CVE-2025-37903

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-37903
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-37903.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-37903
Downstream
Related
Published
2025-05-20T16:15:26Z
Modified
2025-08-13T00:00:21Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix slab-use-after-free in hdcp

The HDCP code in amdgpudmhdcp.c copies pointers to amdgpudmconnector objects without incrementing the kref reference counts. When using a USB-C dock, and the dock is unplugged, the corresponding amdgpudmconnector objects are freed, creating dangling pointers in the HDCP code. When the dock is plugged back, the dangling pointers are dereferenced, resulting in a slab-use-after-free:

[ 66.775837] BUG: KASAN: slab-use-after-free in eventpropertyvalidate+0x42f/0x6c0 [amdgpu] [ 66.776171] Read of size 4 at addr ffff888127804120 by task kworker/0:1/10

[ 66.776179] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.14.0-rc7-00180-g54505f727a38-dirty #233 [ 66.776183] Hardware name: HP HP Pavilion Aero Laptop 13-be0xxx/8916, BIOS F.17 12/18/2024 [ 66.776186] Workqueue: events eventpropertyvalidate [amdgpu] [ 66.776494] Call Trace: [ 66.776496] <TASK> [ 66.776497] dumpstacklvl+0x70/0xa0 [ 66.776504] printreport+0x175/0x555 [ 66.776507] ? _virtaddrvalid+0x243/0x450 [ 66.776510] ? kasancompletemodereportinfo+0x66/0x1c0 [ 66.776515] kasanreport+0xeb/0x1c0 [ 66.776518] ? eventpropertyvalidate+0x42f/0x6c0 [amdgpu] [ 66.776819] ? eventpropertyvalidate+0x42f/0x6c0 [amdgpu] [ 66.777121] _asanreportload4noabort+0x14/0x20 [ 66.777124] eventpropertyvalidate+0x42f/0x6c0 [amdgpu] [ 66.777342] ? _lockacquire+0x6b40/0x6b40 [ 66.777347] ? enableassr+0x250/0x250 [amdgpu] [ 66.777571] processonework+0x86b/0x1510 [ 66.777575] ? pwqdecnrinflight+0xcf0/0xcf0 [ 66.777578] ? assignwork+0x16b/0x280 [ 66.777580] ? lockisheldtype+0xa3/0x130 [ 66.777583] workerthread+0x5c0/0xfa0 [ 66.777587] ? processonework+0x1510/0x1510 [ 66.777588] kthread+0x3a2/0x840 [ 66.777591] ? kthreadispercpu+0xd0/0xd0 [ 66.777594] ? tracehardirqson+0x4f/0x60 [ 66.777597] ? rawspinunlockirq+0x27/0x60 [ 66.777599] ? calculatesigpending+0x77/0xa0 [ 66.777602] ? kthreadispercpu+0xd0/0xd0 [ 66.777605] retfromfork+0x40/0x90 [ 66.777607] ? kthreadispercpu+0xd0/0xd0 [ 66.777609] retfromforkasm+0x11/0x20 [ 66.777614] </TASK>

[ 66.777643] Allocated by task 10: [ 66.777646] kasansavestack+0x39/0x60 [ 66.777649] kasansavetrack+0x14/0x40 [ 66.777652] kasansaveallocinfo+0x37/0x50 [ 66.777655] _kasankmalloc+0xbb/0xc0 [ 66.777658] _kmalloccachenoprof+0x1c8/0x4b0 [ 66.777661] dmdpaddmstconnector+0xdd/0x5c0 [amdgpu] [ 66.777880] drmdpmstportaddconnector+0x47e/0x770 [drmdisplayhelper] [ 66.777892] drmdpsendlinkaddress+0x1554/0x2bf0 [drmdisplayhelper] [ 66.777901] drmdpcheckandsendlinkaddress+0x187/0x1f0 [drmdisplayhelper] [ 66.777909] drmdpmstlinkprobework+0x2b8/0x410 [drmdisplayhelper] [ 66.777917] processonework+0x86b/0x1510 [ 66.777919] workerthread+0x5c0/0xfa0 [ 66.777922] kthread+0x3a2/0x840 [ 66.777925] retfromfork+0x40/0x90 [ 66.777927] retfromforkasm+0x11/0x20

[ 66.777932] Freed by task 1713: [ 66.777935] kasansavestack+0x39/0x60 [ 66.777938] kasansavetrack+0x14/0x40 [ 66.777940] kasansavefreeinfo+0x3b/0x60 [ 66.777944] _kasanslabfree+0x52/0x70 [ 66.777946] kfree+0x13f/0x4b0 [ 66.777949] dmdpmstconnectordestroy+0xfa/0x150 [amdgpu] [ 66.778179] drmconnectorfree+0x7d/0xb0 [ 66.778184] drmmodeobjectput.part.0+0xee/0x160 [ 66.778188] drmmodeobjectput+0x37/0x50 [ 66.778191] drmatomicstatedefaultclear+0x220/0xd60 [ 66.778194] _drmatomicstatefree+0x16e/0x2a0 [ 66.778197] drmmodeatomicioctl+0x15ed/0x2ba0 [ 66.778200] drmioctlkernel+0x17a/0x310 [ 66.778203] drmioctl+0x584/0xd10 [ 66.778206] amdgpudrmioctl+0xd2/0x1c0 [amdgpu] [ 66.778375] _x64sysioctl+0x139/0x1a0 [ 66.778378] x64sys_call+0xee7/0xfb0 [ 66.778381] ---truncated---

References

Affected packages