CVE-2024-26667

The commit 8b45a26f2ba9 ("drm/msm/dpu: reserve cdm blocks for writeback in case of YUV output") introduced a smatch warning about another conditional block in dpuencoderhelperphyscleanup() which had assumed hw_pp will always be valid which may not necessarily be true.

Lets fix the other conditional block by making sure hw_pp is valid before dereferencing it.

Patchwork: https://patchwork.freedesktop.org/patch/574878/

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

ae4d721ce10057a4aa9f0d253e0d460518a9ef75

Fixed

fb8bfc6ea3cd8c5ac3d35711d064e2f6646aec17

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

ae4d721ce10057a4aa9f0d253e0d460518a9ef75

Fixed

79592a6e7bdc1d05460c95f891f5e5263a107af8

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

ae4d721ce10057a4aa9f0d253e0d460518a9ef75

Fixed

eb4f56f3ff5799ca754ae6d811803a63fe25a4a2

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

ae4d721ce10057a4aa9f0d253e0d460518a9ef75

Fixed

7f3d03c48b1eb6bc45ab20ca98b8b11be25f9f52

Affected versions

v5.*

v5.18

v5.18-rc3

v5.18-rc4

v5.18-rc5

v5.18-rc6

v5.18-rc7

v5.19

v5.19-rc1

v5.19-rc2

v5.19-rc3

v5.19-rc4

v5.19-rc5

v5.19-rc6

v5.19-rc7

v5.19-rc8

v6.*

v6.0

v6.0-rc1

v6.0-rc2

v6.0-rc3

v6.0-rc4

v6.0-rc5

v6.0-rc6

v6.0-rc7

v6.1

v6.1-rc1

v6.1-rc2

v6.1-rc3

v6.1-rc4

v6.1-rc5

v6.1-rc6

v6.1-rc7

v6.1-rc8

v6.1.1

v6.1.10

v6.1.11

v6.1.12

v6.1.13

v6.1.14

v6.1.15

v6.1.16

v6.1.17

v6.1.18

v6.1.19

v6.1.2

v6.1.20

v6.1.21

v6.1.22

v6.1.23

v6.1.24

v6.1.25

v6.1.26

v6.1.27

v6.1.28

v6.1.29

v6.1.3

v6.1.30

v6.1.31

v6.1.32

v6.1.33

v6.1.34

v6.1.35

v6.1.36

v6.1.37

v6.1.38

v6.1.39

v6.1.4

v6.1.40

v6.1.41

v6.1.42

v6.1.43

v6.1.44

v6.1.45

v6.1.46

v6.1.47

v6.1.48

v6.1.49

v6.1.5

v6.1.50

v6.1.51

v6.1.52

v6.1.53

v6.1.54

v6.1.55

v6.1.56

v6.1.57

v6.1.58

v6.1.59

v6.1.6

v6.1.60

v6.1.61

v6.1.62

v6.1.63

v6.1.64

v6.1.65

v6.1.66

v6.1.67

v6.1.68

v6.1.69

v6.1.7

v6.1.70

v6.1.71

v6.1.72

v6.1.73

v6.1.74

v6.1.75

v6.1.76

v6.1.77

v6.1.8

v6.1.9

v6.2

v6.2-rc1

v6.2-rc2

v6.2-rc3

v6.2-rc4

v6.2-rc5

v6.2-rc6

v6.2-rc7

v6.2-rc8

v6.3

v6.3-rc1

v6.3-rc2

v6.3-rc3

v6.3-rc4

v6.3-rc5

v6.3-rc6

v6.3-rc7

v6.4

v6.4-rc1

v6.4-rc2

v6.4-rc3

v6.4-rc4

v6.4-rc5

v6.4-rc6

v6.4-rc7

v6.5

v6.5-rc1

v6.5-rc2

v6.5-rc3

v6.5-rc4

v6.5-rc5

v6.5-rc6

v6.5-rc7

v6.6

v6.6-rc1

v6.6-rc2

v6.6-rc3

v6.6-rc4

v6.6-rc5

v6.6-rc6

v6.6-rc7

v6.6.1

v6.6.10

v6.6.11

v6.6.12

v6.6.13

v6.6.14

v6.6.15

v6.6.16

v6.6.2

v6.6.3

v6.6.4

v6.6.5

v6.6.6

v6.6.7

v6.6.8

v6.6.9

v6.7

v6.7-rc1

v6.7-rc2

v6.7-rc3

v6.7-rc4

v6.7-rc5

v6.7-rc6

v6.7-rc7

v6.7-rc8

v6.7.1

v6.7.2

v6.7.3

v6.7.4

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fb8bfc6ea3cd8c5ac3d35711d064e2f6646aec17",
        "deprecated": false,
        "id": "CVE-2024-26667-281e191d",
        "target": {
            "file": "drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "94427818710657712654554968813804235758",
                "40042483034328788693839192030065045887",
                "34493872285323001288392538034255414644",
                "185581475364599266500760137438395913392",
                "310510218989026585699821473431933334613",
                "257311050774167179814362705330912613794",
                "326079767230551459140872066215527838918",
                "139566313839784768379756950611286387873"
            ]
        },
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@eb4f56f3ff5799ca754ae6d811803a63fe25a4a2",
        "deprecated": false,
        "id": "CVE-2024-26667-3598420a",
        "target": {
            "file": "drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "94427818710657712654554968813804235758",
                "40042483034328788693839192030065045887",
                "34493872285323001288392538034255414644",
