{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-47720", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-09-30T16:00:12.950Z", "datePublished": "2024-10-21T11:53:50.178Z", "dateUpdated": "2026-05-11T20:39:28.989Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T20:39:28.989Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func\n\nThis commit adds a null check for the set_output_gamma function pointer\nin the dcn30_set_output_transfer_func function. Previously,\nset_output_gamma was being checked for nullity at line 386, but then it\nwas being dereferenced without any nullity check at line 401. This\ncould potentially lead to a null pointer dereference error if\nset_output_gamma is indeed null.\n\nTo fix this, we now ensure that set_output_gamma is not null before\ndereferencing it. We do this by adding a nullity check for\nset_output_gamma before the call to set_output_gamma at line 401. If\nset_output_gamma is null, we log an error message and do not call the\nfunction.\n\nThis fix prevents a potential null pointer dereference error.\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 dcn30_set_output_transfer_func()\nerror: we previously assumed 'mpc->funcs->set_output_gamma' could be null (see line 386)\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c\n 373 bool dcn30_set_output_transfer_func(struct dc *dc,\n 374 struct pipe_ctx *pipe_ctx,\n 375 const struct dc_stream_state *stream)\n 376 {\n 377 int mpcc_id = pipe_ctx->plane_res.hubp->inst;\n 378 struct mpc *mpc = pipe_ctx->stream_res.opp->ctx->dc->res_pool->mpc;\n 379 const struct pwl_params *params = NULL;\n 380 bool ret = false;\n 381\n 382 /* program OGAM or 3DLUT only for the top pipe*/\n 383 if (pipe_ctx->top_pipe == NULL) {\n 384 /*program rmu shaper and 3dlut in MPC*/\n 385 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream);\n 386 if (ret == false && mpc->funcs->set_output_gamma) {\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this is NULL\n\n 387 if (stream->out_transfer_func.type == TF_TYPE_HWPWL)\n 388 params = &stream->out_transfer_func.pwl;\n 389 else if (pipe_ctx->stream->out_transfer_func.type ==\n 390 TF_TYPE_DISTRIBUTED_POINTS &&\n 391 cm3_helper_translate_curve_to_hw_format(\n 392 &stream->out_transfer_func,\n 393 &mpc->blender_params, false))\n 394 params = &mpc->blender_params;\n 395 /* there are no ROM LUTs in OUTGAM */\n 396 if (stream->out_transfer_func.type == TF_TYPE_PREDEFINED)\n 397 BREAK_TO_DEBUGGER();\n 398 }\n 399 }\n 400\n--> 401 mpc->funcs->set_output_gamma(mpc, mpcc_id, params);\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Then it will crash\n\n 402 return ret;\n 403 }"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/amd/display/dc/hwss/dcn30/dcn30_hwseq.c"], "versions": [{"version": "d99f13878d6f9c286b13860d8bf0b4db9ffb189a", "lessThan": "44948d3cb943602ba4a0b5ed3c91ae0525838fb1", "status": "affected", "versionType": "git"}, {"version": "d99f13878d6f9c286b13860d8bf0b4db9ffb189a", "lessThan": "64886a4e6f1dce843c0889505cf0673b5211e16a", "status": "affected", "versionType": "git"}, {"version": "d99f13878d6f9c286b13860d8bf0b4db9ffb189a", "lessThan": "ddf9ff244d704e1903533f7be377615ed34b83e7", "status": "affected", "versionType": "git"}, {"version": "d99f13878d6f9c286b13860d8bf0b4db9ffb189a", "lessThan": "84edd5a3f5fa6aafa4afcaf9f101f46426c620c9", "status": "affected", "versionType": "git"}, {"version": "d99f13878d6f9c286b13860d8bf0b4db9ffb189a", "lessThan": "72ee32d0907364104fbcf4f68dd5ae63cd8eae9e", "status": "affected", "versionType": "git"}, {"version": "d99f13878d6f9c286b13860d8bf0b4db9ffb189a", "lessThan": "08ae395ea22fb3d9b318c8bde28c0dfd2f5fa4d2", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/amd/display/dc/hwss/dcn30/dcn30_hwseq.c"], "versions": [{"version": "5.9", "status": "affected"}, {"version": "0", "lessThan": "5.9", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.168", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.113", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.54", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.10.13", "lessThanOrEqual": "6.