thunk+0x5/0x7f\n[   40.965295]  dcn401_validate_bandwidth+0x4e/0x70 [amdgpu]\n[   40.965491]  update_planes_and_stream_state+0x38d/0x5c0 [amdgpu]\n[   40.965672]  update_planes_and_stream_v3+0x52/0x1e0 [amdgpu]\n[   40.965845]  ? srso_alias_return_thunk+0x5/0x7f\n[   40.965849]  dc_update_planes_and_stream+0x71/0xb0 [amdgpu]\n\nFix this by adding a guard for checking cursor width before triggering\nthe size calculation."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T09:34:42.539Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/27bc3da5eae57e3af8f5648b4498ffde48781434"
        },
        {
          "url": "https://git.kernel.org/stable/c/eaf3adb8faab611ba57594fa915893fc93a7788c"
        }
      ],
      "title": "drm/amd/display: fix a UBSAN warning in DML2.1",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-50177",
    "datePublished": "2024-11-08T05:23:59.205Z",
    "dateReserved": "2024-10-21T19:36:19.964Z",
    "dateUpdated": "2024-12-19T09:34:42.539Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-50177\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-11-08T06:15:15.117\",\"lastModified\":\"2024-12-09T23:14:39.593\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/amd/display: fix a UBSAN warning in DML2.1\\n\\nWhen programming phantom pipe, since cursor_width is explicity set to 0,\\nthis causes calculation logic to trigger overflow for an unsigned int\\ntriggering the kernel\u0027s UBSAN check as below:\\n\\n[   40.962845] UBSAN: shift-out-of-bounds in /tmp/amd.EfpumTkO/amd/amdgpu/../display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c:3312:34\\n[   40.962849] shift exponent 4294967170 is too large for 32-bit type \u0027unsigned int\u0027\\n[   40.962852] CPU: 1 PID: 1670 Comm: gnome-shell Tainted: G        W  OE      6.5.0-41-generic #41~22.04.2-Ubuntu\\n[   40.962854] Hardware name: Gigabyte Technology Co., Ltd. X670E AORUS PRO X/X670E AORUS PRO X, BIOS F21 01/10/2024\\n[   40.962856] Call Trace:\\n[   40.962857]  \u003cTASK\u003e\\n[   40.962860]  dump_stack_lvl+0x48/0x70\\n[   40.962870]  dump_stack+0x10/0x20\\n[   40.962872]  __ubsan_handle_shift_out_of_bounds+0x1ac/0x360\\n[   40.962878]  calculate_cursor_req_attributes.cold+0x1b/0x28 [amdgpu]\\n[   40.963099]  dml_core_mode_support+0x6b91/0x16bc0 [amdgpu]\\n[   40.963327]  ? srso_alias_return_thunk+0x5/0x7f\\n[   40.963331]  ? CalculateWatermarksMALLUseAndDRAMSpeedChangeSupport+0x18b8/0x2790 [amdgpu]\\n[   40.963534]  ? srso_alias_return_thunk+0x5/0x7f\\n[   40.963536]  ? dml_core_mode_support+0xb3db/0x16bc0 [amdgpu]\\n[   40.963730]  dml2_core_calcs_mode_support_ex+0x2c/0x90 [amdgpu]\\n[   40.963906]  ? srso_alias_return_thunk+0x5/0x7f\\n[   40.963909]  ? dml2_core_calcs_mode_support_ex+0x2c/0x90 [amdgpu]\\n[   40.964078]  core_dcn4_mode_support+0x72/0xbf0 [amdgpu]\\n[   40.964247]  dml2_top_optimization_perform_optimization_phase+0x1d3/0x2a0 [amdgpu]\\n[   40.964420]  dml2_build_mode_programming+0x23d/0x750 [amdgpu]\\n[   40.964587]  dml21_validate+0x274/0x770 [amdgpu]\\n[   40.964761]  ? srso_alias_return_thunk+0x5/0x7f\\n[   