CVE-2022-49221

26.02.2025, 07:00

In the Linux kernel, the following vulnerability has been resolved:

drm/msm/dp: populate connector of struct dp_panel

DP CTS test case 4.2.2.6 has valid edid with bad checksum on purpose
and expect DP source return correct checksum. During drm edid read,
correct edid checksum is calculated and stored at
connector::real_edid_checksum.

The problem is struct dp_panel::connector never be assigned, instead the
connector is stored in struct msm_dp::connector. When we run compliance
testing test case 4.2.2.6 dp_panel_handle_sink_request() won't have a valid
edid set in struct dp_panel::edid so we'll try to use the connectors
real_edid_checksum and hit a NULL pointer dereference error because the
connector pointer is never assigned.

Changes in V2:
-- populate panel connector at msm_dp_modeset_init() instead of at dp_panel_read_sink_caps()

Changes in V3:
-- remove unhelpful kernel crash trace commit text
-- remove renaming dp_display parameter to dp

Changes in V4:
-- add more details to commit text

Changes in v10:
--  group into one series

Changes in v11:
-- drop drm/msm/dp: dp_link_parse_sink_count() return immediately if aux read

Signee-off-by: Kuogee Hsieh <quic_khsieh@quicinc.com>

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Linux	CNA	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Vendor	Product	Version
linux	linux_kernel	5.10.67 ≤ 𝑥 < 5.10.110
linux	linux_kernel	5.13.19 ≤ 𝑥 < 5.14
linux	linux_kernel	5.14.6 ≤ 𝑥 < 5.15.33
linux	linux_kernel	5.16 ≤ 𝑥 < 5.16.19
linux	linux_kernel	5.17 ≤ 𝑥 < 5.17.2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 fixed
bullseye (security)	5.10.234-1 fixed
bookworm	6.1.123-1 fixed
bookworm (security)	6.1.128-1 fixed
trixie	6.12.12-1 fixed
sid	6.12.16-1 fixed

Common Weakness Enumeration

CWE-476 - NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

References

https://git.kernel.org/stable/c/104074ebc0c3f358dd1ee944fbcde92c6e5a21dd

https://git.kernel.org/stable/c/413c62697b61226a236c8b1f5cd64dcf42bcc12f

https://git.kernel.org/stable/c/5e602f5156910c7b19661699896cb6e3fb94fab9

https://git.kernel.org/stable/c/9525b8bcae8b99188990b56484799cf4b1b43786

https://git.kernel.org/stable/c/fbba600f432a360b42452fee79d1fb35d3aa8aeb