A new vulnerability, identified as CVE-2024-56616, has been discovered and fixed in the Linux kernel. The issue lies in the drm/dp_mst (Direct Rendering Manager / DisplayPort Multi-Stream Transport) subsystem, specifically in the MST sideband message body length check. In this post, we discuss the details of this vulnerability, show the kernel log output it produces, and point to the original references.

Exploit Details

The Linux kernel drm/dp_mst subsystem handles DisplayPort Multi-Stream Transport, including the sideband messages exchanged with MST branch devices (DisplayPort hubs and daisy-chained monitors). This vulnerability arises when an MST branch device returns a sideband message header with a correct header CRC but a message body length of 0. The body length is supposed to include the body's trailing CRC byte, so the receive path subtracts one from the received body length before it indexes the chunk buffer and copies the body into the reassembled message; with a length of 0 that arithmetic wraps to -1, which shows up as an array index of -1 and a memcpy size of 18446744073709551615 (2^64 - 1) on a 64-bit kernel. The result is memory corruption in the drm_dp_sideband_append_payload() function and errors like the following in the dmesg log:

UBSAN: array-index-out-of-bounds in drivers/gpu/drm/display/drm_dp_mst_topology.c:786:25
index -1 is out of range for type 'u8 [48]'

Call Trace:

drm_dp_sideband_append_payload+0x33d/0x350 [drm_display_helper]
drm_dp_get_one_sb_msg+0x3ce/0x5f0 [drm_display_helper]
drm_dp_mst_hpd_irq_handle_event+0xc8/0x1580 [drm_display_helper]

memcpy: detected field-spanning write (size 18446744073709551615) of single field "&msg->msg[msg->curlen]" at drivers/gpu/drm/display/drm_dp_mst_topology.c:791 (size 256)

Call Trace:

drm_dp_sideband_append_payload+0x324/0x350 [drm_display_helper]
drm_dp_get_one_sb_msg+0x3ce/0x5f0 [drm_display_helper]
drm_dp_mst_hpd_irq_handle_event+0xc8/0x1580 [drm_display_helper]

Fix:

The fix changes the MST sideband message body length check so that a header whose body length is below one byte is rejected at decode time, before any body bytes are appended. Every body must carry at least its message body CRC (also known as the message data CRC) at the end of the message, so a length of 0 can never be valid, whatever the header CRC says. The patch can be seen here:

Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=665d3f3bc81f342df50d82e9c8bfd9d912f57ffd
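To make the arithmetic above concrete, here is a small user-space model of the header decode and body-append path. This is example code written for this post, not code from the kernel or from the patch: function and field names follow the kernel's for readability, but the CRC-4 helper, the receive state structure, the header layout (limited to lct=1, no RAD bytes) and the reply blocks are simplified assumptions. A flag selects whether the fix's minimum-length check is applied, so the same zero-length reply can be run through the unpatched and the fixed logic side by side.

```c
/* User-space model of the DP MST sideband header decode and body-append path,
 * written for this post (not kernel code). Names follow the kernel's; the CRC-4
 * helper, receive state and reply blocks are assumptions; headers are lct=1 only. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

typedef uint8_t u8;

struct sb_msg_rx {              /* sizes match the types in the reports above */
	u8 chunk[48];
	u8 curchunk_len, curchunk_idx;
	u8 msg[256];
	u8 curlen;
};

/* CRC-4 (poly x^4+x+1 = 0x13) over num_nibbles nibbles, MSB first, then flushed. */
static u8 header_crc4(const u8 *data, size_t num_nibbles)
{
	unsigned rem = 0;
	for (size_t bit = 0; bit < num_nibbles * 4 + 4; bit++) {
		rem = (rem << 1) | (bit < num_nibbles * 4 ? (data[bit / 8] >> (7 - bit % 8)) & 1 : 0);
		if (rem & 0x10)
			rem ^= 0x13;
	}
	return rem & 0xf;
}

/* 3-byte header with a correct CRC nibble and any msg_len: what the misbehaving
 * branch device sends. Returns the header length. */
static size_t build_sb_msg_hdr(u8 *buf, u8 msg_len)
{
	buf[0] = 0x10;                  /* lct=1, lcr=0 */
	buf[1] = msg_len & 0x3f;        /* broadcast=0, path_msg=0, 6-bit body length */
	buf[2] = 0xc0;                  /* somt=1, eomt=1, seqno=0 */
	buf[2] |= header_crc4(buf, 5);  /* header CRC over the 5 nibbles before it */
	return 3;
}

/* Header decode reduced to what matters here; returns the header length or 0 on
 * rejection. enforce_min_len switches on the CVE-2024-56616 fix. */
static size_t decode_sb_msg_hdr(const u8 *buf, size_t buflen, u8 *msg_len, bool enforce_min_len)
{
	const size_t len = 3;           /* lct=1: no RAD bytes after buf[0] */
	if (buflen < len || buf[0] == 0 || header_crc4(buf, len * 2 - 1) != (buf[len - 1] & 0xf))
		return 0;                    /* truncated, empty, or bad header CRC */
	*msg_len = buf[1] & 0x3f;
	if (enforce_min_len && *msg_len < 1)  /* the fix: the body must hold its own CRC byte */
		return 0;
	return len;
}

/* Body append. Returns the payload length copied into msg[] (chunk minus its trailing
 * data CRC byte), or -1 when curchunk_idx - 1 underflows: that -1 is the chunk[-1]
 * index and the (size_t)-1 memcpy size in the reports above. The copy is skipped for
 * a negative length, so this model never writes out of bounds. */
static long append_payload(struct sb_msg_rx *rx, const u8 *replybuf, u8 replybuflen)
{
	long copy_len;
	if ((size_t)rx->curchunk_idx + replybuflen > sizeof(rx->chunk))
		return -2;                   /* chunk capacity, not this bug */
	memcpy(&rx->chunk[rx->curchunk_idx], replybuf, replybuflen);
	rx->curchunk_idx += replybuflen;
	if (rx->curchunk_idx < rx->curchunk_len)
		return 0;                    /* chunk not complete yet */
	copy_len = (long)rx->curchunk_idx - 1;   /* kernel: curchunk_idx - 1 */
	if (copy_len < 0)
		return -1;
	memcpy(&rx->msg[rx->curlen], rx->chunk, (size_t)copy_len);   /* at most 47 bytes */
	rx->curlen += (u8)copy_len;
	return copy_len;
}

/* Push one constructed reply block (header + body) through the model as the unpatched
 * (patched=false) or fixed kernel would. Returns the payload bytes reassembled,
 * -2 if the header was rejected, -1 on the length underflow. */
static long receive_reply(u8 msg_len, const u8 *body, size_t body_len, bool patched)
{
	u8 block[64];
	struct sb_msg_rx rx = { 0 };
	size_t hdrlen = build_sb_msg_hdr(block, msg_len);
	long rc;
	if (body_len)
		memcpy(block + hdrlen, body, body_len);
	if (!decode_sb_msg_hdr(block, hdrlen + body_len, &rx.curchunk_len, patched))
		return -2;
	rc = append_payload(&rx, block + hdrlen, (u8)(body_len < rx.curchunk_len ? body_len : rx.curchunk_len));
	return rc < 0 ? rc : rx.curlen;
}

/* The CVE scenario: good header CRC, body length 0. */
static long case_zero_length_body(bool patched) { return receive_reply(0, NULL, 0, patched); }

/* A normal reply: 4 payload bytes plus a data CRC byte (constructed, not verified here). */
static long case_five_byte_body(bool patched)
{
	static const u8 body[5] = { 0x01, 0x00, 0x00, 0x00, 0xab };
	return receive_reply(5, body, sizeof body, patched);
}
```

Run through the unpatched path, case_zero_length_body(false) reaches append_payload with curchunk_idx == curchunk_len == 0 and returns -1, the same -1 that UBSAN reports as the chunk index; with the fix enabled the header is rejected before the body is touched, and a well-formed five-byte body still reassembles to four payload bytes either way.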

Conclusion

The patch mentioned above addresses CVE-2024-56616 in the Linux kernel's drm/dp_mst subsystem. As the call traces show, the faulty header is processed in the hotplug IRQ handler (drm_dp_mst_hpd_irq_handle_event), so the trigger is a connected MST branch device, a DisplayPort hub or daisy-chained monitor, that is misbehaving or malicious; no local privileges are involved beyond attaching the device. System administrators and developers should apply the latest kernel updates to prevent potential exploitation of this vulnerability.

Timeline

Published on: 12/27/2024 15:15:21 UTC
Last modified on: 01/20/2025 06:24:13 UTC