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.11.2", "lessThanOrEqual": "6.11.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "5.15.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.1.113"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.6.54"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.10.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.11.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.12"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/44948d3cb943602ba4a0b5ed3c91ae0525838fb1"}, {"url": "https://git.kernel.org/stable/c/64886a4e6f1dce843c0889505cf0673b5211e16a"}, {"url": "https://git.kernel.org/stable/c/ddf9ff244d704e1903533f7be377615ed34b83e7"}, {"url": "https://git.kernel.org/stable/c/84edd5a3f5fa6aafa4afcaf9f101f46426c620c9"}, {"url": "https://git.kernel.org/stable/c/72ee32d0907364104fbcf4f68dd5ae63cd8eae9e"}, {"url": "https://git.kernel.org/stable/c/08ae395ea22fb3d9b318c8bde28c0dfd2f5fa4d2"}], "title": "drm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-47720", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-21T13:02:07.747616Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-21T13:04:17.600Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T22:21:20.641Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-47720", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-21T13:02:07.747616Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-21T13:02:10.851Z"}}], "cna": {"title": "drm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "d99f13878d6f9c286b13860d8bf0b4db9ffb189a", "lessThan": "44948d3cb943602ba4a0b5ed3c91ae0525838fb1", "versionType": "git"}, {"status": "affected", "version": "d99f13878d6f9c286b13860d8bf0b4db9ffb189a", "lessThan": "64886a4e6f1dce843c0889505cf0673b5211e16a", "versionType": "git"}, {"status": "affected", "version": "d99f13878d6f9c286b13860d8bf0b4db9ffb189a", "lessThan": "ddf9ff244d704e1903533f7be377615ed34b83e7", "versionType": "git"}, {"status": "affected", "version": "d99f13878d6f9c286b13860d8bf0b4db9ffb189a", "lessThan": "84edd5a3f5fa6aafa4afcaf9f101f46426c620c9", "versionType": "git"}, {"status": "affected", "version": "d99f13878d6f9c286b13860d8bf0b4db9ffb189a", "lessThan": "72ee32d0907364104fbcf4f68dd5ae63cd8eae9e", "versionType": "git"}, {"status": "affected", "version": "d99f13878d6f9c286b13860d8bf0b4db9ffb189a", "lessThan": "08ae395ea22fb3d9b318c8bde28c0dfd2f5fa4d2", "versionType": "git"}], "programFiles": ["drivers/gpu/drm/amd/display/dc/hwss/dcn30/dcn30_hwseq.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.9"}, {"status": "unaffected", "version": "0", "lessThan": "5.9", "versionType": "semver"}, {"status": "unaffected", "version": "5.15.168", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.113", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.54", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.10.13", "versionType": "semver", "lessThanOrEqual": "6.10.*"}, {"status": "unaffected", "version": "6.11.2", "versionType": "semver", "lessThanOrEqual": "6.11.*"}, {"status": "unaffected", "version": "6.12", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/gpu/drm/amd/display/dc/hwss/dcn30/dcn30_hwseq.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/44948d3cb943602ba4a0b5ed3c91ae0525838fb1"}, {"url": "https://git.kernel.org/stable/c/64886a4e6f1dce843c0889505cf0673b5211e16a"}, {"url": "https://git.kernel.org/stable/c/ddf9ff244d704e1903533f7be377615ed34b83e7"}, {"url": "https://git.kernel.org/stable/c/84edd5a3f5fa6aafa4afcaf9f101f46426c620c9"}, {"url": "https://git.kernel.org/stable/c/72ee32d0907364104fbcf4f68dd5ae63cd8eae9e"}, {"url": "https://git.kernel.org/stable/c/08ae395ea22fb3d9b318c8bde28c0dfd2f5fa4d2"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func\n\nThis commit adds a null check for the set_output_gamma function pointer\nin the dcn30_set_output_transfer_func function. Previously,\nset_output_gamma was being checked for nullity at line 386, but then it\nwas being dereferenced without any nullity check at line 401. This\ncould potentially lead to a null pointer dereference error if\nset_output_gamma is indeed null.