Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ubuntucveUbuntu.comUB:CVE-2024-39291
HistoryJun 25, 2024 - 12:00 a.m.

CVE-2024-39291

2024-06-2500:00:00
ubuntu.com
ubuntu.com
2
linux kernel
vulnerability
buffer size
snprintf function
potential truncation
amdgpu
microcode
chip_name
buffer overflow
gcc warning

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

5.1%

JSON

In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix buffer size in gfx_v9_4_3_init_ cp_compute_microcode() and
rlc_microcode()
The function gfx_v9_4_3_init_microcode in gfx_v9_4_3.c was generating
about potential truncation of output when using the snprintf function.
The issue was due to the size of the buffer β€˜ucode_prefix’ being too
small to accommodate the maximum possible length of the string being
written into it.
The string being written is β€œamdgpu/%s_mec.bin” or β€œamdgpu/%s_rlc.bin”,
where %s is replaced by the value of β€˜chip_name’. The length of this
string without the %s is 16 characters. The warning message indicated
that β€˜chip_name’ could be up to 29 characters long, resulting in a total
of 45 characters, which exceeds the buffer size of 30 characters.
To resolve this issue, the size of the β€˜ucode_prefix’ buffer has been
reduced from 30 to 15. This ensures that the maximum possible length of
the string being written into the buffer will not exceed its size, thus
preventing potential buffer overflow and truncation issues.
Fixes the below with gcc W=1:
drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c: In function
β€˜gfx_v9_4_3_early_init’:
drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:379:52: warning: β€˜%s’ directive
output may be truncated writing up to 29 bytes into a region of size 23
[-Wformat-truncation=]
379 | snprintf(fw_name, sizeof(fw_name), β€œamdgpu/%s_rlc.bin”,
chip_name);
| ^~
…
439 | r = gfx_v9_4_3_init_rlc_microcode(adev, ucode_prefix);
| ~~~~~~~~~~~~
drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:379:9: note: β€˜snprintf’ output
between 16 and 45 bytes into a destination of size 30
379 | snprintf(fw_name, sizeof(fw_name), β€œamdgpu/%s_rlc.bin”,
chip_name);
|
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:413:52: warning: β€˜%s’ directive
output may be truncated writing up to 29 bytes into a region of size 23
[-Wformat-truncation=]
413 | snprintf(fw_name, sizeof(fw_name), β€œamdgpu/%s_mec.bin”,
chip_name);
| ^~
…
443 | r = gfx_v9_4_3_init_cp_compute_microcode(adev,
ucode_prefix);
| ~~~~~~~~~~~~
drivers/gpu/drm/amd/amdgpu/gfx_v9_4_3.c:413:9: note: β€˜snprintf’ output
between 16 and 45 bytes into a destination of size 30
413 | snprintf(fw_name, sizeof(fw_name), β€œamdgpu/%s_mec.bin”,
chip_name);
|
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Related

cvelist 1
redhatcve 1
debiancve 1
nvd 1
cve 1
cvelist
cvelist
CVE-2024-39291 drm/amdgpu: Fix buffer size in gfx_v9_4_3_init_ cp_compute_microcode() and rlc_microcode()
2024-06-24 13:52:26
redhatcve
redhatcve
CVE-2024-39291
2024-06-25 13:52:43
debiancve
debiancve
CVE-2024-39291
2024-06-24 14:15:12
nvd
nvd
CVE-2024-39291
2024-06-24 14:15:12
cve
cve
CVE-2024-39291
2024-06-24 14:15:12

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

5.1%

JSON
Related for UB:CVE-2024-39291
cvelist1redhatcve1debiancve1nvd1cve1