CVE-2024-26721

drm/i915/dsc: Fix the macro that calculates DSCC_/DSCA_ PPS reg address

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

drm/i915/dsc: Fix the macro that calculates DSCC_/DSCA_ PPS reg address

Commit bd077259d0a9 ("drm/i915/vdsc: Add function to read any PPS
register") defines a new macro to calculate the DSC PPS register
addresses with PPS number as an input. This macro correctly calculates
the addresses till PPS 11 since the addresses increment by 4. So in that
case the following macro works correctly to give correct register
address:

_MMIO(_DSCA_PPS_0 + (pps) * 4)

However after PPS 11, the register address for PPS 12 increments by 12
because of RC Buffer memory allocation in between. Because of this
discontinuity in the address space, the macro calculates wrong addresses
for PPS 12 - 16 resulting into incorrect DSC PPS parameter value
read/writes causing DSC corruption.

This fixes it by correcting this macro to add the offset of 12 for PPS
>=12.

v3: Add correct paranthesis for pps argument (Jani Nikula)

(cherry picked from commit 6074be620c31dc2ae11af96a1a5ea95580976fb5)

En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: drm/i915/dsc: corrige la macro que calcula la dirección de registro DSCC_/DSCA_ PPS Commit bd077259d0a9 ("drm/i915/vdsc: Agregar función para leer cualquier registro PPS") define un Nueva macro para calcular las direcciones de registro DSC PPS con el número PPS como entrada. Esta macro calcula correctamente las direcciones hasta PPS 11 ya que las direcciones se incrementan en 4. Entonces, en ese caso, la siguiente macro funciona correctamente para proporcionar la dirección de registro correcta: _MMIO(_DSCA_PPS_0 + (pps) * 4) Sin embargo, después de PPS 11, la dirección de registro para PPS 12 se incrementa en 12 debido a la asignación de memoria del búfer RC en el medio. Debido a esta discontinuidad en el espacio de direcciones, la macro calcula direcciones incorrectas para PPS 12 - 16, lo que genera lecturas/escrituras incorrectas del valor del parámetro PPS de DSC, lo que provoca corrupción de DSC. Esto se soluciona corrigiendo esta macro para agregar el desplazamiento de 12 para PPS >=12. v3: agregue paréntesis correcto para el argumento pps (Jani Nikula) (seleccionado del commit 6074be620c31dc2ae11af96a1a5ea95580976fb5)

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-04-03 CVE Published
2024-04-04 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (3)

URL	Tag	Source
https://git.kernel.org/stable/c/bd077259d0a9c9bf453e7e9751bf41f1996e6585	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/ff5999fb03f467e1e7159f0ddb199c787f7512b9	2024-02-23
https://git.kernel.org/stable/c/962ac2dce56bb3aad1f82a4bbe3ada57a020287c	2024-02-12

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.7 < 6.7.6 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.7 < 6.7.6"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.7 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.7 < 6.8"		en		Affected