In the Linux kernel, the following vulnerability has been resolved:
drm/dp_mst: Fix MST sideband message body length check
Fix the MST sideband message body length check, which must be at least 1 byte accounting for the message body CRC (aka message data CRC) at the end of the message.
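This fixes a case where an MST branch device returns a header with a correct header CRC (indicating a correctly received body length), with the body length being incorrectly set to 0. This will later lead to a memory corruption in drm_dp_sideband_append_payload() and the following errors in dmesg (the index -1 and the copy size 18446744073709551615, i.e. (size_t)-1, are consistent with subtracting the 1-byte body CRC from a body length of 0):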
UBSAN: array-index-out-of-bounds in drivers/gpu/drm/display/drm_dp_mst_topology.c:786:25
index -1 is out of range for type 'u8 [48]'
Call Trace:
 drm_dp_sideband_append_payload+0x33d/0x350 [drm_display_helper]
 drm_dp_get_one_sb_msg+0x3ce/0x5f0 [drm_display_helper]
 drm_dp_mst_hpd_irq_handle_event+0xc8/0x1580 [drm_display_helper]
memcpy: detected field-spanning write (size 18446744073709551615) of single field "&msg->msg[msg->curlen]" at drivers/gpu/drm/display/drm_dp_mst_topology.c:791 (size 256)
Call Trace:
 drm_dp_sideband_append_payload+0x324/0x350 [drm_display_helper]
 drm_dp_get_one_sb_msg+0x3ce/0x5f0 [drm_display_helper]
 drm_dp_mst_hpd_irq_handle_event+0xc8/0x1580 [drm_display_helper]
[
{
"id": "CVE-2024-56616-08fcc06e",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"255954982552805568670955489845403139350",
"5583844537523614365497181688822209091",
"116628728688768378168834515004117265476",
"240812705198919191738947854230310095707"
],
"threshold": 0.9
},
"target": {
"file": "drivers/gpu/drm/display/drm_dp_mst_topology.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1fc1f32c4a3421b9d803f18ec3ef49db2fb5d5ef",
"signature_type": "Line"
},
{
"id": "CVE-2024-56616-09942384",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 1012.0,
"function_hash": "320956513389895280985227910194387128841"
},
"target": {
"function": "drm_dp_decode_sideband_msg_hdr",
"file": "drivers/gpu/drm/display/drm_dp_mst_topology.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c58947a8d4a500902597ee1dbadf0518d7ff8801",
"signature_type": "Function"
},
{
"id": "CVE-2024-56616-13801932",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 1012.0,
"function_hash": "320956513389895280985227910194387128841"
},
"target": {
"function": "drm_dp_decode_sideband_msg_hdr",
"file": "drivers/gpu/drm/drm_dp_mst_topology.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@70e7166612f4e6da8d7d0305c47c465d88d037e5",
"signature_type": "Function"
},
{
"id": "CVE-2024-56616-1e8cddf5",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"255954982552805568670955489845403139350",
"5583844537523614365497181688822209091",
"116628728688768378168834515004117265476",
"240812705198919191738947854230310095707"
],
"threshold": 0.9
},
"target": {
"file": "drivers/gpu/drm/drm_dp_mst_topology.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@70e7166612f4e6da8d7d0305c47c465d88d037e5",
"signature_type": "Line"
},
{
"id": "CVE-2024-56616-241cbb84",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"255954982552805568670955489845403139350",
"5583844537523614365497181688822209091",
"116628728688768378168834515004117265476",
"240812705198919191738947854230310095707"
],
"threshold": 0.9
},
"target": {
"file": "drivers/gpu/drm/display/drm_dp_mst_topology.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@780fa184d4dc38ad6c4fded345ab8f9be7a63e96",
"signature_type": "Line"
},
{
"id": "CVE-2024-56616-4630681b",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 1012.0,
"function_hash": "320956513389895280985227910194387128841"
},
"target": {
"function": "drm_dp_decode_sideband_msg_hdr",
"file": "drivers/gpu/drm/display/drm_dp_mst_topology.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1fc1f32c4a3421b9d803f18ec3ef49db2fb5d5ef",
"signature_type": "Function"
},
{
"id": "CVE-2024-56616-47b45079",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 975.0,
"function_hash": "171870790291958496679377314796930312160"
},
"target": {
"function": "drm_dp_decode_sideband_msg_hdr",
"file": "drivers/gpu/drm/drm_dp_mst_topology.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@109f91d8b9335b0f3714ef9920eae5a8b21d56af",
"signature_type": "Function"
},
{
"id": "CVE-2024-56616-72e7e872",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 1012.0,
"function_hash": "320956513389895280985227910194387128841"
},
"target": {
"function": "drm_dp_decode_sideband_msg_hdr",
"file": "drivers/gpu/drm/display/drm_dp_mst_topology.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bd2fccac61b40eaf08d9546acc9fef958bfe4763",
"signature_type": "Function"
},
{
"id": "CVE-2024-56616-848b506c",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"255954982552805568670955489845403139350",
"5583844537523614365497181688822209091",
"116628728688768378168834515004117265476",
"240812705198919191738947854230310095707"
],
"threshold": 0.9
},
"target": {
"file": "drivers/gpu/drm/display/drm_dp_mst_topology.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c58947a8d4a500902597ee1dbadf0518d7ff8801",
"signature_type": "Line"
},
{
"id": "CVE-2024-56616-8a672ad3",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"255954982552805568670955489845403139350",
"5583844537523614365497181688822209091",
"116628728688768378168834515004117265476",
"240812705198919191738947854230310095707"
],
"threshold": 0.9
},
"target": {
"file": "drivers/gpu/drm/display/drm_dp_mst_topology.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bd2fccac61b40eaf08d9546acc9fef958bfe4763",
"signature_type": "Line"
},
{
"id": "CVE-2024-56616-eb3055b3",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"255954982552805568670955489845403139350",
"5583844537523614365497181688822209091",
"116628728688768378168834515004117265476",
"240812705198919191738947854230310095707"
],
"threshold": 0.9
},
"target": {
"file": "drivers/gpu/drm/drm_dp_mst_topology.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@109f91d8b9335b0f3714ef9920eae5a8b21d56af",
"signature_type": "Line"
},
{
"id": "CVE-2024-56616-f97df2f0",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 1012.0,
"function_hash": "320956513389895280985227910194387128841"
},
"target": {
"function": "drm_dp_decode_sideband_msg_hdr",
"file": "drivers/gpu/drm/display/drm_dp_mst_topology.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@780fa184d4dc38ad6c4fded345ab8f9be7a63e96",
"signature_type": "Function"
}
]