Patch "drm/dp_mst: Fix MST sideband message body length check" has been added to the 5.15-stable tree

[Sasha Levin <sashal@xxxxxxxxxx>]

This is a note to let you know that I've just added the patch titled

    drm/dp_mst: Fix MST sideband message body length check

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     drm-dp_mst-fix-mst-sideband-message-body-length-chec.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit afdb2d8553cdfbfd9048a07e8a021722423334ec
Author: Imre Deak <imre.deak@xxxxxxxxx>
Date:   Mon Nov 25 22:53:14 2024 +0200

    drm/dp_mst: Fix MST sideband message body length check
    
    [ Upstream commit bd2fccac61b40eaf08d9546acc9fef958bfe4763 ]
    
    Fix the MST sideband message body length check, which must be at least 1
    byte accounting for the message body CRC (aka message data CRC) at the
    end of the message.
    
    This fixes a case where an MST branch device returns a header with a
    correct header CRC (indicating a correctly received body length), with
    the body length being incorrectly set to 0. This will later lead to a
    memory corruption in drm_dp_sideband_append_payload() and the following
    errors in dmesg:
    
       UBSAN: array-index-out-of-bounds in drivers/gpu/drm/display/drm_dp_mst_topology.c:786:25
       index -1 is out of range for type 'u8 [48]'
       Call Trace:
        drm_dp_sideband_append_payload+0x33d/0x350 [drm_display_helper]
        drm_dp_get_one_sb_msg+0x3ce/0x5f0 [drm_display_helper]
        drm_dp_mst_hpd_irq_handle_event+0xc8/0x1580 [drm_display_helper]
    
       memcpy: detected field-spanning write (size 18446744073709551615) of single field "&msg->msg[msg->curlen]" at drivers/gpu/drm/display/drm_dp_mst_topology.c:791 (size 256)
       Call Trace:
        drm_dp_sideband_append_payload+0x324/0x350 [drm_display_helper]
        drm_dp_get_one_sb_msg+0x3ce/0x5f0 [drm_display_helper]
        drm_dp_mst_hpd_irq_handle_event+0xc8/0x1580 [drm_display_helper]
    
    Cc: <stable@xxxxxxxxxxxxxxx>
    Cc: Lyude Paul <lyude@xxxxxxxxxx>
    Reviewed-by: Lyude Paul <lyude@xxxxxxxxxx>
    Signed-off-by: Imre Deak <imre.deak@xxxxxxxxx>
    Link: https://patchwork.freedesktop.org/patch/msgid/20241125205314.1725887-1-imre.deak@xxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c
index f24667a003a2..f72b4ff169a8 100644
--- a/drivers/gpu/drm/drm_dp_mst_topology.c
+++ b/drivers/gpu/drm/drm_dp_mst_topology.c
@@ -319,6 +319,9 @@ static bool drm_dp_decode_sideband_msg_hdr(const struct drm_dp_mst_topology_mgr
 	hdr->broadcast = (buf[idx] >> 7) & 0x1;
 	hdr->path_msg = (buf[idx] >> 6) & 0x1;
 	hdr->msg_len = buf[idx] & 0x3f;
+	if (hdr->msg_len < 1)		/* min space for body CRC */
+		return false;
+
 	idx++;
 	hdr->somt = (buf[idx] >> 7) & 0x1;
 	hdr->eomt = (buf[idx] >> 6) & 0x1;