\n\nTo fix this, we now ensure that set_output_gamma is not null before\ndereferencing it. We do this by adding a nullity check for\nset_output_gamma before the call to set_output_gamma at line 401. If\nset_output_gamma is null, we log an error message and do not call the\nfunction.\n\nThis fix prevents a potential null pointer dereference error.\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 dcn30_set_output_transfer_func()\nerror: we previously assumed 'mpc->funcs->set_output_gamma' could be null (see line 386)\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c\n 373 bool dcn30_set_output_transfer_func(struct dc *dc,\n 374 struct pipe_ctx *pipe_ctx,\n 375 const struct dc_stream_state *stream)\n 376 {\n 377 int mpcc_id = pipe_ctx->plane_res.hubp->inst;\n 378 struct mpc *mpc = pipe_ctx->stream_res.opp->ctx->dc->res_pool->mpc;\n 379 const struct pwl_params *params = NULL;\n 380 bool ret = false;\n 381\n 382 /* program OGAM or 3DLUT only for the top pipe*/\n 383 if (pipe_ctx->top_pipe == NULL) {\n 384 /*program rmu shaper and 3dlut in MPC*/\n 385 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream);\n 386 if (ret == false && mpc->funcs->set_output_gamma) {\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this is NULL\n\n 387 if (stream->out_transfer_func.type == TF_TYPE_HWPWL)\n 388 params = &stream->out_transfer_func.pwl;\n 389 else if (pipe_ctx->stream->out_transfer_func.type ==\n 390 TF_TYPE_DISTRIBUTED_POINTS &&\n 391 cm3_helper_translate_curve_to_hw_format(\n 392 &stream->out_transfer_func,\n 393 &mpc->blender_params, false))\n 394 params = &mpc->blender_params;\n 395 /* there are no ROM LUTs in OUTGAM */\n 396 if (stream->out_transfer_func.type == TF_TYPE_PREDEFINED)\n 397 BREAK_TO_DEBUGGER();\n 398 }\n 399 }\n 400\n--> 401 mpc->funcs->set_output_gamma(mpc, mpcc_id, params);\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Then it will crash\n\n 402 return ret;\n 403 }"}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.15.168", "versionStartIncluding": "5.9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.1.113", "versionStartIncluding": "5.9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.6.54", "versionStartIncluding": "5.9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.10.13", "versionStartIncluding": "5.9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.11.2", "versionStartIncluding": "5.9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.12", "versionStartIncluding": "5.9"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T09:38:15.217Z"}}}, "cveMetadata": {"cveId": "CVE-2024-47720", "state": "PUBLISHED", "dateUpdated": "2025-05-04T09:38:15.217Z", "dateReserved": "2024-09-30T16:00:12.950Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-10-21T11:53:50.178Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "643E292D-C242-4FEC-8A11-034AB46708C1", "versionEndExcluding": "5.15.168", "versionStartIncluding": "5.9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D01BD22E-ACD1-4618-9D01-6116570BE1EE", "versionEndExcluding": "6.1.113", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D448821D-C085-4CAF-88FA-2DDE7BE21976", "versionEndExcluding": "6.6.54", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CE94BB8D-B0AB-4563-9ED7-A12122B56EBE", "versionEndExcluding": "6.10.13", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "AB755D26-97F4-43B6-8604-CD076811E181", "versionEndExcluding": "6.11.2", "versionStartIncluding": "6.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func\n\nThis commit adds a null check for the set_output_gamma function pointer\nin the dcn30_set_output_transfer_func function. Previously,\nset_output_gamma was being checked for nullity at line 386, but then it\nwas being dereferenced without any nullity check at line 401. This\ncould potentially lead to a null pointer dereference error if\nset_output_gamma is indeed null.