We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
In the Linux kernel, the following vulnerability has been resolved: drm/dp_mst: Fix MST sideband message body length check Fix the MST sideband message body length check, which must be at least 1 byte accounting for the message body CRC (aka message data CRC) at the end of the message. This fixes a case where an MST branch device returns a header with a correct header CRC (indicating a correctly received body length), with the body length being incorrectly set to 0. This will later lead to a memory corruption in drm_dp_sideband_append_payload() and the following errors in dmesg: UBSAN: array-index-out-of-bounds in drivers/gpu/drm/display/drm_dp_mst_topology.c:786:25 index -1 is out of range for type 'u8 [48]' Call Trace: drm_dp_sideband_append_payload+0x33d/0x350 [drm_display_helper] drm_dp_get_one_sb_msg+0x3ce/0x5f0 [drm_display_helper] drm_dp_mst_hpd_irq_handle_event+0xc8/0x1580 [drm_display_helper] memcpy: detected field-spanning write (size 18446744073709551615) of single field "&msg->msg[msg->curlen]" at drivers/gpu/drm/display/drm_dp_mst_topology.c:791 (size 256) Call Trace: drm_dp_sideband_append_payload+0x324/0x350 [drm_display_helper] drm_dp_get_one_sb_msg+0x3ce/0x5f0 [drm_display_helper] drm_dp_mst_hpd_irq_handle_event+0xc8/0x1580 [drm_display_helper]
Reserved 2024-12-27 | Published 2024-12-27 | Updated 2025-01-20 | Assigner Linuxgit.kernel.org/...c/109f91d8b9335b0f3714ef9920eae5a8b21d56af
git.kernel.org/...c/70e7166612f4e6da8d7d0305c47c465d88d037e5
git.kernel.org/...c/780fa184d4dc38ad6c4fded345ab8f9be7a63e96
git.kernel.org/...c/c58947a8d4a500902597ee1dbadf0518d7ff8801
git.kernel.org/...c/1fc1f32c4a3421b9d803f18ec3ef49db2fb5d5ef
git.kernel.org/...c/bd2fccac61b40eaf08d9546acc9fef958bfe4763
Support options