mirror of
https://github.com/0xMarcio/cve.git
synced 2025-11-28 18:48:49 +00:00
25 lines
2.3 KiB
Markdown
25 lines
2.3 KiB
Markdown
### [CVE-2024-57876](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-57876)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
### Description
|
|
|
|
In the Linux kernel, the following vulnerability has been resolved:drm/dp_mst: Fix resetting msg rx state after topology removalIf the MST topology is removed during the reception of an MST down replyor MST up request sideband message, thedrm_dp_mst_topology_mgr::up_req_recv/down_rep_recv states could be resetfrom one thread via drm_dp_mst_topology_mgr_set_mst(false), racing withthe reading/parsing of the message from another thread viadrm_dp_mst_handle_down_rep() or drm_dp_mst_handle_up_req(). The race ispossible since the reader/parser doesn't hold any lock while accessingthe reception state. This in turn can lead to a memory corruption in thereader/parser as described by commit bd2fccac61b4 ("drm/dp_mst: Fix MSTsideband message body length check").Fix the above by resetting the message reception state if needed beforereading/parsing a message. Another solution would be to hold thedrm_dp_mst_topology_mgr::lock for the whole duration of the messagereception/parsing in drm_dp_mst_handle_down_rep() anddrm_dp_mst_handle_up_req(), however this would require a bigger change.Since the fix is also needed for stable, opting for the simpler solutionin this patch.
|
|
|
|
### POC
|
|
|
|
#### Reference
|
|
No PoCs from references.
|
|
|
|
#### Github
|
|
- https://github.com/ARPSyndicate/cve-scores
|
|
- https://github.com/w4zu/Debian_security
|
|
|