drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transf...

[Why&How]
dc_process_dmub_aux_transfer_async() copies payload->length bytes into a
16-byte stack buffer (dpaux.data[16]) guarded only by an ASSERT(), which
is a no-op in release builds. If a caller ever passes length > 16 this
results in a stack buffer overflow via memcpy.

Additionally, link_index is used to dereference dc->links[] without
bounds checking against dc->link_count, risking an out-of-bounds access.

Replace the ASSERT with a hard runtime check that returns false when
payload->length exceeds the destination buffer size, and add a bounds
check for link_index before it is used.

Assisted-by: GitHub Copilot:Claude claude-4-opus
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ivan Lipski <ivan.lipski@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit ba4caa9fecdf7a38f98c878ad05a8a64148b6881)
Cc: stable@vger.kernel.org

diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c
index 419f894c87b03ad1c56d7c8cbd2098c0d4c3fc6c..b3530fbf32f7fe07482e819b9d9f4d0be681328d 100644 (file)
--- a/drivers/gpu/drm/amd/display/dc/core/dc.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
@@ -6071,7 +6071,11 @@ bool dc_process_dmub_aux_transfer_async(struct dc *dc,
        uint8_t action;
        union dmub_rb_cmd cmd = {0};
 
-       ASSERT(payload->length <= 16);
+       if (link_index >= dc->link_count || !dc->links[link_index])
+               return false;
+
+       if (payload->length > sizeof(cmd.dp_aux_access.aux_control.dpaux.data))
+               return false;
 
        cmd.dp_aux_access.header.type = DMUB_CMD__DP_AUX_ACCESS;
        cmd.dp_aux_access.header.payload_bytes = 0;