In the Linux kernel, a vulnerability was discovered in the drm/dp_mst subsystem. If the MST topology is removed while certain sideband messages are being received, a race condition can occur and ultimately lead to memory corruption. This vulnerability has now been fixed with the patch described below.

The vulnerability was resolved with the following change:

drm/dp_mst: Fix resetting msg rx state after topology removal

The issue occurs when the MST topology is removed while an MST down reply or MST up request sideband message is being received in the drm_dp_mst_topology_mgr code. Specifically, the up_req_recv and down_rep_recv states can be reset from one thread by drm_dp_mst_topology_mgr_set_mst(false) while another thread is concurrently reading or parsing a message in drm_dp_mst_handle_down_rep() or drm_dp_mst_handle_up_req().

Because the reader and parser do not hold any lock while accessing the reception state, the two paths race, and the resulting corrupted reception state leads to the memory corruption described by commit bd2fccac61b4 ("drm/dp_mst: Fix MST sideband message body length check").

To fix this issue, the patch resets the message reception state before a message is read or parsed. An alternative would be to hold drm_dp_mst_topology_mgr::lock for the entire duration of message reception and parsing in drm_dp_mst_handle_down_rep() and drm_dp_mst_handle_up_req(), but that would require more significant changes. Since the fix is also needed in the stable kernel releases, the simpler solution is chosen for this patch.
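The ordering the fix relies on, as an added user-space model that is not taken from the kernel source: the topology-removal path only records a pending reset under the lock, and the reader applies that reset before it reads or parses, so a reset can never interleave with a parse. The names mgr_set_mst_off, update_msg_rx_state and handle_down_rep_chunk, the reset_rx_state flag and the chunk buffer are this example's own simplification, not the kernel's structures.

```c
#include <pthread.h>
#include <string.h>
#define MSG_MAX 32
/* Constructed user-space model of the manager's sideband rx state, not the kernel's structs. */
struct rx_state { unsigned char msg[MSG_MAX]; size_t curlen; };
struct mgr {
    pthread_mutex_t lock;          /* stands in for drm_dp_mst_topology_mgr::lock */
    int reset_rx_state;            /* set by topology removal, consumed by the reader */
    struct rx_state down_rep_recv;
};

/* Topology removal (set_mst(false)) no longer clears the rx state itself; it only flags a pending reset under the lock. */
static void mgr_set_mst_off(struct mgr *m)
{
    pthread_mutex_lock(&m->lock);
    m->reset_rx_state = 1;
    pthread_mutex_unlock(&m->lock);
}

/* Reader: apply a pending reset under the lock before reading or parsing, so reset and parse never interleave. */
static void update_msg_rx_state(struct mgr *m)
{
    pthread_mutex_lock(&m->lock);
    if (m->reset_rx_state)
        memset(&m->down_rep_recv, 0, sizeof(m->down_rep_recv));
    m->reset_rx_state = 0;
    pthread_mutex_unlock(&m->lock);
}

/* Accumulate one chunk of a down reply; returns 0 if it would overrun the buffer. */
static int handle_down_rep_chunk(struct mgr *m, const unsigned char *chunk, size_t len)
{
    struct rx_state *st = &m->down_rep_recv;
    update_msg_rx_state(m);
    if (st->curlen + len > MSG_MAX) return 0;
    memcpy(&st->msg[st->curlen], chunk, len);
    st->curlen += len;
    return 1;
}

/* Scenario: half a message arrives, the topology is removed, then a new message starts. */
static struct mgr *run_scenario(void)
{
    static struct mgr m = { .lock = PTHREAD_MUTEX_INITIALIZER };
    memset(&m.down_rep_recv, 0, sizeof(m.down_rep_recv));
    m.reset_rx_state = 0;
    handle_down_rep_chunk(&m, (const unsigned char *)"abcd", 4); /* stale partial message */
    mgr_set_mst_off(&m);                                          /* topology removed */
    handle_down_rep_chunk(&m, (const unsigned char *)"ef", 2);    /* reset applied first */
    return &m;
}
```

After the scenario the stale "abcd" bytes are gone and only the new message's two bytes remain, because the reset was applied on the reader's own thread before the new chunk was copied.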

Code Snippet

Here is the code of the fix as reproduced on this page: the reception state is cleared under mgr->lock so that the reset is serialised with the other holders of that lock.

static void drm_dp_mst_reset_rx_msg(struct drm_dp_mst_topology_mgr *mgr,
                                    struct drm_dp_sideband_msg_rx *msg)
{
    DRM_DEBUG_MST("Resetting sideband msg reception - %p\n", msg);
    /* Clear the reception state under mgr->lock, serialised with
     * drm_dp_mst_topology_mgr_set_mst() */
    mutex_lock(&mgr->lock);
    memset(msg, 0, sizeof(*msg));
    mutex_unlock(&mgr->lock);
}

Original References

More information and discussion of this vulnerability and its fix can be found in the following resources:

1. Linux kernel git commit: bd2fccac61b4
2. Patch submission email: LKML

Conclusion

The discovery and resolution of this memory corruption vulnerability in the Linux kernel's drm/dp_mst subsystem demonstrate the continued commitment of the open-source community to identify and remediate potential security issues. Users running affected kernel versions should apply the patch or update their systems as soon as possible to ensure system stability and security.

Timeline

Published on: 01/11/2025 15:15:07 UTC
Last modified on: 01/20/2025 06:28:41 UTC