CVE-2024-56608

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix out-of-bounds access in 'dcn21linkencoder_create'

An issue was identified in the dcn21linkencodercreate function where an out-of-bounds access could occur when the hpdsource index was used to reference the linkenchpd_regs array. This array has a fixed size and the index was not being checked against the array's bounds before accessing it.

This fix adds a conditional check to ensure that the hpdsource index is within the valid range of the linkenchpdregs array. If the index is out of bounds, the function now returns NULL to prevent undefined behavior.

References:

[ 65.920507] ------------[ cut here ]------------ [ 65.920510] UBSAN: array-index-out-of-bounds in drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn21/dcn21resource.c:1312:29 [ 65.920519] index 7 is out of range for type 'dcn10linkenchpdregisters [5]' [ 65.920523] CPU: 3 PID: 1178 Comm: modprobe Tainted: G OE 6.8.0-cleanershaderfeatureresetasdntipmi200nv2132 #13 [ 65.920525] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS WMJ0429NWeekly20042 04/29/2020 [ 65.920527] Call Trace: [ 65.920529] <TASK> [ 65.920532] dumpstacklvl+0x48/0x70 [ 65.920541] dumpstack+0x10/0x20 [ 65.920543] __ubsanhandleoutofbounds+0xa2/0xe0 [ 65.920549] dcn21linkencodercreate+0xd9/0x140 [amdgpu] [ 65.921009] linkcreate+0x6d3/0xed0 [amdgpu] [ 65.921355] createlinks+0x18a/0x4e0 [amdgpu] [ 65.921679] dccreate+0x360/0x720 [amdgpu] [ 65.921999] ? dmimatches+0xa0/0x220 [ 65.922004] amdgpudminit+0x2b6/0x2c90 [amdgpu] [ 65.922342] ? consoleunlock+0x77/0x120 [ 65.922348] ? devprintkemit+0x86/0xb0 [ 65.922354] dmhwinit+0x15/0x40 [amdgpu] [ 65.922686] amdgpudeviceinit+0x26a8/0x33a0 [amdgpu] [ 65.922921] amdgpudriverloadkms+0x1b/0xa0 [amdgpu] [ 65.923087] amdgpupciprobe+0x1b7/0x630 [amdgpu] [ 65.923087] localpciprobe+0x4b/0xb0 [ 65.923087] pcideviceprobe+0xc8/0x280 [ 65.923087] reallyprobe+0x187/0x300 [ 65.923087] __driverprobedevice+0x85/0x130 [ 65.923087] driverprobedevice+0x24/0x110 [ 65.923087] __driverattach+0xac/0x1d0 [ 65.923087] ? pfxdriverattach+0x10/0x10 [ 65.923087] busforeachdev+0x7d/0xd0 [ 65.923087] driverattach+0x1e/0x30 [ 65.923087] busadddriver+0xf2/0x200 [ 65.923087] driverregister+0x64/0x130 [ 65.923087] ? __pfxamdgpuinit+0x10/0x10 [amdgpu] [ 65.923087] __pciregisterdriver+0x61/0x70 [ 65.923087] amdgpuinit+0x7d/0xff0 [amdgpu] [ 65.923087] doone_initcall+0x49/0x310 [ 65.923087] ? kmalloctrace+0x136/0x360 [ 65.923087] doinitmodule+0x6a/0x270 [ 65.923087] loadmodule+0x1fce/0x23a0 [ 65.923087] initmodulefromfile+0x9c/0xe0 [ 65.923087] ? initmodulefromfile+0x9c/0xe0 [ 65.923087] idempotentinitmodule+0x179/0x230 [ 65.923087] __x64sysfinitmodule+0x5d/0xa0 [ 65.923087] dosyscall64+0x76/0x120 [ 65.923087] entrySYSCALL64afterhwframe+0x6e/0x76 [ 65.923087] RIP: 0033:0x7f2d80f1e88d [ 65.923087] Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 b5 0f 00 f7 d8 64 89 01 48 [ 65.923087] RSP: 002b:00007ffc7bc1aa78 EFLAGS: 00000246 ORIGRAX: 0000000000000139 [ 65.923087] RAX: ffffffffffffffda RBX: 0000564c9c1db130 RCX: 00007f2d80f1e88d [ 65.923087] RDX: 0000000000000000 RSI: 0000564c9c1e5480 RDI: 000000000000000f [ 65.923087] RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000002 [ 65.923087] R10: 000000000000000f R11: 0000000000000246 R12: 0000564c9c1e5480 [ 65.923087] R13: 0000564c9c1db260 R14: 0000000000000000 R15: 0000564c9c1e54b0 [ 65.923087] </TASK> [ 65.923927] ---[ end trace ]---