git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Harry Wentland <harry.wentland@amd.com>
	Thu, 7 May 2026 20:26:31 +0000 (16:26 -0400)
committer	Alex Deucher <alexander.deucher@amd.com>
	Tue, 19 May 2026 16:13:56 +0000 (12:13 -0400)
commit	6c92f6d9600efa3ef0d9e560a2b52776d9803c29
tree	bd38d029a944075b28c0aa92517b25ef960d3e7f	tree \| snapshot
parent	86d2b20644b11d21fe52c596e6e922b4590a3e3f	commit \| diff

drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async

[Why&How]
dc_process_dmub_aux_transfer_async() copies payload->length bytes into a
16-byte stack buffer (dpaux.data[16]) guarded only by an ASSERT(), which
is a no-op in release builds. If a caller ever passes length > 16 this
results in a stack buffer overflow via memcpy.

Additionally, link_index is used to dereference dc->links[] without
bounds checking against dc->link_count, risking an out-of-bounds access.

Replace the ASSERT with a hard runtime check that returns false when
payload->length exceeds the destination buffer size, and add a bounds
check for link_index before it is used.

Assisted-by: GitHub Copilot:Claude claude-4-opus
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ivan Lipski <ivan.lipski@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit ba4caa9fecdf7a38f98c878ad05a8a64148b6881)
Cc: stable@vger.kernel.org