Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's AMD display driver can lead to a NULL pointer dereference. This issue occurs when the ASIC does not support the DMUB (Display Microcontroller Unit Block) service. In such cases, the DMUB service pointer is set to NULL, but it is improperly dereferenced in the 'dmub_hw_lock_mgr_cmd' function if the 'should_use_dmub_lock' function returns true. This vulnerability has been present since DMUB support was introduced for PSR1 (Panel Self Refresh 1). The issue can be exploited during the cursor lock management process, leading to a kernel panic.
Exploitation of this vulnerability causes a kernel NULL pointer dereference, which triggers a page fault. NULL pointer dereferences are a common cause of system crashes, because the kernel attempts to access a memory address that is not valid or available and cannot continue normal operation.
The vulnerability can be reproduced by using a graphics card and driver configuration that relies on DMUB services, such as AMD GPUs with Display Stream Compression (DSC) support. When the 'dmub_hw_lock_mgr_cmd' function is called, it attempts to use the DMUB service pointer without checking whether it is NULL, which results in a NULL pointer dereference. This can be triggered through standard graphics operations that involve cursor management, such as moving or updating the cursor on the screen.
Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed. Instructions for upgrading the kernel can be found in the official documentation for the Linux distribution in use.
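The missing check described above, as an added user-space C model (not the kernel's code and not the upstream patch). All struct names, fields and the `_model`/`_guarded`/`_unguarded` suffixes are hypothetical, and the assumption that the unguarded decision looks only at PSR1 state is ours.

```c
#include <stdbool.h>
#include <stddef.h>

/* User-space model only: hypothetical stand-ins, not amdgpu definitions. */
struct dmub_srv_model { unsigned int cmds_sent; };
struct dc_ctx_model { struct dmub_srv_model *dmub_srv; }; /* NULL: no DMUB */
struct link_model { bool psr1_enabled; };

/* Unguarded decision (assumed shape): considers only the link feature, so
 * it can return true even though no DMUB service exists on this ASIC. */
bool should_use_dmub_lock_unguarded(const struct link_model *link)
{
    return link->psr1_enabled;
}

/* Guarded decision: a missing DMUB service always means "no DMUB lock". */
bool should_use_dmub_lock_guarded(const struct dc_ctx_model *ctx,
                                  const struct link_model *link)
{
    if (ctx == NULL || ctx->dmub_srv == NULL)
        return false;
    return link->psr1_enabled;
}

/* Stand-in for dmub_hw_lock_mgr_cmd: checks the pointer before use and
 * returns -1 instead of dereferencing NULL. Returns 0 on success. */
int dmub_hw_lock_mgr_cmd_model(struct dc_ctx_model *ctx)
{
    if (ctx == NULL || ctx->dmub_srv == NULL)
        return -1;
    ctx->dmub_srv->cmds_sent++;
    return 0;
}

/* Cursor-lock path: 1 = DMUB lock taken, 0 = fell back to the non-DMUB
 * path, -1 = inconsistent state reported by the command helper. */
int cursor_lock_model(struct dc_ctx_model *ctx, const struct link_model *link)
{
    if (!should_use_dmub_lock_guarded(ctx, link))
        return 0;
    return dmub_hw_lock_mgr_cmd_model(ctx) == 0 ? 1 : -1;
}

int main(void)
{
    struct dc_ctx_model no_dmub = { NULL };   /* constructed sample state */
    struct link_model psr1 = { true };
    return cursor_lock_model(&no_dmub, &psr1); /* falls back, no crash */
}
```

Checking the pointer in both the decision helper and the command helper means a future caller that skips the first check still fails safely.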