CVE-2024-49917: 
Linux Kernel vulnerability analysis and mitigation

CVE-2024-49917 is a vulnerability in the Linux kernel affecting the AMD display driver (drm/amd/display). The issue was discovered and reported by the smatch static analyzer, which identified a potential null pointer dereference in the dcn30_init_hw function. The vulnerability was disclosed on October 21, 2024, and affects Linux kernel versions up to (excluding) 6.10.14 and versions from (including) 6.11 up to (excluding) 6.11.3 (NVD).

The vulnerability exists in the dcn30_init_hw function where a null pointer dereference could occur when accessing dc->clk_mgr or dc->clk_mgr->funcs. The issue arises because the code previously assumed dc->clk_mgr could be null at line 628 but attempted to access its members without proper validation. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

If exploited, this vulnerability could lead to a denial of service condition through a kernel crash when the null pointer dereference occurs. The CVSS scoring indicates that while the vulnerability requires local access and low privileges, it can cause a high impact on system availability with no impact on confidentiality or integrity (NVD).

The vulnerability has been fixed by adding proper NULL checks for dc->clk_mgr and dc->clk_mgr->funcs before accessing their members. The fix has been implemented in various kernel versions, including 6.11.0-18.18 for Ubuntu 24.10 and 6.8.0-54.56 for Ubuntu 24.04 LTS. Users are advised to update their systems to the patched versions (Ubuntu).