From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4DE432F9D85; Thu, 28 May 2026 20:20:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779999634; cv=none; b=QVuyV8uSoHWdFRFxRbxgcd6cdoPmrHQhr/0qhPdwsb494SAQemtB+FE3zUTv3mkb9vddi6ndrxpJQltxYY+1obsXxhCBsG6DyhiI9j0C0iHzoQ8E2mQWiLr+5Wj6Rb4Zhztl6SNUp2GRVtrgVPd0uv0Xbp+PXXh1lR5kqPYIW8c= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779999634; c=relaxed/simple; bh=n+hoKIZTHVs0iIEuKYUyeJGmwE5WLNq/L0yYPLDyD60=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=oEaELQ4/Ls3aBohIU463yey6d78ogcvJlY7880oAszNMPTU2o0lCis0Q1+11Afpz9TkbZsAnhui0B8vp4MyM1qxFmvq9yZ1uK1vubhPaw6c+sd6iSB1qKk7lOKi2/6kzraf7GZzT7wpf8ACeubF6Ci/aMEOqMMJHzKGpRRX+BxQ= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=BWOC1A6I; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="BWOC1A6I" Received: by smtp.kernel.org (Postfix) with ESMTPSA id AB5F91F000E9; Thu, 28 May 2026 20:20:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1779999633; bh=WCWYtAS36Z1rj3jPbeBESGZvj6jNn4rQFXSGzWQkWN0=; h=From:To:Cc:Subject:Date:In-Reply-To:References; b=BWOC1A6IdTaefkkZT3BD1UJvSnc0Saz4prr4w4IkI0t5Lu0OB+3ZKZgLCJ8TXdsKu fhGvBGDpI1PQBcvZ7KT63fqr+VcqnC4HCw0O0w67BMtK6u80ezyzxSVIvh5gaUFdlY kBhhzIZk7ozkjLsV7e4i9KB2LAem0nWUd6hGJ9Ls= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Alex Hung , Harry Wentland , Ivan Lipski , Dan Wheeler , Alex Deucher Subject: [PATCH 6.18 136/377] drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async Date: Thu, 28 May 2026 21:46:14 +0200 Message-ID: <20260528194642.313190719@linuxfoundation.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260528194638.371537336@linuxfoundation.org> References: <20260528194638.371537336@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Harry Wentland commit 6c92f6d9600efa3ef0d9e560a2b52776d9803c29 upstream. [Why&How] dc_process_dmub_aux_transfer_async() copies payload->length bytes into a 16-byte stack buffer (dpaux.data[16]) guarded only by an ASSERT(), which is a no-op in release builds. If a caller ever passes length > 16 this results in a stack buffer overflow via memcpy. Additionally, link_index is used to dereference dc->links[] without bounds checking against dc->link_count, risking an out-of-bounds access. Replace the ASSERT with a hard runtime check that returns false when payload->length exceeds the destination buffer size, and add a bounds check for link_index before it is used. Assisted-by: GitHub Copilot:Claude claude-4-opus Reviewed-by: Alex Hung Signed-off-by: Harry Wentland Signed-off-by: Ivan Lipski Tested-by: Dan Wheeler Signed-off-by: Alex Deucher (cherry picked from commit ba4caa9fecdf7a38f98c878ad05a8a64148b6881) Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/drm/amd/display/dc/core/dc.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) --- a/drivers/gpu/drm/amd/display/dc/core/dc.c +++ b/drivers/gpu/drm/amd/display/dc/core/dc.c @@ -5884,7 +5884,11 @@ bool dc_process_dmub_aux_transfer_async( uint8_t action; union dmub_rb_cmd cmd = {0}; - ASSERT(payload->length <= 16); + if (link_index >= dc->link_count || !dc->links[link_index]) + return false; + + if (payload->length > sizeof(cmd.dp_aux_access.aux_control.dpaux.data)) + return false; cmd.dp_aux_access.header.type = DMUB_CMD__DP_AUX_ACCESS; cmd.dp_aux_access.header.payload_bytes = 0;