Bugzilla – Bug 1191949
VUL-1: CVE-2021-42327: kernel-source: dp_link_settings_write in drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
Last modified: 2022-07-21 20:17:06 UTC
CVE-2021-42327

dp_link_settings_write in drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c in the Linux kernel through 5.14.14 allows a heap-based buffer overflow by an attacker who can write a string to the AMD GPU display drivers debug filesystem. There are no checks on size within parse_write_buffer_into_params when it uses the size of copy_from_user to copy a userspace buffer into a 40-byte heap buffer.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42327
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42327
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
https://www.mail-archive.com/amd-gfx@lists.freedesktop.org/msg69080.html
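The length handling described above, as an added userspace model that is not code from the kernel tree or from this bug report: `write_unchecked` copies with the caller-supplied size into a 40-byte heap buffer, and `write_bounded` shows one way to bound it. The function names, the `model_copy_from_user` stand-in and the choice to reject oversized writes with `-EINVAL` are assumptions; the upstream commits referenced on this page may bound the copy differently.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define WR_BUF_SIZE 40 /* heap buffer size given in the CVE description */

/* Userspace stand-in for copy_from_user(); returns bytes NOT copied. */
static size_t model_copy_from_user(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
    return 0;
}

/* Pre-fix pattern, for contrast: the copy length is the caller-supplied
 * write size, so any size > WR_BUF_SIZE runs past the allocation. */
long write_unchecked(const char *ubuf, size_t size, long *param)
{
    char *wr_buf = calloc(1, WR_BUF_SIZE);
    if (!wr_buf)
        return -ENOMEM;
    model_copy_from_user(wr_buf, ubuf, size); /* size is never checked */
    *param = strtol(wr_buf, NULL, 16);
    free(wr_buf);
    return (long)size;
}

/* Bounded form: reject empty writes and anything that would not leave
 * room for the terminating NUL inside the 40-byte buffer. */
long write_bounded(const char *ubuf, size_t size, long *param)
{
    char *wr_buf, *end;
    long ret;
    if (size == 0 || size >= WR_BUF_SIZE)
        return -EINVAL;
    if (!(wr_buf = calloc(1, WR_BUF_SIZE)))
        return -ENOMEM;
    ret = model_copy_from_user(wr_buf, ubuf, size) ? -EFAULT : (long)size;
    *param = strtol(wr_buf, &end, 16);
    if (ret > 0 && end == wr_buf)
        ret = -EINVAL; /* no hex digits found */
    free(wr_buf);
    return ret;
}

int main(void)
{
    long p = 0;
    return write_bounded("0x1f\n", 5, &p) == 5 ? 0 : 1;
}
```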
Looks like this is already fixed: https://github.com/openSUSE/kernel/commit/79b81d09a83b47333fbbd33e4fea01ea261cceaa
Affected branches:
- SLE15-SP4
- SLE15-SP4-AZURE
- SLE15-SP4-RT

The bug got introduced in:
918698d5c2b5 drm/amd/display: Return the number of bytes parsed than allocated

I will backport the fix found in:
f23750b5b3d9 drm/amdgpu: fix out of bounds write

As Marcus mentioned, there are more bugs of the same type. I've sent a patch to fix these to upstream (amd-gfx mailing list). I will also backport this patch when it is accepted.
I have now backported the following upstream patches to SLE15-SP4:

commit 5afa7898ab7a0ec9c28556a91df714bf3c2f725e
Author: Thelford Williams <tdwilliamsiv@gmail.com>
Date: Wed Oct 13 16:04:13 2021 -0400

drm/amdgpu: fix out of bounds write

commit 3f4e54bd312d3dafb59daf2b97ffa08abebe60f5
Author: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Date: Wed Oct 27 16:27:30 2021 +0200

drm/amdgpu: Fix even more out of bound writes from debugfs

The bug is considered done and I'm assigning back to security team.
Done, closing.