Bug 1191949 (CVE-2021-42327)

Summary: VUL-1: CVE-2021-42327: kernel-source: dp_link_settings_write in drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
Product: [Novell Products] SUSE Security Incidents
Component: Incidents
Reporter: Alexander Bergmann <abergmann>
Assignee: Security Team bot <security-team>
QA Contact: Security Team bot <security-team>
Status: RESOLVED FIXED
Severity: Minor
Priority: P4 - Low
CC: abergmann, bpetkov, carlos.lopez, meissner, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/313292/
Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2021-10-22 10:03:45 UTC
CVE-2021-42327

dp_link_settings_write in
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c in the Linux kernel
through 5.14.14 allows a heap-based buffer overflow by an attacker who can write
a string to the AMD GPU display drivers debug filesystem. There are no checks on
size within parse_write_buffer_into_params when it uses the size of
copy_from_user to copy a userspace buffer into a 40-byte heap buffer.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42327
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42327
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
https://www.mail-archive.com/amd-gfx@lists.freedesktop.org/msg69080.html
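
An added example, not part of the bug report or the kernel source: a user-space C model of the pattern the description names, a 40-byte buffer whose copy length has to be bounded by the destination rather than by the size of the write. `struct guarded_buf`, `model_copy_from_user`, `bounded_write` and the truncate-to-fit policy are assumptions of this sketch.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define WR_BUF_SIZE 40          /* buffer size given in the CVE text */
#define CANARY 0xA5A5A5A5u      /* constructed guard value */

/* Constructed layout: a guard word right after the buffer makes any
 * out-of-bounds write observable in a test. */
struct guarded_buf {
    char buf[WR_BUF_SIZE];
    uint32_t canary;
};

/* User-space stand-in for copy_from_user(); returns bytes NOT copied. */
static unsigned long model_copy_from_user(void *to, const void *from, size_t n)
{
    memcpy(to, from, n);
    return 0;
}

/* The flawed pattern passes the caller's write size straight to the copy.
 * Here the length is limited by the destination, never by the caller. */
long bounded_write(struct guarded_buf *g, const char *user_buf, size_t size)
{
    size_t n = size < WR_BUF_SIZE - 1 ? size : WR_BUF_SIZE - 1;

    if (!g || !user_buf || size == 0)
        return -EINVAL;
    memset(g->buf, 0, sizeof(g->buf));
    g->canary = CANARY;
    if (model_copy_from_user(g->buf, user_buf, n))
        return -EFAULT;
    return (long)n;             /* bytes stored; buf stays NUL-terminated */
}

/* Constructed input: a 200-byte write must leave the guard word intact. */
int oversized_write_is_contained(void)
{
    struct guarded_buf g;
    char input[200];

    memset(input, 'A', sizeof(input));
    return bounded_write(&g, input, sizeof(input)) == WR_BUF_SIZE - 1 &&
           g.canary == CANARY && g.buf[WR_BUF_SIZE - 1] == '\0';
}

int main(void) { return oversized_write_is_contained() ? 0 : 1; }
```

The same guard-word check works as a regression test for any handler that copies a caller-sized write into a fixed buffer.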

Comment 1 Alexander Bergmann 2021-10-22 13:53:47 UTC
Looks like this is already fixed:

https://github.com/openSUSE/kernel/commit/79b81d09a83b47333fbbd33e4fea01ea261cceaa

Comment 5 Patrik Jakobsson 2021-10-27 15:38:19 UTC
Affected branches:
- SLE15-SP4
- SLE15-SP4-AZURE
- SLE15-SP4-RT

The bug got introduced in:
918698d5c2b5 drm/amd/display: Return the number of bytes parsed than allocated

I will backport the fix found in:
f23750b5b3d9 drm/amdgpu: fix out of bounds write

As Marcus mentioned, there are more bugs of the same type. I've sent a patch to fix these to upstream (amd-gfx mailing list). I will also backport this patch when it is accepted.

Comment 6 Patrik Jakobsson 2021-10-29 13:02:38 UTC
I have now backported the following upstream patches to SLE15-SP4:

commit 5afa7898ab7a0ec9c28556a91df714bf3c2f725e
Author: Thelford Williams <tdwilliamsiv@gmail.com>
Date:   Wed Oct 13 16:04:13 2021 -0400

    drm/amdgpu: fix out of bounds write

commit 3f4e54bd312d3dafb59daf2b97ffa08abebe60f5
Author: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Date:   Wed Oct 27 16:27:30 2021 +0200

    drm/amdgpu: Fix even more out of bound writes from debugfs

The bug is considered done and I'm assigning it back to the security team.

Comment 11 Carlos López 2022-06-09 11:23:20 UTC
Done, closing.