diff options
| author | Ashutosh Desai <ashutoshdesai993@gmail.com> | 2026-04-10 07:19:01 +0300 |
|---|---|---|
| committer | Lyude Paul <lyude@redhat.com> | 2026-05-07 21:20:59 +0300 |
| commit | 55bd5e685bda455b9b50c835f8c8442d52a344a3 (patch) | |
| tree | 83fc599230cd1e166a7b8013707cd672e5d349be /include/linux | |
| parent | 9175f49330d199c03eb970f799526c9d479b5f1a (diff) | |
| download | linux-55bd5e685bda455b9b50c835f8c8442d52a344a3.tar.xz | |
drm/dp/mst: fix buffer overflows in sideband chunk accumulation
drm_dp_sideband_append_payload() has three related bugs when processing
device-provided sideband reply data:
1. Zero-length curchunk_len underflow: msg_len is a 6-bit field taken
directly from the DP sideband header. If a device sends msg_len=0,
curchunk_len is set to zero. The condition (curchunk_idx >= curchunk_len)
is immediately true, and curchunk_len-1 wraps to 255 (u8 underflow).
drm_dp_msg_data_crc4() reads 255 bytes from chunk[48], then memcpy()
writes 255 bytes into msg[], both far out of bounds.
2. chunk[48] overflow: curchunk_len can reach 63 (6-bit field). chunk[] is
only 48 bytes. Multi-iteration payload assembly appends 16-byte blocks
until curchunk_idx reaches curchunk_len, writing up to 15 bytes past
the end of chunk[] into msg[].
3. msg[256] overflow: each chunk contributes (curchunk_len-1) bytes to
msg[]. No check ensures curlen + (curchunk_len-1) stays within msg[256],
so the memcpy can spill into adjacent struct fields.
All three are reachable from any DP MST device that can forge sideband
reply messages on a physical connection.
Fixes: ad7f8a1f9ced ("drm/helper: add Displayport multi-stream helper (v0.6)")
Cc: <stable@vger.kernel.org> # v3.17+
Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
Reviewed-by: Lyude Paul <lyude@redhat.com>
Signed-off-by: Lyude Paul <lyude@redhat.com>
Link: https://patch.msgid.link/20260410041901.2438960-1-ashutoshdesai993@gmail.com
Diffstat (limited to 'include/linux')
0 files changed, 0 insertions, 0 deletions
