CVE-2024-26660

drm/amd/display: Implement bounds check for stream encoder creation in DCN301

Severity Score

4.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Implement bounds check for stream encoder creation in DCN301

'stream_enc_regs' array is an array of dcn10_stream_enc_registers
structures. The array is initialized with four elements, corresponding
to the four calls to stream_enc_regs() in the array initializer. This
means that valid indices for this array are 0, 1, 2, and 3.

The error message 'stream_enc_regs' 4 <= 5 below, is indicating that
there is an attempt to access this array with an index of 5, which is
out of bounds. This could lead to undefined behavior

Here, eng_id is used as an index to access the stream_enc_regs array. If
eng_id is 5, this would result in an out-of-bounds access on the
stream_enc_regs array.

Thus fixing Buffer overflow error in dcn301_stream_encoder_create
reported by Smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn301/dcn301_resource.c:1011 dcn301_stream_encoder_create() error: buffer overflow 'stream_enc_regs' 4 <= 5

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: drm/amd/display: implementar la verificación de los límites para la creación del codificador de flujo en la matriz DCN301 'stream_enc_regs' es una matriz de estructuras dcn10_stream_enc_registers. La matriz se inicializa con cuatro elementos, correspondientes a las cuatro llamadas a stream_enc_regs() en el inicializador de la matriz. Esto significa que los índices válidos para esta matriz son 0, 1, 2 y 3. El mensaje de error 'stream_enc_regs' 4 <= 5 a continuación indica que hay un intento de acceder a esta matriz con un índice de 5, que no está disponible. de los límites. Esto podría provocar un comportamiento indefinido. Aquí, eng_id se utiliza como índice para acceder a la matriz stream_enc_regs. Si eng_id es 5, esto daría como resultado un acceso fuera de los límites en la matriz stream_enc_regs. Solucionando así el error de desbordamiento de búfer en dcn301_stream_encoder_create informado por Smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn301/dcn301_resource.c:1011 dcn301_stream_encoder_create() error: desbordamiento de búfer 'stream_enc_regs' 4 <= 5

A vulnerability was found in the DRM/AMD/Display module of the Linux Kernel. An out-of-bounds access exists in the 'stream_enc_regs' array within DCN301, while accessing the array with 'eng_id,’ could lead to an out-of-bounds access beyond its four-element size, which can cause a system crash.

*Credits: N/A

CVSS Scores

Red Hatv3.1 4.4

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-04-02 CVE Published
2024-04-02 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-125: Out-of-bounds Read

CAPEC

References (8)

URL	Tag	Source
https://git.kernel.org/stable/c/3a83e4e64bb1522ddac67ffc787d1c38291e1a65	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/42442f74314d41ddc68227047036fa3e78940054	2024-02-23
https://git.kernel.org/stable/c/efdd665ce1a1634b8c1dad5e7f6baaef3e131d0a	2024-02-16
https://git.kernel.org/stable/c/cd9bd10c59e3c1446680514fd3097c5b00d3712d	2024-02-16
https://git.kernel.org/stable/c/a938eab9586eea31cfd129a507f552efae14d738	2024-02-16
https://git.kernel.org/stable/c/58fca355ad37dcb5f785d9095db5f748b79c5dc2	2024-02-07

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-26660	2024-08-08
https://bugzilla.redhat.com/show_bug.cgi?id=2272782	2024-08-08

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.11 < 5.15.149 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 5.15.149"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.11 < 6.1.78 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 6.1.78"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.11 < 6.6.17 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 6.6.17"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.11 < 6.7.5 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 6.7.5"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.11 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 6.8"		en		Affected