fkie_cve-2022-48898
Vulnerability from fkie_nvd
Published
2024-08-21 07:15
Modified
2024-09-11 16:19
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/dp: do not complete dp_aux_cmd_fifo_tx() if irq is not for aux transfer
There are 3 possible interrupt sources are handled by DP controller,
HPDstatus, Controller state changes and Aux read/write transaction.
At every irq, DP controller have to check isr status of every interrupt
sources and service the interrupt if its isr status bits shows interrupts
are pending. There is potential race condition may happen at current aux
isr handler implementation since it is always complete dp_aux_cmd_fifo_tx()
even irq is not for aux read or write transaction. This may cause aux read
transaction return premature if host aux data read is in the middle of
waiting for sink to complete transferring data to host while irq happen.
This will cause host's receiving buffer contains unexpected data. This
patch fixes this problem by checking aux isr and return immediately at
aux isr handler if there are no any isr status bits set.
Current there is a bug report regrading eDP edid corruption happen during
system booting up. After lengthy debugging to found that VIDEO_READY
interrupt was continuously firing during system booting up which cause
dp_aux_isr() to complete dp_aux_cmd_fifo_tx() prematurely to retrieve data
from aux hardware buffer which is not yet contains complete data transfer
from sink. This cause edid corruption.
Follows are the signature at kernel logs when problem happen,
EDID has corrupt header
panel-simple-dp-aux aux-aea0000.edp: Couldn't identify panel via EDID
Changes in v2:
-- do complete if (ret == IRQ_HANDLED) ay dp-aux_isr()
-- add more commit text
Changes in v3:
-- add Stephen suggested
-- dp_aux_isr() return IRQ_XXX back to caller
-- dp_ctrl_isr() return IRQ_XXX back to caller
Changes in v4:
-- split into two patches
Changes in v5:
-- delete empty line between tags
Changes in v6:
-- remove extra "that" and fixed line more than 75 char at commit text
Patchwork: https://patchwork.freedesktop.org/patch/516121/
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | 6.2 | |
| linux | linux_kernel | 6.2 | |
| linux | linux_kernel | 6.2 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "0A75A69A-4F89-495D-9990-0D27E9EA3748", versionEndExcluding: "5.10.164", versionStartIncluding: "5.10", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "E706841F-E788-4316-9B05-DA8EB60CE6B3", versionEndExcluding: "5.15.89", versionStartIncluding: "5.11", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "9275C81F-AE96-4CDB-AD20-7DBD36E5D909", versionEndExcluding: "6.1.7", versionStartIncluding: "5.16", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*", matchCriteriaId: "FF501633-2F44-4913-A8EE-B021929F49F6", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*", matchCriteriaId: "2BDA597B-CAC1-4DF0-86F0-42E142C654E9", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*", matchCriteriaId: "725C78C9-12CE-406F-ABE8-0813A01D66E8", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dp: do not complete dp_aux_cmd_fifo_tx() if irq is not for aux transfer\n\nThere are 3 possible interrupt sources are handled by DP controller,\nHPDstatus, Controller state changes and Aux read/write transaction.\nAt every irq, DP controller have to check isr status of every interrupt\nsources and service the interrupt if its isr status bits shows interrupts\nare pending. There is potential race condition may happen at current aux\nisr handler implementation since it is always complete dp_aux_cmd_fifo_tx()\neven irq is not for aux read or write transaction. This may cause aux read\ntransaction return premature if host aux data read is in the middle of\nwaiting for sink to complete transferring data to host while irq happen.\nThis will cause host's receiving buffer contains unexpected data. This\npatch fixes this problem by checking aux isr and return immediately at\naux isr handler if there are no any isr status bits set.