Bug 1222425 (CVE-2024-26797)

Summary: VUL-0: CVE-2024-26797: kernel: drm/amd/display: Prevent potential buffer overflow in map_hw_resources
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: gianluca.gabrielli
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/400349/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-26797:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-04-08 07:05:34 UTC 
In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Prevent potential buffer overflow in map_hw_resources

Adds a check in the map_hw_resources function to prevent a potential
buffer overflow. The function was accessing arrays using an index that
could potentially be greater than the size of the arrays, leading to a
buffer overflow.

Adds a check to ensure that the index is within the bounds of the
arrays. If the index is out of bounds, an error message is printed and
break it will continue execution with just ignoring extra data early to
prevent the buffer overflow.

Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/dml2/dml2_wrapper.c:79 map_hw_resources() error: buffer overflow 'dml2->v20.scratch.dml_to_dc_pipe_mapping.disp_cfg_to_stream_id' 6 <= 7
drivers/gpu/drm/amd/amdgpu/../display/dc/dml2/dml2_wrapper.c:81 map_hw_resources() error: buffer overflow 'dml2->v20.scratch.dml_to_dc_pipe_mapping.disp_cfg_to_plane_id' 6 <= 7

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26797
https://www.cve.org/CVERecord?id=CVE-2024-26797
https://git.kernel.org/stable/c/0f8ca019544a252d1afb468ce840c6dcbac73af4
https://git.kernel.org/stable/c/50a6302cf881f67f1410461a68fe9eabd00ff31d
https://bugzilla.redhat.com/show_bug.cgi?id=2273436