                "185581475364599266500760137438395913392",
                "310510218989026585699821473431933334613",
                "257311050774167179814362705330912613794",
                "326079767230551459140872066215527838918",
                "139566313839784768379756950611286387873"
            ]
        },
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fb8bfc6ea3cd8c5ac3d35711d064e2f6646aec17",
        "deprecated": false,
        "id": "CVE-2024-26667-4c0e3e02",
        "target": {
            "function": "dpu_encoder_helper_phys_cleanup",
            "file": "drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c"
        },
        "digest": {
            "function_hash": "168128556814492205451145254755845733328",
            "length": 1746.0
        },
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@79592a6e7bdc1d05460c95f891f5e5263a107af8",
        "deprecated": false,
        "id": "CVE-2024-26667-8139d0b4",
        "target": {
            "file": "drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "94427818710657712654554968813804235758",
                "40042483034328788693839192030065045887",
                "34493872285323001288392538034255414644",
                "185581475364599266500760137438395913392",
                "310510218989026585699821473431933334613",
                "257311050774167179814362705330912613794",
                "326079767230551459140872066215527838918",
                "139566313839784768379756950611286387873"
            ]
        },
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@79592a6e7bdc1d05460c95f891f5e5263a107af8",
        "deprecated": false,
        "id": "CVE-2024-26667-9a951e47",
        "target": {
            "function": "dpu_encoder_helper_phys_cleanup",
            "file": "drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c"
        },
        "digest": {
            "function_hash": "158458898550282830060138502608491363847",
            "length": 1789.0
        },
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@eb4f56f3ff5799ca754ae6d811803a63fe25a4a2",
        "deprecated": false,
        "id": "CVE-2024-26667-cb5e98fc",
        "target": {
            "function": "dpu_encoder_helper_phys_cleanup",
            "file": "drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c"
        },
        "digest": {
            "function_hash": "158458898550282830060138502608491363847",
            "length": 1789.0
        },
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7f3d03c48b1eb6bc45ab20ca98b8b11be25f9f52",
        "deprecated": false,
        "id": "CVE-2024-26667-dd6535f9",
        "target": {
            "function": "dpu_encoder_helper_phys_cleanup",
            "file": "drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c"
        },
        "digest": {
            "function_hash": "242514221824961999898722307166657508259",
            "length": 2119.0
        },
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7f3d03c48b1eb6bc45ab20ca98b8b11be25f9f52",
        "deprecated": false,
        "id": "CVE-2024-26667-febdf8ca",
        "target": {
            "file": "drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "94427818710657712654554968813804235758",
                "40042483034328788693839192030065045887",
                "34493872285323001288392538034255414644",
                "185581475364599266500760137438395913392",
                "310510218989026585699821473431933334613",
                "257311050774167179814362705330912613794",
                "326079767230551459140872066215527838918",
                "139566313839784768379756950611286387873"
            ]
        },
        "signature_type": "Line"
    }
]

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.19.0

Fixed

6.1.78

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.17

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.7.5