| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022621-CVE-2022-49221-353c@gregkh> Date: Wed, 26 Feb 2025 02:57:06 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Kuogee Hsieh <quic_khsieh@...cinc.com> Subject: CVE-2022-49221: drm/msm/dp: populate connector of struct dp_panel Description =========== In the Linux kernel, the following vulnerability has been resolved: drm/msm/dp: populate connector of struct dp_panel DP CTS test case 4.2.2.6 has valid edid with bad checksum on purpose and expect DP source return correct checksum. During drm edid read, correct edid checksum is calculated and stored at connector::real_edid_checksum. The problem is struct dp_panel::connector never be assigned, instead the connector is stored in struct msm_dp::connector. When we run compliance testing test case 4.2.2.6 dp_panel_handle_sink_request() won't have a valid edid set in struct dp_panel::edid so we'll try to use the connectors real_edid_checksum and hit a NULL pointer dereference error because the connector pointer is never assigned. Changes in V2: -- populate panel connector at msm_dp_modeset_init() instead of at dp_panel_read_sink_caps() Changes in V3: -- remove unhelpful kernel crash trace commit text -- remove renaming dp_display parameter to dp Changes in V4: -- add more details to commit text Changes in v10: -- group into one series Changes in v11: -- drop drm/msm/dp: dp_link_parse_sink_count() return immediately if aux read Signee-off-by: Kuogee Hsieh <quic_khsieh@...cinc.com> The Linux kernel CVE team has assigned CVE-2022-49221 to this issue. Affected and fixed versions =========================== Issue introduced in 5.10.67 with commit f86bc4a1a401d3691bad41e67f9db0c2ea94da32 and fixed in 5.10.110 with commit 413c62697b61226a236c8b1f5cd64dcf42bcc12f Issue introduced in 5.15 with commit 7948fe12d47a946fb8025a0534c900e3dd4b5839 and fixed in 5.15.33 with commit 9525b8bcae8b99188990b56484799cf4b1b43786 Issue introduced in 5.15 with commit 7948fe12d47a946fb8025a0534c900e3dd4b5839 and fixed in 5.16.19 with commit fbba600f432a360b42452fee79d1fb35d3aa8aeb Issue introduced in 5.15 with commit 7948fe12d47a946fb8025a0534c900e3dd4b5839 and fixed in 5.17.2 with commit 104074ebc0c3f358dd1ee944fbcde92c6e5a21dd Issue introduced in 5.15 with commit 7948fe12d47a946fb8025a0534c900e3dd4b5839 and fixed in 5.18 with commit 5e602f5156910c7b19661699896cb6e3fb94fab9 Issue introduced in 5.13.19 with commit ab1ccd1e2584b268784518f838f7cc72faec576b Issue introduced in 5.14.6 with commit 08a96864a45b65ee406a344c78dd761b2fd66887 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-49221 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/gpu/drm/msm/dp/dp_display.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/413c62697b61226a236c8b1f5cd64dcf42bcc12f https://git.kernel.org/stable/c/9525b8bcae8b99188990b56484799cf4b1b43786 https://git.kernel.org/stable/c/fbba600f432a360b42452fee79d1fb35d3aa8aeb https://git.kernel.org/stable/c/104074ebc0c3f358dd1ee944fbcde92c6e5a21dd https://git.kernel.org/stable/c/5e602f5156910c7b19661699896cb6e3fb94fab9
Powered by blists - more mailing lists