CVE-2024-50177

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-50177
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-50177.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-50177
Downstream
Related
Published
2024-11-08T06:15:15Z
Modified
2025-01-16T20:00:05Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: fix a UBSAN warning in DML2.1

When programming phantom pipe, since cursor_width is explicity set to 0, this causes calculation logic to trigger overflow for an unsigned int triggering the kernel's UBSAN check as below:

[ 40.962845] UBSAN: shift-out-of-bounds in /tmp/amd.EfpumTkO/amd/amdgpu/../display/dc/dml2/dml21/src/dml2core/dml2coredcn4calcs.c:3312:34 [ 40.962849] shift exponent 4294967170 is too large for 32-bit type 'unsigned int' [ 40.962852] CPU: 1 PID: 1670 Comm: gnome-shell Tainted: G W OE 6.5.0-41-generic #41~22.04.2-Ubuntu [ 40.962854] Hardware name: Gigabyte Technology Co., Ltd. X670E AORUS PRO X/X670E AORUS PRO X, BIOS F21 01/10/2024 [ 40.962856] Call Trace: [ 40.962857] <TASK> [ 40.962860] dumpstacklvl+0x48/0x70 [ 40.962870] dumpstack+0x10/0x20 [ 40.962872] _ubsanhandleshiftoutofbounds+0x1ac/0x360 [ 40.962878] calculatecursorreqattributes.cold+0x1b/0x28 [amdgpu] [ 40.963099] dmlcoremodesupport+0x6b91/0x16bc0 [amdgpu] [ 40.963327] ? srsoaliasreturnthunk+0x5/0x7f [ 40.963331] ? CalculateWatermarksMALLUseAndDRAMSpeedChangeSupport+0x18b8/0x2790 [amdgpu] [ 40.963534] ? srsoaliasreturnthunk+0x5/0x7f [ 40.963536] ? dmlcoremodesupport+0xb3db/0x16bc0 [amdgpu] [ 40.963730] dml2corecalcsmodesupportex+0x2c/0x90 [amdgpu] [ 40.963906] ? srsoaliasreturnthunk+0x5/0x7f [ 40.963909] ? dml2corecalcsmodesupportex+0x2c/0x90 [amdgpu] [ 40.964078] coredcn4modesupport+0x72/0xbf0 [amdgpu] [ 40.964247] dml2topoptimizationperformoptimizationphase+0x1d3/0x2a0 [amdgpu] [ 40.964420] dml2buildmodeprogramming+0x23d/0x750 [amdgpu] [ 40.964587] dml21validate+0x274/0x770 [amdgpu] [ 40.964761] ? srsoaliasreturnthunk+0x5/0x7f [ 40.964763] ? resourceappenddpppipesforplanecomposition+0x27c/0x3b0 [amdgpu] [ 40.964942] dml2validate+0x504/0x750 [amdgpu] [ 40.965117] ? dml21copy+0x95/0xb0 [amdgpu] [ 40.965291] ? srsoaliasreturnthunk+0x5/0x7f [ 40.965295] dcn401validatebandwidth+0x4e/0x70 [amdgpu] [ 40.965491] updateplanesandstreamstate+0x38d/0x5c0 [amdgpu] [ 40.965672] updateplanesandstreamv3+0x52/0x1e0 [amdgpu] [ 40.965845] ? srsoaliasreturnthunk+0x5/0x7f [ 40.965849] dcupdateplanesandstream+0x71/0xb0 [amdgpu]

Fix this by adding a guard for checking cursor width before triggering the size calculation.

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.11.4-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}