\n\nTo fix this, we now ensure that set_output_gamma is not null before\ndereferencing it. We do this by adding a nullity check for\nset_output_gamma before the call to set_output_gamma at line 401. If\nset_output_gamma is null, we log an error message and do not call the\nfunction.\n\nThis fix prevents a potential null pointer dereference error.\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 dcn30_set_output_transfer_func()\nerror: we previously assumed 'mpc->funcs->set_output_gamma' could be null (see line 386)\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c\n 373 bool dcn30_set_output_transfer_func(struct dc *dc,\n 374 struct pipe_ctx *pipe_ctx,\n 375 const struct dc_stream_state *stream)\n 376 {\n 377 int mpcc_id = pipe_ctx->plane_res.hubp->inst;\n 378 struct mpc *mpc = pipe_ctx->stream_res.opp->ctx->dc->res_pool->mpc;\n 379 const struct pwl_params *params = NULL;\n 380 bool ret = false;\n 381\n 382 /* program OGAM or 3DLUT only for the top pipe*/\n 383 if (pipe_ctx->top_pipe == NULL) {\n 384 /*program rmu shaper and 3dlut in MPC*/\n 385 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream);\n 386 if (ret == false && mpc->funcs->set_output_gamma) {\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this is NULL\n\n 387 if (stream->out_transfer_func.type == TF_TYPE_HWPWL)\n 388 params = &stream->out_transfer_func.pwl;\n 389 else if (pipe_ctx->stream->out_transfer_func.type ==\n 390 TF_TYPE_DISTRIBUTED_POINTS &&\n 391 cm3_helper_translate_curve_to_hw_format(\n 392 &stream->out_transfer_func,\n 393 &mpc->blender_params, false))\n 394 params = &mpc->blender_params;\n 395 /* there are no ROM LUTs in OUTGAM */\n 396 if (stream->out_transfer_func.type == TF_TYPE_PREDEFINED)\n 397 BREAK_TO_DEBUGGER();\n 398 }\n 399 }\n 400\n--> 401 mpc->funcs->set_output_gamma(mpc, mpcc_id, params);\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Then it will crash\n\n 402 return ret;\n 403 }"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/amd/display: Agregar comprobaci\u00f3n nula para set_output_gamma en dcn30_set_output_transfer_func Esta confirmaci\u00f3n agrega una comprobaci\u00f3n nula para el puntero de funci\u00f3n set_output_gamma en la funci\u00f3n dcn30_set_output_transfer_func. Anteriormente, se estaba comprobando la nulidad de set_output_gamma en la l\u00ednea 386, pero luego se estaba desreferenciando sin ninguna comprobaci\u00f3n de nulidad en la l\u00ednea 401. Esto podr\u00eda conducir potencialmente a un error de desreferencia de puntero nulo si set_output_gamma es de hecho nulo. Para solucionar esto, ahora nos aseguramos de que set_output_gamma no sea nulo antes de desreferenciarlo. Hacemos esto agregando una comprobaci\u00f3n de nulidad para set_output_gamma antes de la llamada a set_output_gamma en la l\u00ednea 401. Si set_output_gamma es nulo, registramos un mensaje de error y no llamamos a la funci\u00f3n. Esta correcci\u00f3n evita un posible error de desreferencia de puntero nulo. drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 error de dcn30_set_output_transfer_func(): anteriormente asumimos que 'mpc->funcs->set_output_gamma' podr\u00eda ser nulo (ver l\u00ednea 386) drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c 373 bool dcn30_set_output_transfer_func(struct dc *dc, 374 struct pipe_ctx *pipe_ctx, 375 const struct dc_stream_state *stream) 376 { 377 int mpcc_id = pipe_ctx->plane_res.hubp->inst; 378 struct mpc *mpc = pipe_ctx->stream_res.opp->ctx->dc->res_pool->mpc; 379 const struct pwl_params *params = NULL; 380 bool ret = false; 381 382 /* programa OGAM o 3DLUT solo para la tuber\u00eda superior*/ 383 if (pipe_ctx->top_pipe == NULL) { 384 /*programa rmu shaper y 3dlut en MPC*/ 385 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream); 386 si (ret == falso && mpc->funcs->set_output_gamma) { ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Si esto es NULL 387 si (flujo->out_transfer_func.type == TF_TYPE_HWPWL) 388 par\u00e1metros = &flujo->out_transfer_func.pwl; 389 de lo contrario si (pipe_ctx->flujo->out_transfer_func.type == 390 TF_TYPE_DISTRIBUTED_POINTS && 391 cm3_helper_translate_curve_to_hw_format( 392 &flujo->out_transfer_func, 393 &mpc->blender_params, falso)) 394 par\u00e1metros = &mpc->blender_params; 395 /* no hay LUT de ROM en OUTGAM */ 396 if (stream->out_transfer_func.type == TF_TYPE_PREDEFINED) 397 BREAK_TO_DEBUGGER(); 398 } 399 } 400 --> 401 mpc->funcs->set_output_gamma(mpc, mpcc_id, params); ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Entonces se bloquear\u00e1 402 return ret; 403 }"}], "id": "CVE-2024-47720", "lastModified": "2025-11-03T23:16:19.