40.964763]  ? resource_append_dpp_pipes_for_plane_composition+0x27c/0x3b0 [amdgpu]\\n[   40.964942]  dml2_validate+0x504/0x750 [amdgpu]\\n[   40.965117]  ? dml21_copy+0x95/0xb0 [amdgpu]\\n[   40.965291]  ? srso_alias_return_thunk+0x5/0x7f\\n[   40.965295]  dcn401_validate_bandwidth+0x4e/0x70 [amdgpu]\\n[   40.965491]  update_planes_and_stream_state+0x38d/0x5c0 [amdgpu]\\n[   40.965672]  update_planes_and_stream_v3+0x52/0x1e0 [amdgpu]\\n[   40.965845]  ? srso_alias_return_thunk+0x5/0x7f\\n[   40.965849]  dc_update_planes_and_stream+0x71/0xb0 [amdgpu]\\n\\nFix this by adding a guard for checking cursor width before triggering\\nthe size calculation.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/amd/display: se corrige una advertencia de UBSAN en DML2.1 Al programar una tuber\u00eda fantasma, dado que cursor_width se establece expl\u00edcitamente en 0, esto hace que la l\u00f3gica de c\u00e1lculo active un desbordamiento para un int sin signo que activa la comprobaci\u00f3n UBSAN del kernel como se muestra a continuaci\u00f3n: [ 40.962845] UBSAN: desplazamiento fuera de los l\u00edmites en /tmp/amd.EfpumTkO/amd/amdgpu/../display/dc/dml2/dml21/src/dml2_core/dml2_core_dcn4_calcs.c:3312:34 [ 40.962849] El exponente de desplazamiento 4294967170 es demasiado grande para el tipo de 32 bits \u0027unsigned int\u0027 [ 40.962852] CPU: 1 PID: 1670 Comm: gnome-shell Contaminado: GW OE 6.5.0-41-generic #41~22.04.2-Ubuntu [ 40.962854] Nombre del hardware: Gigabyte Technology Co., Ltd. X670E AORUS PRO X/X670E AORUS PRO X, BIOS F21 01/10/2024 [ 40.962856] Seguimiento de llamadas: [ 40.962857]  [ 40.962860] dump_stack_lvl+0x48/0x70 [ 40.962870] dump_stack+0x10/0x20 [ 40.962872] __ubsan_handle_shift_out_of_bounds+0x1ac/0x360 [ 40.962878] CalculateWatermarksMALLUseAndDRAMSpeedChangeSupport+0x18b8/0x2790 [amdgpu] [ 40.963534] ? srso_alias_return_thunk+0x5/0x7f [ 40.963536] ? srso_alias_return_thunk+0x5/0x7f [ 40.963909] ? srso_alias_return_thunk+0x5/0x7f [ 40.964763] ? recurso_agregar_dpp_tuber\u00edas_para_composici\u00f3n_de_planos+0x27c/0x3b0 [amdgpu] [ 40.964942] dml2_validate+0x504/0x750 [amdgpu] [ 40.965117] ? dml21_copy+0x95/0xb0 [amdgpu] [ 40.965291] ? srso_alias_return_thunk+0x5/0x7f [ 40.965295] dcn401_validate_bandwidth+0x4e/0x70 [amdgpu] [ 40.965491] update_planes_and_stream_state+0x38d/0x5c0 [amdgpu] [ 40.965672] update_planes_and_stream_v3+0x52/0x1e0 [amdgpu] [ 40.965845] ? srso_alias_return_thunk+0x5/0x7f [ 40.965849] dc_update_planes_and_stream+0x71/0xb0 [amdgpu] Solucione esto agregando una protecci\u00f3n para verificar el ancho del cursor antes de activar el c\u00e1lculo del tama\u00f1o.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-190\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"6.11.3\",\"matchCriteriaId\":\"6D5FF9C2-A011-4A64-B614-F9244ED2EA0D\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/27bc3da5eae57e3af8f5648b4498ffde48781434\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/eaf3adb8faab611ba57594fa915893fc93a7788c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.