VYPR
Unrated severity · NVD Advisory · Published Dec 9, 2025 · Updated Apr 15, 2026

CVE-2023-53784

Description

In the Linux kernel, the following vulnerability has been resolved:

drm: bridge: dw_hdmi: fix connector access for scdc

Commit 5d844091f237 ("drm/scdc-helper: Pimp SCDC debugs") changed the scdc interface to pick up an i2c adapter from a connector instead. However, in the case of dw-hdmi, the wrong connector was being used to pass i2c adapter information, since dw-hdmi's embedded connector structure is only populated when the bridge attachment callback explicitly asks for it.

drm-meson is handling connector creation, so this won't happen, leading to a NULL pointer dereference.

Fix it by having scdc functions access dw-hdmi's current connector pointer instead, which is assigned during the bridge enablement stage.

[narmstrong: moved Fixes tag before first S-o-b and added Reported-by tag]

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A NULL pointer dereference in the Linux kernel's dw-hdmi bridge driver occurs when SCDC functions access an unpopulated connector structure.

Root Cause

The vulnerability is a NULL pointer dereference in the dw-hdmi bridge driver within the Linux kernel's Direct Rendering Manager (DRM) subsystem. A commit (5d844091f237) changed the SCDC (Source Content Data Channel) helper interface to retrieve an I2C adapter from a connector. However, the dw-hdmi driver was passing its embedded connector structure, which is only populated when the bridge attachment callback explicitly requests it. In cases where the connector is created by another component (e.g., drm-meson), the embedded connector remains uninitialized, leading to a NULL pointer dereference when SCDC functions attempt to access it [1].

Exploitation

An attacker would need to trigger the SCDC functionality on a system using the dw-hdmi bridge with a display driver that does not populate the bridge's embedded connector (such as drm-meson). This can occur during normal display operations, such as hot-plug events or mode setting, when the kernel attempts to use SCDC for HDMI 2.0 features. No special privileges are required beyond local access to the display subsystem, but the attack surface is limited to systems with specific hardware configurations [1].

Impact

Successful exploitation results in a kernel NULL pointer dereference that crashes the system (denial of service), potentially leading to system unavailability. Based on the provided information, the vulnerability does not allow arbitrary code execution or privilege escalation [1].

Mitigation

The fix is included in the Linux kernel stable tree (commit 552f79aa9e801ed4f74d6b3221af78042ba4f235). The patch changes the SCDC functions to use dw-hdmi's current connector pointer, which is assigned during the bridge enablement stage, instead of the unpopulated embedded connector. Users should update to a kernel version containing this commit [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
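The connector mix-up described above, as an added userspace model (not code from the kernel or from the fix commit). All struct, field and function names are hypothetical, and the helper returns -1 at the point where the kernel would dereference NULL.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace model with hypothetical names; not the kernel's structures. */
struct i2c_adapter { int transfers; };
struct connector   { struct i2c_adapter *ddc; };

struct hdmi_bridge {
    struct connector  embedded;  /* filled in only when attach asks for it */
    struct connector *cur;       /* set at enable time to the live connector */
};

/* SCDC-style helper that takes its i2c adapter from the connector.
 * The model returns -1 where the kernel would dereference NULL. */
static int scdc_write(struct connector *conn)
{
    if (conn == NULL || conn->ddc == NULL)
        return -1;
    conn->ddc->transfers++;
    return 0;
}

static void bridge_attach(struct hdmi_bridge *b, struct i2c_adapter *ddc,
                          bool bridge_creates_connector)
{
    if (bridge_creates_connector)
        b->embedded.ddc = ddc;   /* otherwise embedded stays zeroed */
}

static void bridge_enable(struct hdmi_bridge *b, struct connector *live)
{
    b->cur = live;
}

/* Run attach + enable, then one SCDC access via the pre-fix or post-fix path. */
int scdc_result(bool bridge_creates_connector, bool fixed)
{
    struct i2c_adapter ddc = { 0 };
    struct connector external = { &ddc };   /* created by the display driver */
    struct hdmi_bridge b = { { NULL }, NULL };

    bridge_attach(&b, &ddc, bridge_creates_connector);
    bridge_enable(&b, bridge_creates_connector ? &b.embedded : &external);
    return scdc_write(fixed ? b.cur : &b.embedded);
}
```

Only the combination of a display-driver-owned connector and the pre-fix path fails, which matches the drm-meson case in the description.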

Affected products

2
  • Linux/Kernel (inferred), 2 versions
    • (no CPE)
    • (no CPE)

Patches

2

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
