CVE-2024-57876
drm/dp_mst: Fix resetting msg rx state after topology removal
Public Exploits: 0
Exploited in Wild: -
Descriptions
In the Linux kernel, the following vulnerability has been resolved:

drm/dp_mst: Fix resetting msg rx state after topology removal

If the MST topology is removed during the reception of an MST down reply
or MST up request sideband message, the
drm_dp_mst_topology_mgr::up_req_recv/down_rep_recv states could be reset
from one thread via drm_dp_mst_topology_mgr_set_mst(false), racing with
the reading/parsing of the message from another thread via
drm_dp_mst_handle_down_rep() or drm_dp_mst_handle_up_req(). The race is
possible since the reader/parser doesn't hold any lock while accessing
the reception state. This in turn can lead to a memory corruption in the
reader/parser as described by commit bd2fccac61b4 ("drm/dp_mst: Fix MST
sideband message body length check").

Fix the above by resetting the message reception state if needed before
reading/parsing a message. Another solution would be to hold the
drm_dp_mst_topology_mgr::lock for the whole duration of the message
reception/parsing in drm_dp_mst_handle_down_rep() and
drm_dp_mst_handle_up_req(), however this would require a bigger change.
Since the fix is also needed for stable, opting for the simpler solution
in this patch.
Timeline
- 2025-01-11 CVE Reserved
- 2025-01-11 CVE Published
- 2025-01-11 CVE Updated
References (9)
URL | Tag | Source |
---|---|---|
https://git.kernel.org/stable/c/b30fcedeba643ca16eaa6212c1245598b7cd830d | Vuln. Introduced | |
https://git.kernel.org/stable/c/1d082618bbf3b6755b8cc68c0a8122af2842d593 | Vuln. Introduced | |
https://git.kernel.org/stable/c/ee4a4282d78d96e07e714c28ca54679713fa2157 | Vuln. Introduced | |
https://git.kernel.org/stable/c/db35e49413a4d03ea0c003598803e49956f59324 | Vuln. Introduced | |
https://git.kernel.org/stable/c/a579ed4613b5a64074963988ad481e43cf3b917b | Vuln. Introduced | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Linux | Linux Kernel | >= 6.1.18 < 6.1.120 | en | Affected |
Linux | Linux Kernel | >= 6.3 < 6.6.66 | en | Affected |
Linux | Linux Kernel | >= 6.3 < 6.12.5 | en | Affected |
Linux | Linux Kernel | >= 6.3 < 6.13-rc2 | en | Affected |
Linux | Linux Kernel | 5.10.173 | en | Affected |
Linux | Linux Kernel | 5.15.100 | en | Affected |
Linux | Linux Kernel | 6.2.5 | en | Affected |