From: Greg Kroah-Hartman
Date: Mon, 15 Jun 2026 16:14:23 +0000 (+0200)
Subject: 5.10-stable patches
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f1dd82198fae9ac97acec96e12bdc229dd242171;p=thirdparty%2Fkernel%2Fstable-queue.git
5.10-stable patches added patches: drm-amd-display-clamp-hdmi-hdcp2-rx_id_list-read-to-buffer-size.patch drm-amd-display-fix-null-deref-and-buffer-over-read-in-sdp-debugfs.patch
---
diff --git a/queue-5.10/drm-amd-display-clamp-hdmi-hdcp2-rx_id_list-read-to-buffer-size.patch b/queue-5.10/drm-amd-display-clamp-hdmi-hdcp2-rx_id_list-read-to-buffer-size.patch
new file mode 100644
index 0000000000..4ba247d16f
--- /dev/null
+++ b/queue-5.10/drm-amd-display-clamp-hdmi-hdcp2-rx_id_list-read-to-buffer-size.patch
@@ -0,0 +1,47 @@
+From f0f3981c43b32cadfe373d636d9e9ca522bb3702 Mon Sep 17 00:00:00 2001
+From: Harry Wentland
+Date: Thu, 7 May 2026 15:38:37 -0400
+Subject: drm/amd/display: Clamp HDMI HDCP2 rx_id_list read to buffer size
+
+From: Harry Wentland
+
+commit f0f3981c43b32cadfe373d636d9e9ca522bb3702 upstream.
+
+[Why & How]
+During HDCP 2.x repeater authentication over HDMI, the driver reads the
+sink's RxStatus register and extracts a 10-bit message size field (max
+value 1023). This value is used as the read length for the ReceiverID
+list without being clamped to the size of the destination buffer
+rx_id_list[177]. A malicious HDMI repeater could advertise a message
+size larger than the buffer, causing an out-of-bounds write during the
+I2C read.
+
+Clamp the read length in mod_hdcp_read_rx_id_list() to the size of the
+rx_id_list buffer, matching the approach already used in the DP branch.
+
+Fixes: eff682f83c9c ("drm/amd/display: Add DDC handles for HDCP2.2")
+Assisted-by: Copilot:claude-opus-4.6
+Reviewed-by: Alex Hung
+Signed-off-by: Harry Wentland
+Signed-off-by: Ray Wu
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+(cherry picked from commit 229212219e4247d9486f8ba41ef087358490be09)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c
++++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c
+@@ -533,7 +533,8 @@ enum mod_hdcp_status mod_hdcp_read_rx_id
+ } else {
+ status = read(hdcp, MOD_HDCP_MESSAGE_ID_READ_REPEATER_AUTH_SEND_RECEIVERID_LIST,
+ hdcp->auth.msg.hdcp2.rx_id_list,
+- hdcp->auth.msg.hdcp2.rx_id_list_size);
++ MIN(hdcp->auth.msg.hdcp2.rx_id_list_size,
++ sizeof(hdcp->auth.msg.hdcp2.rx_id_list)));
+ }
+ return status;
+ }
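Review bot: The clamp is applied only to the length argument of `read()` in the HDMI branch, so `hdcp->auth.msg.hdcp2.rx_id_list_size` itself keeps the value taken from RxStatus, which the commit message says can reach 1023 against a 177-byte buffer. Any later use of that field as a copy or parse length would still run past `rx_id_list`; no such use is visible in this hunk, so this needs checking against the rest of the HDCP2 code in the 5.10 tree. Bounding the stored field before the read, `hdcp->auth.msg.hdcp2.rx_id_list_size = MIN(hdcp->auth.msg.hdcp2.rx_id_list_size, sizeof(hdcp->auth.msg.hdcp2.rx_id_list));`, would cover those users as well, and treating an oversized advertisement as an authentication failure would be easier to spot in logs than a silently truncated list. mod_hdcp_read_rx_id_list() starts outside the hunk.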
diff --git a/queue-5.10/drm-amd-display-fix-null-deref-and-buffer-over-read-in-sdp-debugfs.patch b/queue-5.10/drm-amd-display-fix-null-deref-and-buffer-over-read-in-sdp-debugfs.patch
new file mode 100644
index 0000000000..c31edd69a4
--- /dev/null
+++ b/queue-5.10/drm-amd-display-fix-null-deref-and-buffer-over-read-in-sdp-debugfs.patch
@@ -0,0 +1,53 @@
+From adf67034b1f61f7119295208085bfd43f85f56af Mon Sep 17 00:00:00 2001
+From: Harry Wentland
+Date: Mon, 11 May 2026 16:46:25 -0400
+Subject: drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs
+
+From: Harry Wentland
+
+commit adf67034b1f61f7119295208085bfd43f85f56af upstream.
+
+[Why & How]
+dp_sdp_message_debugfs_write() dereferences connector->base.state->crtc
+without checking for NULL. A connector can be connected but not bound to
+any CRTC (e.g. after hot-plug before the next atomic commit), causing a
+kernel crash when writing to the sdp_message debugfs node.
+
+The function also ignores the user-provided size argument and always
+passes 36 bytes to copy_from_user(), reading past the user buffer when
+size < 36.
+
+Fix both issues by:
+- Returning -ENODEV when connector->base.state or state->crtc is NULL
+- Clamping write_size to min(size, sizeof(data))
+
+Fixes: c7ba3653e977 ("drm/amd/display: Generic SDP message access in amdgpu")
+Assisted-by: Copilot:claude-opus-4.6
+Reviewed-by: Alex Hung
+Signed-off-by: Harry Wentland
+Signed-off-by: Ray Wu
+Tested-by: Daniel Wheeler
+Signed-off-by: Alex Deucher
+(cherry picked from commit 6ab4c36a522842ff70474a1c0af2e40e50fc8300)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+@@ -895,8 +895,13 @@ static ssize_t dp_sdp_message_debugfs_wr
+ if (size == 0)
+ return 0;
+
++ if (!connector->base.state || !connector->base.state->crtc)
++ return -ENODEV;
++
+ acrtc_state = to_dm_crtc_state(connector->base.state->crtc->state);
+
++ write_size = min_t(size_t, size, sizeof(data));
++
+ r = copy_from_user(data, buf, write_size);
+
+ write_size -= r;
diff --git a/queue-5.10/series b/queue-5.10/series
index 702120dc90..d086829c0f 100644
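Review bot: After the added `min_t()` clamp, a write shorter than `sizeof(data)` fills only the first `write_size` bytes of `data`, and nothing in the hunk initialises the rest. The declaration of `data` and the code that consumes it are outside the hunk, so this is to be confirmed: if the buffer is an uninitialised stack array and the SDP sender reads the whole packet, the tail would carry stale kernel stack bytes out to the sink. A `memset(data, 0, sizeof(data));` before `copy_from_user()` removes the question. Separately, `r` is the count of bytes that could not be copied and is only subtracted from `write_size`; returning `-EFAULT` when `r` is non-zero would match the usual convention for debugfs write handlers.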
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -208,3 +208,5 @@ thunderbolt-reject-zero-length-property-entries-in-validator.patch
 thunderbolt-bound-root-directory-content-to-block-size.patch
 thunderbolt-clamp-xdomain-response-data-copy-to-allocation-size.patch
 thunderbolt-limit-xdomain-response-copy-to-actual-frame-size.patch
+drm-amd-display-clamp-hdmi-hdcp2-rx_id_list-read-to-buffer-size.patch
+drm-amd-display-fix-null-deref-and-buffer-over-read-in-sdp-debugfs.patch