2.3 KiB
CVE-2024-57876
Description
In the Linux kernel, the following vulnerability has been resolved:drm/dp_mst: Fix resetting msg rx state after topology removalIf the MST topology is removed during the reception of an MST down replyor MST up request sideband message, thedrm_dp_mst_topology_mgr::up_req_recv/down_rep_recv states could be resetfrom one thread via drm_dp_mst_topology_mgr_set_mst(false), racing withthe reading/parsing of the message from another thread viadrm_dp_mst_handle_down_rep() or drm_dp_mst_handle_up_req(). The race ispossible since the reader/parser doesn't hold any lock while accessingthe reception state. This in turn can lead to a memory corruption in thereader/parser as described by commit bd2fccac61b4 ("drm/dp_mst: Fix MSTsideband message body length check").Fix the above by resetting the message reception state if needed beforereading/parsing a message. Another solution would be to hold thedrm_dp_mst_topology_mgr::lock for the whole duration of the messagereception/parsing in drm_dp_mst_handle_down_rep() anddrm_dp_mst_handle_up_req(), however this would require a bigger change.Since the fix is also needed for stable, opting for the simpler solutionin this patch.
POC
Reference
No PoCs from references.