{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-47720","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-09-30T16:00:12.950Z","datePublished":"2024-10-21T11:53:50.178Z","dateUpdated":"2025-11-03T22:21:20.641Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T09:38:15.217Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func\n\nThis commit adds a null check for the set_output_gamma function pointer\nin the  dcn30_set_output_transfer_func function. Previously,\nset_output_gamma was being checked for nullity at line 386, but then it\nwas being dereferenced without any nullity check at line 401. This\ncould potentially lead to a null pointer dereference error if\nset_output_gamma is indeed null.\n\nTo fix this, we now ensure that set_output_gamma is not null before\ndereferencing it. We do this by adding a nullity check for\nset_output_gamma before the call to set_output_gamma at line 401. If\nset_output_gamma is null, we log an error message and do not call the\nfunction.\n\nThis fix prevents a potential null pointer dereference error.\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 dcn30_set_output_transfer_func()\nerror: we previously assumed 'mpc->funcs->set_output_gamma' could be null (see line 386)\n\ndrivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c\n    373 bool dcn30_set_output_transfer_func(struct dc *dc,\n    374                                 struct pipe_ctx *pipe_ctx,\n    375                                 const struct dc_stream_state *stream)\n    376 {\n    377         int mpcc_id = pipe_ctx->plane_res.hubp->inst;\n    378         struct mpc *mpc = pipe_ctx->stream_res.opp->ctx->dc->res_pool->mpc;\n    379         const struct pwl_params *params = NULL;\n    380         bool ret = false;\n    381\n    382         /* program OGAM or 3DLUT only for the top pipe*/\n    383         if (pipe_ctx->top_pipe == NULL) {\n    384                 /*program rmu shaper and 3dlut in MPC*/\n    385                 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream);\n    386                 if (ret == false && mpc->funcs->set_output_gamma) {\n                                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this is NULL\n\n    387                         if (stream->out_transfer_func.type == TF_TYPE_HWPWL)\n    388                                 params = &stream->out_transfer_func.pwl;\n    389                         else if (pipe_ctx->stream->out_transfer_func.type ==\n    390                                         TF_TYPE_DISTRIBUTED_POINTS &&\n    391                                         cm3_helper_translate_curve_to_hw_format(\n    392                                         &stream->out_transfer_func,\n    393                                         &mpc->blender_params, false))\n    394                                 params = &mpc->blender_params;\n    395                          /* there are no ROM LUTs in OUTGAM */\n    396                         if (stream->out_transfer_func.type == TF_TYPE_PREDEFINED)\n    397                                 BREAK_TO_DEBUGGER();\n    398                 }\n    399         }\n    400\n--> 401         mpc->funcs->set_output_gamma(mpc, mpcc_id, params);\n                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Then it will crash\n\n    402         return ret;\n    403 }"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/gpu/drm/amd/display/dc/hwss/dcn30/dcn30_hwseq.c"],"versions":[{"version":"d99f13878d6f9c286b13860d8bf0b4db9ffb189a","lessThan":"44948d3cb943602ba4a0b5ed3c91ae0525838fb1","status":"affected","versionType":"git"},{"version":"d99f13878d6f9c286b13860d8bf0b4db9ffb189a","lessThan":"64886a4e6f1dce843c0889505cf0673b5211e16a","status":"affected","versionType":"git"},{"version":"d99f13878d6f9c286b13860d8bf0b4db9ffb189a","lessThan":"ddf9ff244d704e1903533f7be377615ed34b83e7","status":"affected","versionType":"git"},{"version":"d99f13878d6f9c286b13860d8bf0b4db9ffb189a","lessThan":"84edd5a3f5fa6aafa4afcaf9f101f46426c620c9","status":"affected","versionType":"git"},{"version":"d99f13878d6f9c286b13860d8bf0b4db9ffb189a","lessThan":"72ee32d0907364104fbcf4f68dd5ae63cd8eae9e","status":"affected","versionType":"git"},{"version":"d99f13878d6f9c286b13860d8bf0b4db9ffb189a","lessThan":"08ae395ea22fb3d9b318c8bde28c0dfd2f5fa4d2","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/gpu/drm/amd/display/dc/hwss/dcn30/dcn30_hwseq.c"],"versions":[{"version":"5.9","status":"affected"},{"version":"0","lessThan":"5.9","status":"unaffected","versionType":"semver"},{"version":"5.15.168","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.113","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.54","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.10.13","lessThanOrEqual":"6.10.*","status":"unaffected","versionType":"semver"},{"version":"6.11.2","lessThanOrEqual":"6.11.*","status":"unaffected","versionType":"semver"},{"version":"6.12","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"5.15.168"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.1.113"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.6.54"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.10.13"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.11.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.9","versionEndExcluding":"6.12"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/44948d3cb943602ba4a0b5ed3c91ae0525838fb1"},{"url":"https://git.kernel.org/stable/c/64886a4e6f1dce843c0889505cf0673b5211e16a"},{"url":"https://git.kernel.org/stable/c/ddf9ff244d704e1903533f7be377615ed34b83e7"},{"url":"https://git.kernel.org/stable/c/84edd5a3f5fa6aafa4afcaf9f101f46426c620c9"},{"url":"https://git.kernel.org/stable/c/72ee32d0907364104fbcf4f68dd5ae63cd8eae9e"},{"url":"https://git.kernel.org/stable/c/08ae395ea22fb3d9b318c8bde28c0dfd2f5fa4d2"}],"title":"drm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-47720","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-10-21T13:02:07.747616Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-10-21T13:04:17.600Z"}},{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T22:21:20.641Z"}}]}}