\n\nCurrent there is a bug report regrading eDP edid corruption happen during\nsystem booting up. After lengthy debugging to found that VIDEO_READY\ninterrupt was continuously firing during system booting up which cause\ndp_aux_isr() to complete dp_aux_cmd_fifo_tx() prematurely to retrieve data\nfrom aux hardware buffer which is not yet contains complete data transfer\nfrom sink. This cause edid corruption.\n\nFollows are the signature at kernel logs when problem happen,\nEDID has corrupt header\npanel-simple-dp-aux aux-aea0000.edp: Couldn't identify panel via EDID\n\nChanges in v2:\n-- do complete if (ret == IRQ_HANDLED) ay dp-aux_isr()\n-- add more commit text\n\nChanges in v3:\n-- add Stephen suggested\n-- dp_aux_isr() return IRQ_XXX back to caller\n-- dp_ctrl_isr() return IRQ_XXX back to caller\n\nChanges in v4:\n-- split into two patches\n\nChanges in v5:\n-- delete empty line between tags\n\nChanges in v6:\n-- remove extra \"that\" and fixed line more than 75 char at commit text\n\nPatchwork: https://patchwork.freedesktop.org/patch/516121/", }, { lang: "es", value: "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/msm/dp: no complete dp_aux_cmd_fifo_tx() si irq no es para transferencia auxiliar. Hay 3 posibles fuentes de interrupción que son manejadas por el controlador DP, HPDstatus, los cambios de estado del controlador y Aux. transacción de lectura/escritura. En cada irq, el controlador DP debe verificar el estado isr de cada fuente de interrupción y atender la interrupción si sus bits de estado isr muestran que hay interrupciones pendientes. Existe una posible condición de ejecución que puede ocurrir en la implementación actual del controlador aux isr, ya que siempre está completo dp_aux_cmd_fifo_tx(), incluso irq no es para transacciones de lectura o escritura auxiliar. Esto puede causar que la transacción de lectura auxiliar regrese prematuramente si la lectura de datos auxiliares del host está en medio de la espera de que el receptor complete la transferencia de datos al host mientras ocurre la irq. Esto hará que el búfer de recepción del host contenga datos inesperados. Este parche soluciona este problema verificando aux isr y regresa inmediatamente al controlador aux isr si no hay ningún bit de estado isr establecido. Actualmente hay un informe de error que indica que la corrupción de eDP edid ocurre durante el inicio del sistema. Después de una larga depuración, descubrí que la interrupción VIDEO_READY se activaba continuamente durante el inicio del sistema, lo que provocaba que dp_aux_isr() completara dp_aux_cmd_fifo_tx() prematuramente para recuperar datos del búfer de hardware auxiliar que aún no contiene la transferencia completa de datos desde el receptor. Esto provocó corrupción. A continuación se muestra la firma en los registros del kernel cuando ocurre un problema, EDID tiene el panel de encabezado corrupto-simple-dp-aux aux-aea0000.edp: No se pudo identificar el panel a través de EDID Cambios en v2: - complete si (ret == IRQ_HANDLED) ay dp-aux_isr() - agregar más texto de confirmación Cambios en v3: - agregar Stephen sugerido - dp_aux_isr() devolver IRQ_XXX a la persona que llama - dp_ctrl_isr() devolver IRQ_XXX a la persona que llama Cambios en v4: - dividir en dos parches Cambios en v5: - eliminar línea vacía entre etiquetas Cambios en v6: - eliminar \"eso\" adicional y línea fija de más de 75 caracteres en el texto de confirmación Patchwork: https://patchwork.freedesktop.org/patch/516121/", }, ], id: "CVE-2022-48898", lastModified: "2024-09-11T16:19:18.350", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 4.7, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 1, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-08-21T07:15:05.750", references: [ { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/1cba0d150fa102439114a91b3e215909efc9f169", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/785607e5e6fb52caf141e4580de40405565f04f1", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/984ad875db804948c86ca9e1c2e784ae8252715a", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Patch", ], url: "https://git.kernel.org/stable/c/b7dcbca46db3c77fdb02c2a9d6239e5aa3b06a59", }, ], sourceIdentifier: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-362", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.