Alex Deucher <alexdeucher@xxxxxxxxx> wrote:
> On Wed, Aug 21, 2024 at 3:45 AM Ma Ke <make24@xxxxxxxxxxx> wrote:
> >
> > Instead of using state->fb->obj[0] directly, get object from framebuffer
> > by calling drm_gem_fb_get_obj() and return error code when object is
> > null to avoid using null object of framebuffer.
> >
> > Cc: stable@xxxxxxxxxxxxxxx
> > Fixes: 5d945cbcd4b1 ("drm/amd/display: Create a file dedicated to planes")
> > Signed-off-by: Ma Ke <make24@xxxxxxxxxxx>
> > ---
> > drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 9 +++++++--
> > 1 file changed, 7 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
> > index a83bd0331c3b..5cb11cc2d063 100644
> > --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
> > +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
> > @@ -28,6 +28,7 @@
> > #include <drm/drm_blend.h>
> > #include <drm/drm_gem_atomic_helper.h>
> > #include <drm/drm_plane_helper.h>
> > +#include <drm/drm_gem_framebuffer_helper.h>
> > #include <drm/drm_fourcc.h>
> >
> > #include "amdgpu.h"
> > @@ -935,10 +936,14 @@ static int amdgpu_dm_plane_helper_prepare_fb(struct drm_plane *plane,
> > }
> >
> > afb = to_amdgpu_framebuffer(new_state->fb);
> > - obj = new_state->fb->obj[0];
> > + obj = drm_gem_fb_get_obj(new_state->fb, 0);
>
> Is it possible for obj to be NULL here?
>
> Alex

Thank you for your response to the vulnerability I submitted. Yes, we
believe there is a similar issue. As described in CVE-2024-41093, the
obj will return as NULL and lead to a dereferencing problem, and a
similar issue exists in this code. The discovery of this problem was
confirmed through manual review of the code and compilation testing.

--
Regards,

Ma Ke
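
Review bot: The commit message does not say which path can reach amdgpu_dm_plane_helper_prepare_fb() with a framebuffer whose object 0 is NULL, and that is the justification the "+ obj = drm_gem_fb_get_obj(new_state->fb, 0);" line in the second hunk needs. The changelog only states that an error code is returned when the object is null, and the reply grounds the change in similarity to CVE-2024-41093, manual review and compile testing rather than an observed NULL at this call site. Please name the caller or state that leaves obj unset by the time prepare_fb runs, or say explicitly that the check is defensive hardening, so that the Fixes: and Cc: stable tags can be judged against a reachable fault. The quoted hunk also stops at the assignment, while the diffstat lists 7 insertions and 2 deletions, so the NULL test and the error path are not visible here; whatever value is returned should be chosen with the existing error handling of this function in mind, and every later use of obj in the function has to sit behind that test.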