Srinivasan Shanmugam

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.8.0 **Description** An issue was identified in the `dcn21 link encoder create` function where an out-of-bounds access could occur when the `hpd source` index was used to reference the `link enc hpd regs` array. This array has a fixed size and the index was not being checked against the array's bounds before accessing it. The fix adds a conditional check to ensure that the `hpd source` index is within the valid range of the `link enc hpd regs` array. If the index is out of bounds, the function now returns NULL to prevent undefined behavior. **Recommendations** As a temporary workaround, consider disabling the `dcn21 link encoder create` function until a patch is available. Update the Linux kernel to a version that includes the fix for this issue.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.58 Description: The issue is a null pointer dereference in the `commit planes for stream` function at line 4140, which could occur when `top pipe to program` is null. The fix adds a check to ensure `top pipe to program` is not null before accessing its stream res, preventing a null pointer dereference. This issue was reported by smatch. Recommendations: For Linux kernel versions prior to 6.6.58, update to version 6.6.58 or later to resolve the issue. As a temporary workaround, consider adding a null check for `top pipe to program` in the `commit planes for stream` function to prevent null pointer dereferences.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.58 Description: The issue is related to an index out of bounds problem in the `cm3 helper translate curve to hw format` function within the DCN30 color management module. This could occur when the index `i` exceeds the number of transfer function points. The fix involves adding a check to ensure `i` is within bounds before accessing the transfer function points, returning false to indicate an error if `i` is out of bounds. Buffer overflows could occur in `output tf->tf pts.red`, `output tf->tf pts.green`, and `output tf->tf pts.blue` due to the index issue. Recommendations: For Linux kernel versions prior to 6.6.58, update to version 6.6.58 or later to resolve the issue. As a temporary workaround, consider restricting access to the DCN30 color management module until the update can be applied.

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.58 Description: The issue is related to an index out of bounds problem in the `cm helper translate curve to degamma hw format` function, which could occur when the index 'i' exceeds the number of transfer function points (TRANSFER FUNC POINTS). This could lead to a buffer overflow error, as reported by smatch, affecting 'output tf->tf pts.red', 'output tf->tf pts.green', and 'output tf->tf pts.blue'. The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points, returning false to indicate an error if 'i' is out of bounds. Recommendations: For Linux kernel versions prior to 6.6.58, update to version 6.6.58 or later to resolve the issue. As a temporary workaround, consider restricting access to the `cm helper translate curve to degamma hw format` function until a patch is available.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: A potential null pointer dereference issue was found in the `dcn32 init hw` function. This issue could occur when `dc->clk mgr` is null. The problem is addressed by adding a check to ensure `dc->clk mgr` is not null before accessing its functions, thus preventing a potential null pointer dereference. The issue was reported by smatch in the file drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn32/dcn32 hwseq.c. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: A potential null pointer dereference issue was found in the `dcn201 acquire free pipe for layer` function. This issue could occur when the `head pipe` is null. The problem is addressed by adding a null check for `head pipe` to prevent a potential null pointer dereference. If `head pipe` is null, the function returns NULL. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: A buffer overflow error has been resolved in the Linux kernel, specifically in the `dcn401 stream encoder create` function. The issue arises from an out-of-bounds access on the `stream enc regs` array, which is initialized with four elements and has valid indices of 0, 1, 2, and 3. If the `eng id` is used as an index and is set to 5, it results in an out-of-bounds access, leading to undefined behavior. The error was found by smatch in the `dcn401 resource.c` file. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a potential null pointer dereference in the dc dmub srv module of the Linux kernel's AMD display driver. This could lead to a null pointer dereference if the `dc dmub srv` variable is null. The fix involves checking if `dc dmub srv` is null before dereferencing it, thus preventing a potential null pointer dereference. The vulnerability is associated with the `dc dmub srv cmd list queue execute()` and `dc dmub srv is hw pwr up()` functions. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a null pointer dereference in the `edp set replay allow active()` function. This occurs because the `replay` variable is not checked for null before calling `replay->funcs->replay set power opt()`. If `replay` is null, this will cause a null pointer dereference, potentially leading to a denial of service. The vulnerability is in the `drm/amd/display` component of the Linux kernel. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a buffer overflow error in the `dcn301 stream encoder create` function, which is part of the Direct Rendering Manager (DRM) subsystem in the Linux kernel. The error occurs when the `eng id` is used as an index to access the `stream enc regs` array, and if `eng id` is 5, it results in an out-of-bounds access on the `stream enc regs` array. This could lead to undefined behavior. The vulnerability is related to the lack of bounds checking for stream encoder creation in DCN301. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue arises when the array `adev->vcn.vcn config` is accessed before checking if the index `adev->vcn.num vcn inst` is within the bounds of the array. The fix involves moving the bounds check before the array access. This ensures that `adev->vcn.num vcn inst` is within the bounds of the array before it is used as an index. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a potential NULL pointer dereference in the `dcn10 set output transfer func()` function. The `stream` pointer is used before checking if it is NULL, which could lead to a denial of service. The vulnerability is located in the `drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn10/dcn10 hwseq.c` file at line 1892. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a potential buffer overflow in the `dp dsc clock en read()` function in the Linux kernel's drm/amd/display component. This could allow an attacker to cause a denial of service. The problem arises from the `snprintf()` function printing too much data, 30 bytes instead of 10, in the output buffer. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the function `amdgpu mca smu get mca entry()` in the Linux kernel, where the variable `mca funcs` is dereferenced before a NULL check. This can lead to a denial of service. The vulnerability is caused by the dereference of `mca funcs` in the lines where `max ue count` and `max ce count` are accessed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue is related to a possible NULL dereference in the `amdgpu ras query error status helper()` function. This could allow an attacker to cause a denial of service. The error occurs because it was previously assumed that the `info` variable could be null. The function now returns an invalid error code `-EINVAL` for invalid block ids. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.