diff --git a/blacklist.conf b/blacklist.conf
index 6d0941d..2016fc4 100644
--- a/blacklist.conf
+++ b/blacklist.conf
@@ -859,3 +859,5 @@ a909d629ae77b97b6288bc3cfe68560454bf79c6 # cleanup designed to break kABI
 0522b9a1653048440da5f21747f21e498b9220d1 # relevant only on specific systems and wrecks kABI
 74622f0a81d0c2bcfc39f9192b788124e8c7f0af # relevant only on specific systems and wrecks kABI
 2996e9fc00c378987c18ecbafe5624581b18c0d6 # cleanup designed to break kABI
+e96fddb32931d007db12b1fce9b5e8e4c080401b # bsc#1222324 CVE-2024-26662: not affected: drm/amd/display: Fix 'panel_cntl' could be null in 'dcn21_set_backlight_level()'
+4f32504a2f85a7b40fe149436881381f48e9c0c0 # bsc#1222358 CVE-2024-26672: not affected: drm/amdgpu: Fix variable 'mca_funcs' dereferenced before NULL check in 'amdgpu_mca_smu_get_mca_entry()'
diff --git a/patches.suse/0001-drm-amd-display-Implement-bounds-check-for-stream-en.patch b/patches.suse/0001-drm-amd-display-Implement-bounds-check-for-stream-en.patch
new file mode 100644
index 0000000..c100680
--- /dev/null
+++ b/patches.suse/0001-drm-amd-display-Implement-bounds-check-for-stream-en.patch
@@ -0,0 +1,49 @@
+From 58fca355ad37dcb5f785d9095db5f748b79c5dc2 Mon Sep 17 00:00:00 2001
+From: Srinivasan Shanmugam
+Date: Wed, 7 Feb 2024 10:20:57 +0530
+Subject: drm/amd/display: Implement bounds check for stream encoder creation
+ in DCN301
+Git-commit: 58fca355ad37dcb5f785d9095db5f748b79c5dc2
+Patch-mainline: v6.8-rc4
+References: bsc#1222266 CVE-2024-26660
+
+'stream_enc_regs' array is an array of dcn10_stream_enc_registers
+structures. The array is initialized with four elements, corresponding
+to the four calls to stream_enc_regs() in the array initializer. This
+means that valid indices for this array are 0, 1, 2, and 3.
+
+The error message 'stream_enc_regs' 4 <= 5 below, is indicating that
+there is an attempt to access this array with an index of 5, which is
+out of bounds. This could lead to undefined behavior
+
+Here, eng_id is used as an index to access the stream_enc_regs array. If
+eng_id is 5, this would result in an out-of-bounds access on the
+stream_enc_regs array.
+
+Thus fixing Buffer overflow error in dcn301_stream_encoder_create
+reported by Smatch:
+drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn301/dcn301_resource.c:1011 dcn301_stream_encoder_create() error: buffer overflow 'stream_enc_regs' 4 <= 5
+
+Fixes: 3a83e4e64bb1 ("drm/amd/display: Add dcn3.01 support to DC (v2)")
+Cc: Roman Li
+Cc: Rodrigo Siqueira
+Cc: Aurabindo Pillai
+Signed-off-by: Srinivasan Shanmugam
+Reviewed-by: Roman Li
+Signed-off-by: Alex Deucher
+Acked-by: Thomas Zimmermann
+---
+ drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn301/dcn301_resource.c
+@@ -1014,7 +1014,7 @@ static struct stream_encoder *dcn301_str
+ vpg = dcn301_vpg_create(ctx, vpg_inst);
+ afmt = dcn301_afmt_create(ctx, afmt_inst);
+
+- if (!enc1 || !vpg || !afmt) {
++ if (!enc1 || !vpg || !afmt || eng_id >=
ARRAY_SIZE(stream_enc_regs)) {
+ kfree(enc1);
+ kfree(vpg);
+ kfree(afmt);
diff --git a/series.conf b/series.conf
index 213c380..9fb24c2 100644
--- a/series.conf
+++ b/series.conf
@@ -45677,6 +45677,7 @@
 patches.suse/drm-amdgpu-skip-to-program-GFXDEC-registers-for-susp.patch
 patches.suse/drm-amdgpu-reset-gpu-for-s3-suspend-abort-case.patch
 patches.suse/drm-amd-display-Increase-frame-larger-than-for-all-d.patch
+ patches.suse/0001-drm-amd-display-Implement-bounds-check-for-stream-en.patch
 patches.suse/drm-msms-dp-fixed-link-clock-divider-bits-be-over-wr.patch
 patches.suse/drm-msm-dp-return-correct-Colorimetry-for-DP_TEST_DY.patch
 patches.suse/drm-msm-dpu-check-for-valid-hw_pp-in-dpu_encoder_hel.patch
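Review bot: In the dcn301_resource.c hunk carried by the new patches.suse file, the added `eng_id >= ARRAY_SIZE(stream_enc_regs)` test is folded into the allocation-failure check, so it runs only after `dcn301_vpg_create(ctx, vpg_inst)` and `dcn301_afmt_create(ctx, afmt_inst)` have been called. If `vpg_inst` and `afmt_inst` are derived from `eng_id` (their assignment is outside the hunk), an out-of-range id reaches those helpers before it is rejected, and the function allocates three objects only to free them again. An early guard ahead of the allocations, `if (eng_id >= ARRAY_SIZE(stream_enc_regs)) return NULL;`, would reject the bad index before any dependent work. A short comment there should say that the table has fewer entries than the engine-id range, which is the invariant the Smatch report in the commit message points at. The start of `dcn301_stream_encoder_create()` and the later `stream_enc_regs[eng_id]` use are not visible here, so confirm against the full body.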