Bug 1222358 (CVE-2024-26672) - VUL-0: CVE-2024-26672: kernel: drm/amdgpu: variable 'mca_funcs' dereferenced before NULL check in 'amdgpu_mca_smu_get_mca_entry()'
Status: RESOLVED FIXED
Alias: CVE-2024-26672
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/399980/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-26672:5.5:(AV:...
Reported: 2024-04-05 09:03 UTC by SMASH SMASH
Modified: 2024-06-25 18:24 UTC
Found By: Security Response Team
Description SMASH SMASH 2024-04-05 09:03:55 UTC
In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Fix variable 'mca_funcs' dereferenced before NULL check in 'amdgpu_mca_smu_get_mca_entry()'

Fixes the below:

drivers/gpu/drm/amd/amdgpu/amdgpu_mca.c:377 amdgpu_mca_smu_get_mca_entry() warn: variable dereferenced before check 'mca_funcs' (see line 368)

357 int amdgpu_mca_smu_get_mca_entry(struct amdgpu_device *adev,
				     enum amdgpu_mca_error_type type,
358                                  int idx, struct mca_bank_entry *entry)
359 {
360         const struct amdgpu_mca_smu_funcs *mca_funcs =
						adev->mca.mca_funcs;
361         int count;
362
363         switch (type) {
364         case AMDGPU_MCA_ERROR_TYPE_UE:
365                 count = mca_funcs->max_ue_count;

mca_funcs is dereferenced here.

366                 break;
367         case AMDGPU_MCA_ERROR_TYPE_CE:
368                 count = mca_funcs->max_ce_count;

mca_funcs is dereferenced here.

369                 break;
370         default:
371                 return -EINVAL;
372         }
373
374         if (idx >= count)
375                 return -EINVAL;
376
377         if (mca_funcs && mca_funcs->mca_get_mca_entry)
	        ^^^^^^^^^

Checked too late!

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26672
https://git.kernel.org/stable/c/4f32504a2f85a7b40fe149436881381f48e9c0c0
https://git.kernel.org/stable/c/7b5d58c07024516c0e81b95e98f37710cf402c53
https://www.cve.org/CVERecord?id=CVE-2024-26672
https://bugzilla.redhat.com/show_bug.cgi?id=2272814
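
The ordering problem described in the report above, as an added example that is not part of the bug report or the kernel source: the dereference-before-check shape next to a guard-first version. The type names, the sample callback and the -EOPNOTSUPP return for the unsupported case are assumptions made for illustration.

```c
#include <errno.h>

/* Simplified stand-ins for the driver types (assumed names, not kernel code). */
enum err_type { ERR_UE, ERR_CE };
struct mca_funcs {
    int max_ue_count, max_ce_count;
    int (*get_entry)(enum err_type type, int idx, int *entry);
};
struct device { const struct mca_funcs *funcs; };  /* NULL when unsupported */

/* Reported order: the switch reads through f before the NULL test at the end.
 * Shown for comparison only; calling it with funcs == NULL faults. */
int get_entry_unchecked(const struct device *dev, enum err_type type, int idx, int *entry)
{
    const struct mca_funcs *f = dev->funcs;
    int count;
    switch (type) {
    case ERR_UE: count = f->max_ue_count; break;   /* dereference */
    case ERR_CE: count = f->max_ce_count; break;   /* dereference */
    default: return -EINVAL;
    }
    if (idx >= count)
        return -EINVAL;
    if (f && f->get_entry)                         /* checked too late */
        return f->get_entry(type, idx, entry);
    return -EOPNOTSUPP;
}

/* Guard first: pointer and callback are validated before any field is read. */
int get_entry_checked(const struct device *dev, enum err_type type, int idx, int *entry)
{
    const struct mca_funcs *f = dev->funcs;
    int count;
    if (!f || !f->get_entry)
        return -EOPNOTSUPP;
    switch (type) {
    case ERR_UE: count = f->max_ue_count; break;
    case ERR_CE: count = f->max_ce_count; break;
    default: return -EINVAL;
    }
    if (idx >= count)
        return -EINVAL;
    return f->get_entry(type, idx, entry);
}

/* Constructed sample callback and function table for exercising the guard. */
static int sample_get(enum err_type type, int idx, int *entry) { *entry = 100 * (int)type + idx; return 0; }
const struct mca_funcs sample_funcs = { 2, 4, sample_get };
```

Outside the kernel, an optimizing compiler may treat the early dereference as proof that the pointer is non-NULL and drop the late test entirely; the kernel builds with -fno-delete-null-pointer-checks, so there the late check survives but is still reached only after the faulting read.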
Comment 4 Oscar Salvador 2024-04-17 03:49:31 UTC
@Thomas: Can you please check

./scripts/check-kernel-fix CVE-2024-26672
4f32504a2f85 ("drm/amdgpu: Fix variable 'mca_funcs' dereferenced before NULL check in 'amdgpu_mca_smu_get_mca_entry()'") merged v6.8-rc1~111^2~1^2~19
Security fix for CVE-2024-26672 bsc#1222358 with CVSS 5.5
..............................
ACTION NEEDED!
SLE15-SP5: MANUAL: might need backport of 4f32504a2f85a7b40fe149436881381f48e9c0c0 ()
SLE12-SP5: MANUAL: might need backport of 4f32504a2f85a7b40fe149436881381f48e9c0c0 ()
SLE12-SP3-TD: MANUAL: might need backport of 4f32504a2f85a7b40fe149436881381f48e9c0c0 ()
Comment 5 Thomas Zimmermann 2024-04-18 13:11:47 UTC
> SLE15-SP5: MANUAL: might need backport of
> 4f32504a2f85a7b40fe149436881381f48e9c0c0 ()

Not affected as the patch's functionality is not present. I blacklisted the fix.

> SLE12-SP5: MANUAL: might need backport of
> 4f32504a2f85a7b40fe149436881381f48e9c0c0 ()

Not affected as the patch's functionality is not present. I blacklisted the fix.

> SLE12-SP3-TD: MANUAL: might need backport of
> 4f32504a2f85a7b40fe149436881381f48e9c0c0 ()

Not affected as the patch's functionality is not present. I blacklisted the fix.
Comment 16 Gabriele Sonnu 2024-06-10 12:44:41 UTC
All done, closing.