We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-56616

drm/dp_mst: Fix MST sideband message body length check



Description

In the Linux kernel, the following vulnerability has been resolved: drm/dp_mst: Fix MST sideband message body length check Fix the MST sideband message body length check, which must be at least 1 byte accounting for the message body CRC (aka message data CRC) at the end of the message. This fixes a case where an MST branch device returns a header with a correct header CRC (indicating a correctly received body length), with the body length being incorrectly set to 0. This will later lead to a memory corruption in drm_dp_sideband_append_payload() and the following errors in dmesg: UBSAN: array-index-out-of-bounds in drivers/gpu/drm/display/drm_dp_mst_topology.c:786:25 index -1 is out of range for type 'u8 [48]' Call Trace: drm_dp_sideband_append_payload+0x33d/0x350 [drm_display_helper] drm_dp_get_one_sb_msg+0x3ce/0x5f0 [drm_display_helper] drm_dp_mst_hpd_irq_handle_event+0xc8/0x1580 [drm_display_helper] memcpy: detected field-spanning write (size 18446744073709551615) of single field "&msg->msg[msg->curlen]" at drivers/gpu/drm/display/drm_dp_mst_topology.c:791 (size 256) Call Trace: drm_dp_sideband_append_payload+0x324/0x350 [drm_display_helper] drm_dp_get_one_sb_msg+0x3ce/0x5f0 [drm_display_helper] drm_dp_mst_hpd_irq_handle_event+0xc8/0x1580 [drm_display_helper]

Reserved 2024-12-27 | Published 2024-12-27 | Updated 2025-01-20 | Assigner Linux

Product status

Default status
unaffected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 109f91d8b9335b0f3714ef9920eae5a8b21d56af
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 70e7166612f4e6da8d7d0305c47c465d88d037e5
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 780fa184d4dc38ad6c4fded345ab8f9be7a63e96
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before c58947a8d4a500902597ee1dbadf0518d7ff8801
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 1fc1f32c4a3421b9d803f18ec3ef49db2fb5d5ef
affected

1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before bd2fccac61b40eaf08d9546acc9fef958bfe4763
affected

Default status
affected

5.10.233
unaffected

5.15.176
unaffected

6.1.120
unaffected

6.6.66
unaffected

6.12.5
unaffected

6.13
unaffected

References

git.kernel.org/...c/109f91d8b9335b0f3714ef9920eae5a8b21d56af

git.kernel.org/...c/70e7166612f4e6da8d7d0305c47c465d88d037e5

git.kernel.org/...c/780fa184d4dc38ad6c4fded345ab8f9be7a63e96

git.kernel.org/...c/c58947a8d4a500902597ee1dbadf0518d7ff8801

git.kernel.org/...c/1fc1f32c4a3421b9d803f18ec3ef49db2fb5d5ef

git.kernel.org/...c/bd2fccac61b40eaf08d9546acc9fef958bfe4763

cve.org (CVE-2024-56616)

nvd.nist.gov (CVE-2024-56616)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-56616

Support options

Helpdesk Chat, Email, Knowledgebase
Subscribe to our newsletter to learn more about our work.