summaryrefslogtreecommitdiff
path: root/include/linux
diff options
context:
space:
mode:
authorAshutosh Desai <ashutoshdesai993@gmail.com>2026-04-10 07:19:01 +0300
committerLyude Paul <lyude@redhat.com>2026-05-07 21:20:59 +0300
commit55bd5e685bda455b9b50c835f8c8442d52a344a3 (patch)
tree83fc599230cd1e166a7b8013707cd672e5d349be /include/linux
parent9175f49330d199c03eb970f799526c9d479b5f1a (diff)
downloadlinux-55bd5e685bda455b9b50c835f8c8442d52a344a3.tar.xz
drm/dp/mst: fix buffer overflows in sideband chunk accumulation
drm_dp_sideband_append_payload() has three related bugs when processing device-provided sideband reply data: 1. Zero-length curchunk_len underflow: msg_len is a 6-bit field taken directly from the DP sideband header. If a device sends msg_len=0, curchunk_len is set to zero. The condition (curchunk_idx >= curchunk_len) is immediately true, and curchunk_len-1 wraps to 255 (u8 underflow). drm_dp_msg_data_crc4() reads 255 bytes from chunk[48], then memcpy() writes 255 bytes into msg[], both far out of bounds. 2. chunk[48] overflow: curchunk_len can reach 63 (6-bit field). chunk[] is only 48 bytes. Multi-iteration payload assembly appends 16-byte blocks until curchunk_idx reaches curchunk_len, writing up to 15 bytes past the end of chunk[] into msg[]. 3. msg[256] overflow: each chunk contributes (curchunk_len-1) bytes to msg[]. No check ensures curlen + (curchunk_len-1) stays within msg[256], so the memcpy can spill into adjacent struct fields. All three are reachable from any DP MST device that can forge sideband reply messages on a physical connection. Fixes: ad7f8a1f9ced ("drm/helper: add Displayport multi-stream helper (v0.6)") Cc: <stable@vger.kernel.org> # v3.17+ Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com> Reviewed-by: Lyude Paul <lyude@redhat.com> Signed-off-by: Lyude Paul <lyude@redhat.com> Link: https://patch.msgid.link/20260410041901.2438960-1-ashutoshdesai993@gmail.com
Diffstat (limited to 'include/linux')
0 files changed, 0 insertions, 0 deletions