7.8 CVE-2024-56608
Buffer Overflow Patch
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create'
An issue was identified in the dcn21_link_encoder_create function where
an out-of-bounds access could occur when the hpd_source index was used
to reference the link_enc_hpd_regs array. This array has a fixed size
and the index was not being checked against the array's bounds before
accessing it.
This fix adds a conditional check to ensure that the hpd_source index is
within the valid range of the link_enc_hpd_regs array. If the index is
out of bounds, the function now returns NULL to prevent undefined
behavior.
References:
[ 65.920507] ------------[ cut here ]------------
[ 65.920510] UBSAN: array-index-out-of-bounds in drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn21/dcn21_resource.c:1312:29
[ 65.920519] index 7 is out of range for type 'dcn10_link_enc_hpd_registers [5]'
[ 65.920523] CPU: 3 PID: 1178 Comm: modprobe Tainted: G OE 6.8.0-cleanershaderfeatureresetasdntipmi200nv2132 #13
[ 65.920525] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS WMJ0429N_Weekly_20_04_2 04/29/2020
[ 65.920527] Call Trace:
[ 65.920529] <TASK>
[ 65.920532] dump_stack_lvl+0x48/0x70
[ 65.920541] dump_stack+0x10/0x20
[ 65.920543] __ubsan_handle_out_of_bounds+0xa2/0xe0
[ 65.920549] dcn21_link_encoder_create+0xd9/0x140 [amdgpu]
[ 65.921009] link_create+0x6d3/0xed0 [amdgpu]
[ 65.921355] create_links+0x18a/0x4e0 [amdgpu]
[ 65.921679] dc_create+0x360/0x720 [amdgpu]
[ 65.921999] ? dmi_matches+0xa0/0x220
[ 65.922004] amdgpu_dm_init+0x2b6/0x2c90 [amdgpu]
[ 65.922342] ? console_unlock+0x77/0x120
[ 65.922348] ? dev_printk_emit+0x86/0xb0
[ 65.922354] dm_hw_init+0x15/0x40 [amdgpu]
[ 65.922686] amdgpu_device_init+0x26a8/0x33a0 [amdgpu]
[ 65.922921] amdgpu_driver_load_kms+0x1b/0xa0 [amdgpu]
[ 65.923087] amdgpu_pci_probe+0x1b7/0x630 [amdgpu]
[ 65.923087] local_pci_probe+0x4b/0xb0
[ 65.923087] pci_device_probe+0xc8/0x280
[ 65.923087] really_probe+0x187/0x300
[ 65.923087] __driver_probe_device+0x85/0x130
[ 65.923087] driver_probe_device+0x24/0x110
[ 65.923087] __driver_attach+0xac/0x1d0
[ 65.923087] ? __pfx___driver_attach+0x10/0x10
[ 65.923087] bus_for_each_dev+0x7d/0xd0
[ 65.923087] driver_attach+0x1e/0x30
[ 65.923087] bus_add_driver+0xf2/0x200
[ 65.923087] driver_register+0x64/0x130
[ 65.923087] ? __pfx_amdgpu_init+0x10/0x10 [amdgpu]
[ 65.923087] __pci_register_driver+0x61/0x70
[ 65.923087] amdgpu_init+0x7d/0xff0 [amdgpu]
[ 65.923087] do_one_initcall+0x49/0x310
[ 65.923087] ? kmalloc_trace+0x136/0x360
[ 65.923087] do_init_module+0x6a/0x270
[ 65.923087] load_module+0x1fce/0x23a0
[ 65.923087] init_module_from_file+0x9c/0xe0
[ 65.923087] ? init_module_from_file+0x9c/0xe0
[ 65.923087] idempotent_init_module+0x179/0x230
[ 65.923087] __x64_sys_finit_module+0x5d/0xa0
[ 65.923087] do_syscall_64+0x76/0x120
[ 65.923087] entry_SYSCALL_64_after_hwframe+0x6e/0x76
[ 65.923087] RIP: 0033:0x7f2d80f1e88d
[ 65.923087] Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 b5 0f 00 f7 d8 64 89 01 48
[ 65.923087] RSP: 002b:00007ffc7bc1aa78 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 65.923087] RAX: ffffffffffffffda RBX: 0000564c9c1db130 RCX: 00007f2d80f1e88d
[ 65.923087] RDX: 0000000000000000 RSI: 0000564c9c1e5480 RDI: 000000000000000f
[ 65.923087] RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000002
[ 65.923087] R10: 000000000000000f R11: 0000000000000246 R12: 0000564c9c1e5480
[ 65.923087] R13: 0000564c9c1db260 R14: 0000000000000000 R15: 0000564c9c1e54b0
[ 65.923087] </TASK>
[ 65.923927] ---[ end trace ]---
https://nvd.nist.gov/vuln/detail/CVE-2024-56608
Categories
CWE-129 : Improper Validation of Array Index
The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. The most common condition situation leading to an out-of-bounds array index is the use of loop index variables as buffer indexes. If the end condition for the loop is subject to a flaw, the index can grow or shrink unbounded, therefore causing a buffer overflow or underflow. Another common situation leading to this condition is the use of a function's return value, or the resulting value of a calculation directly as an index in to a buffer. This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results. Black box methods might not get the needed code coverage within limited time constraints, and a dynamic test might not produce any noticeable side effects even if it is successful. Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173). Be especially careful to validate all input when invoking code that crosses language boundaries, such as from an interpreted language to native code. This could create an unexpected interaction between the language boundaries. Ensure that you are not violating any of the expectations of the language with which you are interfacing. For example, even though Java may not be susceptible to buffer overflows, providing a large argument in a call to native code might trigger an overflow. Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations. large ID in packet used as array index negative array index as argument to POP LIST command Integer signedness error leads to negative array index product does not properly track a count and a maximum number, which can lead to resultant array index overflow. Chain: device driver for packet-capturing software allows access to an unintended IOCTL with resultant array index error. Chain: array index error (CWE-129) leads to deadlock (CWE-833)
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67 Patch
CPE
| cpe | start | end |
|---|---|---|
| Configuration 1 | ||
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | < 6.12.5 | |
REMEDIATION
Patch
| Url |
|---|
| https://git.kernel.org/stable/c/63de35a8fcfca59ae8750d469a7eb220c7557baf |
| https://git.kernel.org/stable/c/f01ddd589e162979421e6914b1c74018633f01e0 |
EXPLOITS
Exploit-db.com
| id | description | date | |
|---|---|---|---|
| No known exploits | |||
POC Github
| Url |
|---|
| No known exploits |
Other Nist (github, ...)
| Url |
|---|
| No known exploits |
CAPEC
Common Attack Pattern Enumerations and Classifications
| id | description | severity |
|---|---|---|
| 100 | Overflow Buffers |
Very High |
Cybersecurity needs ?
Strengthen software security from the outset with our DevSecOps expertise
Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.
