* [PATCH] drm/amd/display:fix a Null pointer dereference vulnerability
From: jackysliu @ 2025-07-03 3:39 UTC (permalink / raw)
To: harry.wentland
Cc: sunpeng.li, siqueira, alexander.deucher, christian.koenig,
airlied, simona, alvin.lee2, aurabindo.pillai, Dillon.Varone,
Austin.Zheng, Sung.Lee, mario.limonciello, Wayne.Lin, ryanseto,
linux, joshua.aberback, amd-gfx, dri-devel, linux-kernel,
jackysliu, jackysliu
A null pointer dereference vulnerability exists in the AMD display driver's
(DC module) cleanup function dc_destruct().
When display control context (dc->ctx) construction fails
(due to memory allocation failure), this pointer remains NULL.
During subsequent error handling when dc_destruct() is called,
there's no NULL check before dereferencing the perf_trace member
(dc->ctx->perf_trace),
causing a kernel null pointer dereference crash.

Signed-off-by: jackysliu <Security@tencent.com>
---
drivers/gpu/drm/amd/display/dc/core/dc.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c
index 56d011a1323c..3bda0593f66f 100644
--- a/drivers/gpu/drm/amd/display/dc/core/dc.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
@@ -934,6 +934,11 @@ static void dc_destruct(struct dc *dc)
if (dc->link_srv)
link_destroy_link_service(&dc->link_srv);
+ if (!dc->ctx) {
+ dm_error("%s: called with NULL ctx\n", __func__);
+ goto skip_ctx_cleanup;
+ }
+
if (dc->ctx->gpio_service)
dal_gpio_service_destroy(&dc->ctx->gpio_service);
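Review bot: the commit message names dc->ctx->perf_trace as the offending dereference, but the first use of dc->ctx that this guard protects is the `if (dc->ctx->gpio_service)` check directly below the new block; the description should name the first dereference on the path so the justification matches the code. A `goto` that jumps over what is otherwise a straight sequence of frees also invites mistakes when lines are later added between the check and the label; a single `if (dc->ctx) { ... }` around the ctx teardown gives the same effect without the label.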
@@ -946,6 +951,7 @@ static void dc_destruct(struct dc *dc)
kfree(dc->ctx);
dc->ctx = NULL;
+skip_ctx_cleanup:
kfree(dc->bw_vbios);
dc->bw_vbios = NULL;
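Review bot: the `skip_ctx_cleanup:` label sits immediately before `kfree(dc->bw_vbios);`, so any statement later inserted between `dc->ctx = NULL;` and the label would be silently skipped on the NULL-ctx path with no compiler help; if the goto is kept, a comment at the label stating that only ctx-owned resources are skipped makes that boundary explicit. The patch also carries no Fixes: tag even though it describes a crash on the dc_create() error path; add one pointing at the commit that introduced the unguarded dereference, or say why it is not needed.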
--
2.43.5
* Re: [PATCH] drm/amd/display:fix a Null pointer dereference vulnerability
From: Harry Wentland @ 2025-07-03 15:15 UTC (permalink / raw)
To: jackysliu
Cc: sunpeng.li, siqueira, alexander.deucher, christian.koenig,
airlied, simona, alvin.lee2, aurabindo.pillai, Dillon.Varone,
Austin.Zheng, Sung.Lee, mario.limonciello, Wayne.Lin, ryanseto,
linux, joshua.aberback, amd-gfx, dri-devel, linux-kernel,
jackysliu
On 2025-07-02 23:39, jackysliu wrote:
> A null pointer dereference vulnerability exists in the AMD display driver's
> (DC module) cleanup function dc_destruct().
> When display control context (dc->ctx) construction fails
> (due to memory allocation failure), this pointer remains NULL.
> During subsequent error handling when dc_destruct() is called,
> there's no NULL check before dereferencing the perf_trace member
> (dc->ctx->perf_trace),
> causing a kernel null pointer dereference crash
>
> Signed-off-by: jackysliu <Security@tencent.com>
Thanks for your patch.
Please run and fix this checkpatch.pl warning:
WARNING: From:/Signed-off-by: email address mismatch: 'From: jackysliu <1972843537@qq.com>' != 'Signed-off-by: jackysliu <Security@tencent.com>'
> ---
> drivers/gpu/drm/amd/display/dc/core/dc.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c
> index 56d011a1323c..3bda0593f66f 100644
> --- a/drivers/gpu/drm/amd/display/dc/core/dc.c
> +++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
> @@ -934,6 +934,11 @@ static void dc_destruct(struct dc *dc)
> if (dc->link_srv)
> link_destroy_link_service(&dc->link_srv);
>
> + if (!dc->ctx) {
> + dm_error("%s: called with NULL ctx\n", __func__);
> + goto skip_ctx_cleanup;
> + }
> +
I would prefer to simply wrap the dc->ctx->logger and dc->ctx bits
with if (!dc->ctx) and avoid the goto.
Harry
> if (dc->ctx->gpio_service)
> dal_gpio_service_destroy(&dc->ctx->gpio_service);
>
> @@ -946,6 +951,7 @@ static void dc_destruct(struct dc *dc)
> kfree(dc->ctx);
> dc->ctx = NULL;
>
> +skip_ctx_cleanup:
> kfree(dc->bw_vbios);
> dc->bw_vbios = NULL;
>
* RE:[PATCH] drm/amd/display:fix a Null pointer dereference vulnerability
From: jackysliu @ 2025-07-04 3:11 UTC (permalink / raw)
To: harry.wentland
Cc: 1972843537, Austin.Zheng, Dillon.Varone, Security, Sung.Lee,
Wayne.Lin, airlied, alexander.deucher, alvin.lee2, amd-gfx,
aurabindo.pillai, christian.koenig, dri-devel, joshua.aberback,
linux-kernel, linux, mario.limonciello, ryanseto, simona,
siqueira, sunpeng.li
On 2025-07-03 11:15, Harry Wentland wrote:
>Thanks for your patch.
>
>Please run and fix this checkpatch.pl warning:
>
>WARNING: From:/Signed-off-by: email address mismatch: 'From: jackysliu <1972843537@qq.com>' != 'Signed-off-by: jackysliu <Security@tencent.com>'
>I would prefer to simply wrap the dc->ctx->logger and dc->ctx bits
>with if (!dc->ctx) and avoid the goto.
Thank you Harry, for the patient review. I'll submit a revised patch later.
* [PATCH v2] drm/amd/display:fix a Null pointer dereference vulnerability
From: jackysliu @ 2025-07-04 3:16 UTC (permalink / raw)
To: harry.wentland
Cc: 1972843537, Austin.Zheng, Dillon.Varone, Security, Sung.Lee,
Wayne.Lin, airlied, alexander.deucher, alvin.lee2, amd-gfx,
aurabindo.pillai, christian.koenig, dri-devel, joshua.aberback,
linux-kernel, linux, mario.limonciello, ryanseto, simona,
siqueira, sunpeng.li
From: jackysliu <Security@tencent.com>
A null pointer dereference vulnerability exists in the AMD display driver's
(DC module) cleanup function dc_destruct().
When display control context (dc->ctx) construction fails
(due to memory allocation failure), this pointer remains NULL.
During subsequent error handling when dc_destruct() is called,
there's no NULL check before dereferencing the perf_trace member
(dc->ctx->perf_trace),
causing a kernel null pointer dereference crash.

Signed-off-by: jackysliu <Security@tencent.com>
---
drivers/gpu/drm/amd/display/dc/core/dc.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c
index 56d011a1323c..393f87cfe74d 100644
--- a/drivers/gpu/drm/amd/display/dc/core/dc.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
@@ -934,17 +934,21 @@ static void dc_destruct(struct dc *dc)
if (dc->link_srv)
link_destroy_link_service(&dc->link_srv);
- if (dc->ctx->gpio_service)
- dal_gpio_service_destroy(&dc->ctx->gpio_service);
+ if (!dc->ctx) {
+ dm_error("%s: called with NULL ctx\n", __func__);
+ } else {
+ if (dc->ctx->gpio_service)
+ dal_gpio_service_destroy(&dc->ctx->gpio_service);
- if (dc->ctx->created_bios)
- dal_bios_parser_destroy(&dc->ctx->dc_bios);
+ if (dc->ctx->created_bios)
+ dal_bios_parser_destroy(&dc->ctx->dc_bios);
- kfree(dc->ctx->logger);
- dc_perf_trace_destroy(&dc->ctx->perf_trace);
+ kfree(dc->ctx->logger);
+ dc_perf_trace_destroy(&dc->ctx->perf_trace);
- kfree(dc->ctx);
- dc->ctx = NULL;
+ kfree(dc->ctx);
+ dc->ctx = NULL;
+ }
kfree(dc->bw_vbios);
dc->bw_vbios = NULL;
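Review bot: the commit message is unchanged from v1 and still cites dc->ctx->perf_trace, while the first dereference now inside the `else` branch is `dc->ctx->gpio_service`; it also still lacks a Fixes: tag, and there is no v1 to v2 changelog under the `---` line recording that the goto was replaced by an if/else at Harry's request. The `dm_error()` on the NULL-ctx branch fires on a path that, per the description, is only reached after dc_construct_ctx() has already failed on allocation, so consider whether a second error line adds information or whether a bare `if (dc->ctx) { ... }` is enough. Re-indenting the eight existing lines inside `else` also makes the hunk larger than the logical change; moving the ctx teardown into a small helper called under `if (dc->ctx)` would keep the diff to the guard itself.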
--
2.43.5
* Re: [PATCH v2] drm/amd/display:fix a Null pointer dereference vulnerability
From: Krzysztof Kozlowski @ 2025-07-15 10:44 UTC (permalink / raw)
To: jackysliu, harry.wentland
Cc: Austin.Zheng, Dillon.Varone, Security, Sung.Lee, Wayne.Lin,
airlied, alexander.deucher, alvin.lee2, amd-gfx, aurabindo.pillai,
christian.koenig, dri-devel, joshua.aberback, linux-kernel, linux,
mario.limonciello, ryanseto, simona, siqueira, sunpeng.li
On 04/07/2025 05:16, jackysliu wrote:
> From: jackysliu <Security@tencent.com>
>
> A null pointer dereference vulnerability exists in the AMD display driver's
> (DC module) cleanup function dc_destruct().
> When display control context (dc->ctx) construction fails
> (due to memory allocation failure), this pointer remains NULL.
> During subsequent error handling when dc_destruct() is called,
> there's no NULL check before dereferencing the perf_trace member
> (dc->ctx->perf_trace),
> causing a kernel null pointer dereference crash
>
> Signed-off-by: jackysliu <Security@tencent.com>
> ---
> drivers/gpu/drm/amd/display/dc/core/dc.c | 20 ++++++++++++--------
> 1 file changed, 12 insertions(+), 8 deletions(-)
You should disclose that you used some AI tool for that... and that the
other report(s) were really fake findings. People should know you
generated it with AI, so they could make an informed decision whether to
even allocate time here.
Best regards,
Krzysztof
* Re: [PATCH v2] drm/amd/display:fix a Null pointer dereference vulnerability
From: Mario Limonciello @ 2025-07-15 21:29 UTC (permalink / raw)
To: Krzysztof Kozlowski, jackysliu, harry.wentland
Cc: Austin.Zheng, Dillon.Varone, Security, Sung.Lee, Wayne.Lin,
airlied, alexander.deucher, alvin.lee2, amd-gfx, aurabindo.pillai,
christian.koenig, dri-devel, joshua.aberback, linux-kernel, linux,
ryanseto, simona, siqueira, sunpeng.li
On 7/15/2025 5:44 AM, Krzysztof Kozlowski wrote:
> On 04/07/2025 05:16, jackysliu wrote:
>> From: jackysliu <Security@tencent.com>
>>
>> A null pointer dereference vulnerability exists in the AMD display driver's
>> (DC module) cleanup function dc_destruct().
>> When display control context (dc->ctx) construction fails
>> (due to memory allocation failure), this pointer remains NULL.
>> During subsequent error handling when dc_destruct() is called,
>> there's no NULL check before dereferencing the perf_trace member
>> (dc->ctx->perf_trace),
>> causing a kernel null pointer dereference crash
>>
>> Signed-off-by: jackysliu <Security@tencent.com>
>> ---
>> drivers/gpu/drm/amd/display/dc/core/dc.c | 20 ++++++++++++--------
>> 1 file changed, 12 insertions(+), 8 deletions(-)
>
> You should disclose that you used some AI tool for that... and that
> other report(s) was really fake finding. People should know you
> generated it with AI, so they could make informed decision whether to
> even allocate time here.
>
> Best regards,
> Krzysztof
Failure paths are so rarely executed that it sometimes takes years or
static analyzers to find and fix issues.
In this case I think it's a real problem. During init the following
sequence happens:
dc_create()
->dc_construct_ctx()
If dc_construct_ctx() fails then it jumps to a label that calls
dc_destruct(). So if the context wasn't set up then yeah there could be
a NULL pointer deref.
So to me this makes sense.
Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
Harry, do you agree?
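A constructed C model of the create/destruct sequence Mario lays out, added here as an example and not code from the kernel or from anyone in the thread: the struct layouts, the fail_alloc knob and the null_ctx_reports counter are stand-ins, and dc_destruct() follows the shape of the v2 hunk so that the forced allocation-failure path can be driven to completion without a NULL dereference.

```c
#include <stdlib.h>
struct dc_context { int *perf_trace; };                 /* constructed stand-ins, not the kernel's structs */
struct dc { struct dc_context *ctx; int *bw_vbios; };
static int null_ctx_reports;                            /* counts what dm_error() would have logged */
/* fail_alloc is a hypothetical knob that forces the ctx allocation failure the report describes. */
static int dc_construct_ctx(struct dc *dc, int fail_alloc)
{
	dc->ctx = fail_alloc ? NULL : calloc(1, sizeof(*dc->ctx));
	if (!dc->ctx) return -1;                /* ctx stays NULL */
	dc->ctx->perf_trace = calloc(1, sizeof(int));
	return 0;
}

/* Destructor shaped like the v2 hunk: ctx members are touched only when ctx exists. */
static void dc_destruct(struct dc *dc)
{
	if (!dc->ctx) {
		null_ctx_reports++;             /* stands in for dm_error("called with NULL ctx") */
	} else {
		free(dc->ctx->perf_trace);      /* the dereference the unpatched code reached unguarded */
		free(dc->ctx);
		dc->ctx = NULL;
	}
	free(dc->bw_vbios);                     /* not ctx-owned: freed on both paths */
}

/* The create path Mario describes: a ctx failure jumps to a label that runs dc_destruct(). */
static struct dc *dc_create(int fail_ctx_alloc)
{
	struct dc *dc = calloc(1, sizeof(*dc));
	if (!dc) return NULL;
	dc->bw_vbios = calloc(1, sizeof(int));
	if (dc_construct_ctx(dc, fail_ctx_alloc)) goto fail;
	return dc;
fail:
	dc_destruct(dc);                        /* unpatched dc_destruct() would dereference NULL here */
	free(dc);
	return NULL;
}

/* Returns 1 when the requested path completes: a forced failure reports NULL ctx exactly once, the normal path never does. */
int run_dc_lifecycle_check(int force_ctx_failure)
{
	null_ctx_reports = 0;
	struct dc *dc = dc_create(force_ctx_failure);
	if (!dc) return force_ctx_failure && null_ctx_reports == 1;
	dc_destruct(dc);
	free(dc);
	return !force_ctx_failure && null_ctx_reports == 0;
}
```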
* Re: [PATCH] scsi:bfa: Double-free vulnerability fix
From: jackysliu @ 2025-07-16 3:10 UTC (permalink / raw)
To: krzk
Cc: 1972843537, Austin.Zheng, Dillon.Varone, Security, Sung.Lee,
Wayne.Lin, airlied, alexander.deucher, alvin.lee2, amd-gfx,
aurabindo.pillai, christian.koenig, dri-devel, harry.wentland,
joshua.aberback, linux-kernel, linux, mario.limonciello, ryanseto,
simona, siqueira, sunpeng.li
On Tue, Jul 15 2025 12:45:00 +0200 Krzysztof Kozlowski wrote:
>You should disclose that you used some AI tool for that... and that
>other report(s) was really fake finding. People should know you
>generated it with AI, so they could make informed decision whether to
>even allocate time here.
Although this problem was detected with the help of AI and static methods,
I checked the trigger path by myself and verified this problem.
I'll describe the ways of detection if I find other issues in the future.
Anyway, thanks for your review.
Siyang Liu
* Re: [PATCH v2] drm/amd/display:fix a Null pointer dereference vulnerability
From: jackysliu @ 2025-07-16 3:37 UTC (permalink / raw)
To: krzk
Cc: 1972843537, Austin.Zheng, Dillon.Varone, Security, Sung.Lee,
Wayne.Lin, airlied, alexander.deucher, alvin.lee2, amd-gfx,
aurabindo.pillai, christian.koenig, dri-devel, harry.wentland,
joshua.aberback, linux-kernel, linux, mario.limonciello, ryanseto,
simona, siqueira, sunpeng.li
On Tue, Jul 15 2025 12:44:40 +0200 Krzysztof Kozlowski wrote:
>You should disclose that you used some AI tool for that... and that
>other report(s) was really fake finding. People should know you
>generated it with AI, so they could make informed decision whether to
>even allocate time here.
Although this problem was detected with the help of AI and static methods,
I checked the trigger path by myself and verified this problem.
I'll describe the ways of detection if I find other issues in the future.
Anyway, thanks for your review.
Siyang Liu