Bug 1191949 - (CVE-2021-42327) VUL-1: CVE-2021-42327: kernel-source: dp_link_settings_write in drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/313292/
Reported: 2021-10-22 10:03 UTC by Alexander Bergmann
Modified: 2022-07-21 20:17 UTC
Found By: Security Response Team
Description Alexander Bergmann 2021-10-22 10:03:45 UTC
CVE-2021-42327

dp_link_settings_write in
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c in the Linux kernel
through 5.14.14 allows a heap-based buffer overflow by an attacker who can write
a string to the AMD GPU display drivers debug filesystem. There are no checks on
size within parse_write_buffer_into_params when it uses the size of
copy_from_user to copy a userspace buffer into a 40-byte heap buffer.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42327
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42327
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
https://www.mail-archive.com/amd-gfx@lists.freedesktop.org/msg69080.html
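
A userspace model of the bug class described above, added here as an illustration; it is not the kernel's code and not the upstream patch. Only the 40-byte buffer size comes from the CVE text; `model_copy`, `unchecked_overrun`, `bounded_parse` and the hex parsing of parameters are assumptions of the model.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WR_BUF_SIZE 40 /* the 40-byte heap buffer named in the CVE text */

/* Userspace stand-in for copy_from_user() (assumption of this model). */
static void model_copy(char *dst, const char *src, size_t n)
{
    memcpy(dst, src, n);
}

/* Vulnerable shape: the copy length is the caller-controlled write size.
 * Returns how many bytes would land past the buffer end (0 = in bounds);
 * the copy is not performed, so the example has no undefined behaviour. */
size_t unchecked_overrun(size_t size)
{
    return size > WR_BUF_SIZE ? size - WR_BUF_SIZE : 0;
}

/* Hardened shape: clamp to the buffer capacity before copying, then parse. */
int bounded_parse(const char *ubuf, size_t size, long *params, int max_params)
{
    char *wr_buf = calloc(1, WR_BUF_SIZE);
    size_t len = size < WR_BUF_SIZE - 1 ? size : WR_BUF_SIZE - 1;
    int n = 0;

    if (!wr_buf)
        return -1;
    model_copy(wr_buf, ubuf, len); /* wr_buf[len] stays NUL from calloc */
    for (char *tok = strtok(wr_buf, " \n"); tok && n < max_params;
         tok = strtok(NULL, " \n"))
        params[n++] = strtol(tok, NULL, 16); /* hex parameters (assumed) */
    free(wr_buf);
    return n;
}

int main(void)
{
    char big[200]; /* constructed oversized write */
    long p[2];

    memset(big, 'A', sizeof(big));
    printf("unchecked overrun: %zu bytes\n", unchecked_overrun(sizeof(big)));
    printf("oversized write, bounded: %d param(s)\n", bounded_parse(big, sizeof(big), p, 2));
    printf("\"4 14\", bounded: %d param(s)\n", bounded_parse("4 14\n", 5, p, 2));
    return 0;
}
```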
Comment 1 Alexander Bergmann 2021-10-22 13:53:47 UTC
Looks like this is already fixed:

https://github.com/openSUSE/kernel/commit/79b81d09a83b47333fbbd33e4fea01ea261cceaa
Comment 5 Patrik Jakobsson 2021-10-27 15:38:19 UTC
Affected branches:
- SLE15-SP4
- SLE15-SP4-AZURE
- SLE15-SP4-RT

The bug got introduced in:
918698d5c2b5 drm/amd/display: Return the number of bytes parsed than allocated

I will backport the fix found in:
f23750b5b3d9 drm/amdgpu: fix out of bounds write

As Marcus mentioned, there are more bugs of the same type. I've sent a patch to fix these to upstream (amd-gfx mailing list). I will also backport this patch when it is accepted.
Comment 6 Patrik Jakobsson 2021-10-29 13:02:38 UTC
I have now backported the following upstream patches to SLE15-SP4:

commit 5afa7898ab7a0ec9c28556a91df714bf3c2f725e
Author: Thelford Williams <tdwilliamsiv@gmail.com>
Date:   Wed Oct 13 16:04:13 2021 -0400

    drm/amdgpu: fix out of bounds write

commit 3f4e54bd312d3dafb59daf2b97ffa08abebe60f5
Author: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Date:   Wed Oct 27 16:27:30 2021 +0200

    drm/amdgpu: Fix even more out of bound writes from debugfs

The bug is considered done and I'm assigning back to security team.
Comment 11 Carlos López 2022-06-09 11:23:20 UTC
Done, closing.