AZL-70376

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix slab-use-after-free in hdcp

The HDCP code in amdgpudmhdcp.c copies pointers to amdgpudmconnector objects without incrementing the kref reference counts. When using a USB-C dock, and the dock is unplugged, the corresponding amdgpudmconnector objects are freed, creating dangling pointers in the HDCP code. When the dock is plugged back, the dangling pointers are dereferenced, resulting in a slab-use-after-free:

[ 66.775837] BUG: KASAN: slab-use-after-free in eventpropertyvalidate+0x42f/0x6c0 [amdgpu] [ 66.776171] Read of size 4 at addr ffff888127804120 by task kworker/0:1/10

[ 66.776179] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.14.0-rc7-00180-g54505f727a38-dirty #233 [ 66.776183] Hardware name: HP HP Pavilion Aero Laptop 13-be0xxx/8916, BIOS F.17 12/18/2024 [ 66.776186] Workqueue: events eventpropertyvalidate [amdgpu] [ 66.776494] Call Trace: [ 66.776496] <TASK> [ 66.776497] dumpstacklvl+0x70/0xa0 [ 66.776504] print_report+0x175/0x555 [ 66.776507] ? __virtaddrvalid+0x243/0x450 [ 66.776510] ? kasancompletemodereportinfo+0x66/0x1c0 [ 66.776515] kasanreport+0xeb/0x1c0 [ 66.776518] ? eventpropertyvalidate+0x42f/0x6c0 [amdgpu] [ 66.776819] ? eventproperty_validate+0x42f/0x6c0 [amdgpu] [ 66.777121] __asanreportload4noabort+0x14/0x20 [ 66.777124] eventproperty_validate+0x42f/0x6c0 [amdgpu] [ 66.777342] ? __lockacquire+0x6b40/0x6b40 [ 66.777347] ? enableassr+0x250/0x250 [amdgpu] [ 66.777571] processonework+0x86b/0x1510 [ 66.777575] ? pwqdecnrinflight+0xcf0/0xcf0 [ 66.777578] ? assignwork+0x16b/0x280 [ 66.777580] ? lockisheldtype+0xa3/0x130 [ 66.777583] workerthread+0x5c0/0xfa0 [ 66.777587] ? processonework+0x1510/0x1510 [ 66.777588] kthread+0x3a2/0x840 [ 66.777591] ? kthreadispercpu+0xd0/0xd0 [ 66.777594] ? tracehardirqson+0x4f/0x60 [ 66.777597] ? rawspinunlockirq+0x27/0x60 [ 66.777599] ? calculatesigpending+0x77/0xa0 [ 66.777602] ? kthreadispercpu+0xd0/0xd0 [ 66.777605] retfromfork+0x40/0x90 [ 66.777607] ? kthreadispercpu+0xd0/0xd0 [ 66.777609] retfromforkasm+0x11/0x20 [ 66.777614] </TASK>

[ 66.777643] Allocated by task 10: [ 66.777646] kasansavestack+0x39/0x60 [ 66.777649] kasansavetrack+0x14/0x40 [ 66.777652] kasansavealloc_info+0x37/0x50 [ 66.777655] __kasan_kmalloc+0xbb/0xc0 [ 66.777658] __kmalloccachenoprof+0x1c8/0x4b0 [ 66.777661] dmdpaddmstconnector+0xdd/0x5c0 [amdgpu] [ 66.777880] drmdpmstportaddconnector+0x47e/0x770 [drmdisplayhelper] [ 66.777892] drmdpsendlinkaddress+0x1554/0x2bf0 [drmdisplayhelper] [ 66.777901] drmdpcheckandsendlinkaddress+0x187/0x1f0 [drmdisplayhelper] [ 66.777909] drmdpmstlinkprobework+0x2b8/0x410 [drmdisplayhelper] [ 66.777917] processonework+0x86b/0x1510 [ 66.777919] workerthread+0x5c0/0xfa0 [ 66.777922] kthread+0x3a2/0x840 [ 66.777925] retfromfork+0x40/0x90 [ 66.777927] retfromforkasm+0x11/0x20

[ 66.777932] Freed by task 1713: [ 66.777935] kasansavestack+0x39/0x60 [ 66.777938] kasansavetrack+0x14/0x40 [ 66.777940] kasansavefree_info+0x3b/0x60 [ 66.777944] __kasanslabfree+0x52/0x70 [ 66.777946] kfree+0x13f/0x4b0 [ 66.777949] dmdpmstconnectordestroy+0xfa/0x150 [amdgpu] [ 66.778179] drmconnectorfree+0x7d/0xb0 [ 66.778184] drmmodeobjectput.part.0+0xee/0x160 [ 66.778188] drmmodeobjectput+0x37/0x50 [ 66.778191] drmatomicstatedefaultclear+0x220/0xd60 [ 66.778194] __drmatomicstate_free+0x16e/0x2a0 [ 66.778197] drmmodeatomicioctl+0x15ed/0x2ba0 [ 66.778200] drmioctlkernel+0x17a/0x310 [ 66.778203] drmioctl+0x584/0xd10 [ 66.778206] amdgpudrmioctl+0xd2/0x1c0 [amdgpu] [ 66.778375] __x64sysioctl+0x139/0x1a0 [ 66.778378] x64syscall+0xee7/0xfb0 [ 66.778381] ---truncated---