cve/published/2022/CVE-2022-49221.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49221: drm/msm/dp: populate connector of struct dp_panel

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 drm/msm/dp: populate connector of struct dp_panel

 DP CTS test case 4.2.2.6 has valid edid with bad checksum on purpose
 and expect DP source return correct checksum. During drm edid read,
 correct edid checksum is calculated and stored at
 connector::real_edid_checksum.

 The problem is struct dp_panel::connector never be assigned, instead the
 connector is stored in struct msm_dp::connector. When we run compliance
 testing test case 4.2.2.6 dp_panel_handle_sink_request() won't have a valid
 edid set in struct dp_panel::edid so we'll try to use the connectors
 real_edid_checksum and hit a NULL pointer dereference error because the
 connector pointer is never assigned.

 Changes in V2:
 -- populate panel connector at msm_dp_modeset_init() instead of at dp_panel_read_sink_caps()

 Changes in V3:
 -- remove unhelpful kernel crash trace commit text
 -- remove renaming dp_display parameter to dp

 Changes in V4:
 -- add more details to commit text

 Changes in v10:
 --  group into one series

 Changes in v11:
 -- drop drm/msm/dp: dp_link_parse_sink_count() return immediately if aux read

 Signee-off-by: Kuogee Hsieh <quic_khsieh@quicinc.com>

 The Linux kernel CVE team has assigned CVE-2022-49221 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.10.67 with commit f86bc4a1a401d3691bad41e67f9db0c2ea94da32 and fixed in 5.10.110 with commit 413c62697b61226a236c8b1f5cd64dcf42bcc12f
 	Issue introduced in 5.15 with commit 7948fe12d47a946fb8025a0534c900e3dd4b5839 and fixed in 5.15.33 with commit 9525b8bcae8b99188990b56484799cf4b1b43786
 	Issue introduced in 5.15 with commit 7948fe12d47a946fb8025a0534c900e3dd4b5839 and fixed in 5.16.19 with commit fbba600f432a360b42452fee79d1fb35d3aa8aeb
 	Issue introduced in 5.15 with commit 7948fe12d47a946fb8025a0534c900e3dd4b5839 and fixed in 5.17.2 with commit 104074ebc0c3f358dd1ee944fbcde92c6e5a21dd
 	Issue introduced in 5.15 with commit 7948fe12d47a946fb8025a0534c900e3dd4b5839 and fixed in 5.18 with commit 5e602f5156910c7b19661699896cb6e3fb94fab9
 	Issue introduced in 5.13.19 with commit ab1ccd1e2584b268784518f838f7cc72faec576b
 	Issue introduced in 5.14.6 with commit 08a96864a45b65ee406a344c78dd761b2fd66887

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49221
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/gpu/drm/msm/dp/dp_display.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/413c62697b61226a236c8b1f5cd64dcf42bcc12f
 	https://git.kernel.org/stable/c/9525b8bcae8b99188990b56484799cf4b1b43786
 	https://git.kernel.org/stable/c/fbba600f432a360b42452fee79d1fb35d3aa8aeb
 	https://git.kernel.org/stable/c/104074ebc0c3f358dd1ee944fbcde92c6e5a21dd
 	https://git.kernel.org/stable/c/5e602f5156910c7b19661699896cb6e3fb94fab9
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49221: drm/msm/dp: populate connector of struct dp_panel

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	drm/msm/dp: populate connector of struct dp_panel

	DP CTS test case 4.2.2.6 has valid edid with bad checksum on purpose
	and expect DP source return correct checksum. During drm edid read,
	correct edid checksum is calculated and stored at
	connector::real_edid_checksum.

	The problem is struct dp_panel::connector never be assigned, instead the
	connector is stored in struct msm_dp::connector. When we run compliance
	testing test case 4.2.2.6 dp_panel_handle_sink_request() won't have a valid
	edid set in struct dp_panel::edid so we'll try to use the connectors
	real_edid_checksum and hit a NULL pointer dereference error because the
	connector pointer is never assigned.

	Changes in V2:
	-- populate panel connector at msm_dp_modeset_init() instead of at dp_panel_read_sink_caps()

	Changes in V3:
	-- remove unhelpful kernel crash trace commit text
	-- remove renaming dp_display parameter to dp

	Changes in V4:
	-- add more details to commit text

	Changes in v10:
	-- group into one series

	Changes in v11:
	-- drop drm/msm/dp: dp_link_parse_sink_count() return immediately if aux read

	Signee-off-by: Kuogee Hsieh <quic_khsieh@quicinc.com>

	The Linux kernel CVE team has assigned CVE-2022-49221 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.10.67 with commit f86bc4a1a401d3691bad41e67f9db0c2ea94da32 and fixed in 5.10.110 with commit 413c62697b61226a236c8b1f5cd64dcf42bcc12f
	Issue introduced in 5.15 with commit 7948fe12d47a946fb8025a0534c900e3dd4b5839 and fixed in 5.15.33 with commit 9525b8bcae8b99188990b56484799cf4b1b43786
	Issue introduced in 5.15 with commit 7948fe12d47a946fb8025a0534c900e3dd4b5839 and fixed in 5.16.19 with commit fbba600f432a360b42452fee79d1fb35d3aa8aeb
	Issue introduced in 5.15 with commit 7948fe12d47a946fb8025a0534c900e3dd4b5839 and fixed in 5.17.2 with commit 104074ebc0c3f358dd1ee944fbcde92c6e5a21dd
	Issue introduced in 5.15 with commit 7948fe12d47a946fb8025a0534c900e3dd4b5839 and fixed in 5.18 with commit 5e602f5156910c7b19661699896cb6e3fb94fab9
	Issue introduced in 5.13.19 with commit ab1ccd1e2584b268784518f838f7cc72faec576b
	Issue introduced in 5.14.6 with commit 08a96864a45b65ee406a344c78dd761b2fd66887

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49221
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/gpu/drm/msm/dp/dp_display.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/413c62697b61226a236c8b1f5cd64dcf42bcc12f
	https://git.kernel.org/stable/c/9525b8bcae8b99188990b56484799cf4b1b43786
	https://git.kernel.org/stable/c/fbba600f432a360b42452fee79d1fb35d3aa8aeb
	https://git.kernel.org/stable/c/104074ebc0c3f358dd1ee944fbcde92c6e5a21dd
	https://git.kernel.org/stable/c/5e602f5156910c7b19661699896cb6e3fb94fab9