CVE-2021-47046: Fixing Off by One Vulnerability in the Linux Kernel's drm/amd/display

A recently discovered vulnerability in the Linux kernel, specifically within the drm/amd/display subsystem, has been identified and fixed. The issue, designated as CVE-2021-47046, refers to an off-by-one read overflow in the "hdmi_14_process_transaction()" function. This post will discuss the details of the vulnerability, the fix implemented, and its potential impact on systems utilizing the affected kernel module.

Exploit Details

The vulnerability stems from the "hdcp_i2c_offsets[]" array, which did not have an entry for "HDCP_MESSAGE_ID_WRITE_CONTENT_STREAM_TYPE." This oversight led to an off-by-one read overflow, which happens when a program reads data outside the intended bounds of an array. The missing entry caused data to be accessed from the subsequent memory location, leading to possible data corruption or undefined behavior.

The following code snippet highlights the vulnerable code segment in the "hdmi_14_process_transaction()" function:

static int hdmi_14_process_transaction(struct hdcp_context_transaction *trans)
{
  ...
  switch (trans->msg_id) {
    ...
    case HDCP_MESSAGE_ID_WRITE_CONTENT_STREAM_TYPE:
      msg_offset = hdcp_i2c_offsets[HDCP_MESSAGE_ID_WRITE_CONTENT_STREAM_TYPE - 1];
      break;
    ...
  }
  ...
}

Original References

The vulnerable code can be found in the following source file of the Linux kernel: drivers/gpu/drm/amd/display/dc/hdmi/hdmi_hdcp.c

The code segment where the similar array is correctly populated in the hdcp_ddc.c file can be found here: drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c

Fix Implementation

To resolve the issue, an entry has been added to the "hdcp_i2c_offsets[]" array, and the value x has been copied from the similar code in "drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c." Additionally, to protect against potential future issues, several arrays have been declared as having "HDCP_MESSAGE_ID_MAX" entries.

The following code snippet shows the corrected version of the affected code

static const uint8_t hdcp_i2c_offsets[HDCP_MESSAGE_ID_MAX - 1] = {
  ...
  [HDCP_MESSAGE_ID_WRITE_CONTENT_STREAM_TYPE] = x, // Now added with x value
  ...
};

static int hdmi_14_process_transaction(struct hdcp_context_transaction *trans)
{
  ...
  switch (trans->msg_id) {
    ...
    case HDCP_MESSAGE_ID_WRITE_CONTENT_STREAM_TYPE:
      msg_offset = hdcp_i2c_offsets[HDCP_MESSAGE_ID_WRITE_CONTENT_STREAM_TYPE - 1];
      break;
    ...
  }
  ...
}

Impact and Mitigations

The vulnerability's impact is limited to systems using the affected Linux kernel drm/amd/display module. System administrators and users should keep their kernels up-to-date to ensure that they are protected against both this vulnerability and any other security issues that may be discovered in the future. If possible, implement the fixed code and recompile the kernel module to ensure the vulnerability is resolved.

Conclusion

The Linux kernel's drm/amd/display vulnerability, CVE-2021-47046, has been identified and addressed. The off-by-one read overflow in the "hdmi_14_process_transaction()" function posed a risk to systems using the module, but the appropriate fix has been implemented to mitigate the potential impact. Maintaining an updated kernel and staying aware of similar security flaws are essential steps in ensuring the security and stability of any Linux system.

Timeline

Published on: 02/28/2024 09:15:40 UTC
Last modified on: 12/09/2024 19:02:52 UTC