From: Ashutosh Desai
To: dri-devel@lists.freedesktop.org
Cc: stable@vger.kernel.org, lyude@redhat.com, airlied@gmail.com,
    daniel@ffwll.ch, maarten.lankhorst@linux.intel.com, mripard@kernel.org,
    tzimmermann@suse.de, simona@ffwll.ch, linux-kernel@vger.kernel.org,
    Ashutosh Desai
Subject: [PATCH v2] drm/dp/mst: fix OOB reads on 2-byte fields in sideband reply parsers
Date: Sun, 10 May 2026 20:31:28 +0000
Message-Id: <20260510203128.2884846-1-ashutoshdesai993@gmail.com>

Three sideband reply parsers read 16-bit fields as:

  val = (raw->msg[idx] << 8) | (raw->msg[idx+1]);

and check bounds only after the fact. When idx == raw->curlen,
raw->msg[idx+1] reads one byte past the received message data into the
following struct fields (curchunk_len, curchunk_idx, curlen).

Affected functions:
  - drm_dp_sideband_parse_enum_path_resources_ack()
    full_payload_bw_number and avail_payload_bw_number fields
  - drm_dp_sideband_parse_allocate_payload_ack()
    allocated_pbn field
  - drm_dp_sideband_parse_query_payload_ack()
    allocated_pbn field

Fix by using a single combined check (idx + 2 > curlen) before each
2-byte read. Since the check is strictly tighter than idx > curlen,
no separate step is needed.

Cc: stable@vger.kernel.org
Signed-off-by: Ashutosh Desai Reviewed-by: Lyude Paul --- Changes in v2: - Drop separate idx > curlen check immediately before idx + 2 > curlen; the combined check strictly subsumes it (Lyude Paul) drivers/gpu/drm/display/drm_dp_mst_topology.c | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/drivers/gpu/drm/display/drm_dp_mst_topology.c b/drivers/gpu/dr= m/display/drm_dp_mst_topology.c index 9416a48804c8..6e7896193772 100644 --- a/drivers/gpu/drm/display/drm_dp_mst_topology.c +++ b/drivers/gpu/drm/display/drm_dp_mst_topology.c @@ -925,16 +925,13 @@ static bool drm_dp_sideband_parse_enum_path_resources= _ack(struct drm_dp_sideband repmsg->u.path_resources.port_number =3D (raw->msg[idx] >> 4) & 0xf; repmsg->u.path_resources.fec_capable =3D raw->msg[idx] & 0x1; idx++; - if (idx > raw->curlen) + if (idx + 2 > raw->curlen) goto fail_len; repmsg->u.path_resources.full_payload_bw_number =3D (raw->msg[idx] << 8) = | (raw->msg[idx+1]); idx +=3D 2; - if (idx > raw->curlen) + if (idx + 2 > raw->curlen) goto fail_len; repmsg->u.path_resources.avail_payload_bw_number =3D (raw->msg[idx] << 8)= | (raw->msg[idx+1]); - idx +=3D 2; - if (idx > raw->curlen) - goto fail_len; return true; fail_len: DRM_DEBUG_KMS("enum resource parse length fail %d %d\n", idx, raw->curlen= ); @@ -952,12 +949,9 @@ static bool drm_dp_sideband_parse_allocate_payload_ack= (struct drm_dp_sideband_ms goto fail_len; repmsg->u.allocate_payload.vcpi =3D raw->msg[idx]; idx++; - if (idx > raw->curlen) + if (idx + 2 > raw->curlen) goto fail_len; repmsg->u.allocate_payload.allocated_pbn =3D (raw->msg[idx] << 8) | (raw-= >msg[idx+1]); - idx +=3D 2; - if (idx > raw->curlen) - goto fail_len; return true; fail_len: DRM_DEBUG_KMS("allocate payload parse length fail %d %d\n", idx, raw->cur= len); 
@@ -971,12 +965,9 @@ static bool drm_dp_sideband_parse_query_payload_ack(st= ruct drm_dp_sideband_msg_r =20 repmsg->u.query_payload.port_number =3D (raw->msg[idx] >> 4) & 0xf; idx++; - if (idx > raw->curlen) + if (idx + 2 > raw->curlen) goto fail_len; repmsg->u.query_payload.allocated_pbn =3D (raw->msg[idx] << 8) | (raw->ms= g[idx + 1]); - idx +=3D 2; - if (idx > raw->curlen) - goto fail_len; return true; fail_len: DRM_DEBUG_KMS("query payload parse length fail %d %d\n", idx, raw->curlen= ); --=20 2.34.1
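
Review bot: the fail_len message in drm_dp_sideband_parse_enum_path_resources_ack() still prints only idx and raw->curlen, and with the new `idx + 2 > raw->curlen` checks it can fire while idx is still below curlen, which reads like an in-bounds position in the debug log. Consider also printing the number of bytes the field needs, or rewording the message to say a 2-byte field was truncated, so a failure on full_payload_bw_number or avail_payload_bw_number is distinguishable from the older idx-past-end case.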
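
Review bot: in drm_dp_sideband_parse_allocate_payload_ack() the single-byte read `repmsg->u.allocate_payload.vcpi = raw->msg[idx]` just above the changed check is guarded by a test whose condition lies outside this hunk. If it has the same `idx > raw->curlen` form that this patch replaces, idx == curlen still passes and msg[idx] is read one byte past the received data. Worth confirming, and if so tightening it to `idx + 1 > raw->curlen` in the same patch so that 1-byte and 2-byte fields follow one rule.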
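
Review bot: the check-then-read pair for allocated_pbn in drm_dp_sideband_parse_query_payload_ack() is the fourth open-coded copy in this patch of an `idx + 2 > raw->curlen` test followed by a `(raw->msg[idx] << 8) | raw->msg[idx+1]` read. A small static helper that takes raw and idx, performs the length check and returns the big-endian 16-bit value would keep the check and the read from drifting apart again, and would give later 2-byte fields a single place to get the bound right.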
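
The boundary condition described in the commit message, as an added example that is not part of the patch or of the kernel source. struct demo_raw, the demo_* functions and the two-field layout are constructed stand-ins; the example also guards its 1-byte read with idx + 1 > curlen, which is this example's choice.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the reply buffer; not the kernel's struct. */
struct demo_raw {
	uint8_t msg[8];
	uint8_t curlen;		/* number of valid bytes in msg[] */
};

/* Bytes the pre-patch ordering (check idx > curlen, then read both bytes)
 * would fetch from beyond the valid data before its later check fires. */
static int demo_old_overread(const struct demo_raw *raw, size_t idx)
{
	if (idx > raw->curlen)
		return 0;	/* the old pre-check already rejects this */
	return (idx >= raw->curlen) + (idx + 1 >= raw->curlen);
}

/* Patched ordering: both bytes must be inside curlen before any read. */
static bool demo_read_be16(const struct demo_raw *raw, size_t idx, uint16_t *out)
{
	if (idx + 2 > raw->curlen)
		return false;
	*out = (uint16_t)((raw->msg[idx] << 8) | raw->msg[idx + 1]);
	return true;
}

/* Hypothetical query-payload-like layout: port nibble byte, then 16-bit PBN. */
static bool demo_parse(const struct demo_raw *raw, uint8_t *port, uint16_t *pbn)
{
	size_t idx = 0;

	if (idx + 1 > raw->curlen)	/* 1-byte read guarded the same way */
		return false;
	*port = (raw->msg[idx] >> 4) & 0xf;
	idx++;
	return demo_read_be16(raw, idx, pbn);
}

int main(void)
{
	struct demo_raw cut = { .msg = { 0x30, 0x01 }, .curlen = 2 };	/* constructed */
	uint8_t port; uint16_t pbn;

	printf("old over-read bytes: %d, patched accepts: %d\n",
	       demo_old_overread(&cut, 1), demo_parse(&cut, &port, &pbn));
	return 0;
}
```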