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-10-21T12:15:08.240", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/08ae395ea22fb3d9b318c8bde28c0dfd2f5fa4d2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/44948d3cb943602ba4a0b5ed3c91ae0525838fb1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/64886a4e6f1dce843c0889505cf0673b5211e16a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/72ee32d0907364104fbcf4f68dd5ae63cd8eae9e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/84edd5a3f5fa6aafa4afcaf9f101f46426c620c9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ddf9ff244d704e1903533f7be377615ed34b83e7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: drm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func", "id": "2320219", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2320219"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["In the Linux kernel, the following vulnerability has been resolved:\ndrm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func\nThis commit adds a null check for the set_output_gamma function pointer\nin the dcn30_set_output_transfer_func function. Previously,\nset_output_gamma was being checked for nullity at line 386, but then it\nwas being dereferenced without any nullity check at line 401. This\ncould potentially lead to a null pointer dereference error if\nset_output_gamma is indeed null.\nTo fix this, we now ensure that set_output_gamma is not null before\ndereferencing it. We do this by adding a nullity check for\nset_output_gamma before the call to set_output_gamma at line 401. If\nset_output_gamma is null, we log an error message and do not call the\nfunction.\nThis fix prevents a potential null pointer dereference error.\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 dcn30_set_output_transfer_func()\nerror: we previously assumed 'mpc->funcs->set_output_gamma' could be null (see line 386)\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c\n373 bool dcn30_set_output_transfer_func(struct dc *dc,\n374 struct pipe_ctx *pipe_ctx,\n375 const struct dc_stream_state *stream)\n376 {\n377 int mpcc_id = pipe_ctx->plane_res.hubp->inst;\n378 struct mpc *mpc = pipe_ctx->stream_res.opp->ctx->dc->res_pool->mpc;\n379 const struct pwl_params *params = NULL;\n380 bool ret = false;\n381\n382 /* program OGAM or 3DLUT only for the top pipe*/\n383 if (pipe_ctx->top_pipe == NULL) {\n384 /*program rmu shaper and 3dlut in MPC*/\n385 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream);\n386 if (ret == false && mpc->funcs->set_output_gamma) {\n^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this is NULL\n387 if (stream->out_transfer_func.type == TF_TYPE_HWPWL)\n388 params = &stream->out_transfer_func.pwl;\n389 else if (pipe_ctx->stream->out_transfer_func.type ==\n390 TF_TYPE_DISTRIBUTED_POINTS &&\n391 cm3_helper_translate_curve_to_hw_format(\n392 &stream->out_transfer_func,\n393 &mpc->blender_params, false))\n394 params = &mpc->blender_params;\n395 /* there are no ROM LUTs in OUTGAM */\n396 if (stream->out_transfer_func.type == TF_TYPE_PREDEFINED)\n397 BREAK_TO_DEBUGGER();\n398 }\n399 }\n400\n--> 401 mpc->funcs->set_output_gamma(mpc, mpcc_id, params);\n^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Then it will crash\n402 return ret;\n403 }"], "name": "CVE-2024-47720", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-10-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-47720\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-47720\nhttps://lore.kernel.org/linux-cve-announce/2024102121-CVE-2024-47720-c007@gregkh/T"], "threat_severity": "Moderate"}

{}