Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2025-22093

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
16/04/2025
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/amd/display: avoid NPD when ASIC does not support DMUB<br /> <br /> ctx-&gt;dmub_srv will de NULL if the ASIC does not support DMUB, which is<br /> tested in dm_dmub_sw_init.<br /> <br /> However, it will be dereferenced in dmub_hw_lock_mgr_cmd if<br /> should_use_dmub_lock returns true.<br /> <br /> This has been the case since dmub support has been added for PSR1.<br /> <br /> Fix this by checking for dmub_srv in should_use_dmub_lock.<br /> <br /> [ 37.440832] BUG: kernel NULL pointer dereference, address: 0000000000000058<br /> [ 37.447808] #PF: supervisor read access in kernel mode<br /> [ 37.452959] #PF: error_code(0x0000) - not-present page<br /> [ 37.458112] PGD 0 P4D 0<br /> [ 37.460662] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI<br /> [ 37.465553] CPU: 2 UID: 1000 PID: 1745 Comm: DrmThread Not tainted 6.14.0-rc1-00003-gd62e938120f0 #23 99720e1cb1e0fc4773b8513150932a07de3c6e88<br /> [ 37.478324] Hardware name: Google Morphius/Morphius, BIOS Google_Morphius.13434.858.0 10/26/2023<br /> [ 37.487103] RIP: 0010:dmub_hw_lock_mgr_cmd+0x77/0xb0<br /> [ 37.492074] Code: 44 24 0e 00 00 00 00 48 c7 04 24 45 00 00 0c 40 88 74 24 0d 0f b6 02 88 44 24 0c 8b 01 89 44 24 08 85 f6 75 05 c6 44 24 0e 01 8b 7f 58 48 89 e6 ba 01 00 00 00 e8 08 3c 2a 00 65 48 8b 04 5<br /> [ 37.510822] RSP: 0018:ffff969442853300 EFLAGS: 00010202<br /> [ 37.516052] RAX: 0000000000000000 RBX: ffff92db03000000 RCX: ffff969442853358<br /> [ 37.523185] RDX: ffff969442853368 RSI: 0000000000000001 RDI: 0000000000000000<br /> [ 37.530322] RBP: 0000000000000001 R08: 00000000000004a7 R09: 00000000000004a5<br /> [ 37.537453] R10: 0000000000000476 R11: 0000000000000062 R12: ffff92db0ade8000<br /> [ 37.544589] R13: ffff92da01180ae0 R14: ffff92da011802a8 R15: ffff92db03000000<br /> [ 37.551725] FS: 0000784a9cdfc6c0(0000) GS:ffff92db2af00000(0000) knlGS:0000000000000000<br /> [ 37.559814] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 37.565562] CR2: 0000000000000058 CR3: 0000000112b1c000 CR4: 00000000003506f0<br /> [ 37.572697] Call Trace:<br /> [ 37.575152] <br /> [ 37.577258] ? __die_body+0x66/0xb0<br /> [ 37.580756] ? page_fault_oops+0x3e7/0x4a0<br /> [ 37.584861] ? exc_page_fault+0x3e/0xe0<br /> [ 37.588706] ? exc_page_fault+0x5c/0xe0<br /> [ 37.592550] ? asm_exc_page_fault+0x22/0x30<br /> [ 37.596742] ? dmub_hw_lock_mgr_cmd+0x77/0xb0<br /> [ 37.601107] dcn10_cursor_lock+0x1e1/0x240<br /> [ 37.605211] program_cursor_attributes+0x81/0x190<br /> [ 37.609923] commit_planes_for_stream+0x998/0x1ef0<br /> [ 37.614722] update_planes_and_stream_v2+0x41e/0x5c0<br /> [ 37.619703] dc_update_planes_and_stream+0x78/0x140<br /> [ 37.624588] amdgpu_dm_atomic_commit_tail+0x4362/0x49f0<br /> [ 37.629832] ? srso_return_thunk+0x5/0x5f<br /> [ 37.633847] ? mark_held_locks+0x6d/0xd0<br /> [ 37.637774] ? _raw_spin_unlock_irq+0x24/0x50<br /> [ 37.642135] ? srso_return_thunk+0x5/0x5f<br /> [ 37.646148] ? lockdep_hardirqs_on+0x95/0x150<br /> [ 37.650510] ? srso_return_thunk+0x5/0x5f<br /> [ 37.654522] ? _raw_spin_unlock_irq+0x2f/0x50<br /> [ 37.658883] ? srso_return_thunk+0x5/0x5f<br /> [ 37.662897] ? wait_for_common+0x186/0x1c0<br /> [ 37.666998] ? srso_return_thunk+0x5/0x5f<br /> [ 37.671009] ? drm_crtc_next_vblank_start+0xc3/0x170<br /> [ 37.675983] commit_tail+0xf5/0x1c0<br /> [ 37.679478] drm_atomic_helper_commit+0x2a2/0x2b0<br /> [ 37.684186] drm_atomic_commit+0xd6/0x100<br /> [ 37.688199] ? __cfi___drm_printfn_info+0x10/0x10<br /> [ 37.692911] drm_atomic_helper_update_plane+0xe5/0x130<br /> [ 37.698054] drm_mode_cursor_common+0x501/0x670<br /> [ 37.702600] ? __cfi_drm_mode_cursor_ioctl+0x10/0x10<br /> [ 37.707572] drm_mode_cursor_ioctl+0x48/0x70<br /> [ 37.711851] drm_ioctl_kernel+0xf2/0x150<br /> [ 37.715781] drm_ioctl+0x363/0x590<br /> [ 37.719189] ? __cfi_drm_mode_cursor_ioctl+0x10/0x10<br /> [ 37.724165] amdgpu_drm_ioctl+0x41/0x80<br /> [ 37.728013] __se_sys_ioctl+0x7f/0xd0<br /> [ 37.731685] do_syscall_64+0x87/0x100<br /> [ 37.735355] ? vma_end_read+0x12/0xe0<br /> [ 37.739024] ? srso_return_thunk+0x5/0x5f<br /> [ 37.743041] ? find_held_lock+0x47/0xf0<br /> [ 37.746884] ? vma_end_read+0x12/0xe0<br /> [ 37.750552] ? srso_return_thunk+0x5/0<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.1.128 (including) 6.1.134 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.6.75 (including) 6.6.87 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.12.12 (including) 6.12.23 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13.1 (including) 6.13.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.14 (including) 6.14.2 (excluding)
cpe:2.3:o:linux:linux_kernel:6.13:-:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools