CVE-2022-48898

{"id": "CVE-2022-48898", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.0}]}, "published": "2024-08-21T07:15:05.750", "references": [{"url": "https://git.kernel.org/stable/c/1cba0d150fa102439114a91b3e215909efc9f169", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/785607e5e6fb52caf141e4580de40405565f04f1", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/984ad875db804948c86ca9e1c2e784ae8252715a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b7dcbca46db3c77fdb02c2a9d6239e5aa3b06a59", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-362"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dp: do not complete dp_aux_cmd_fifo_tx() if irq is not for aux transfer\n\nThere are 3 possible interrupt sources are handled by DP controller,\nHPDstatus, Controller state changes and Aux read/write transaction.\nAt every irq, DP controller have to check isr status of every interrupt\nsources and service the interrupt if its isr status bits shows interrupts\nare pending. There is potential race condition may happen at current aux\nisr handler implementation since it is always complete dp_aux_cmd_fifo_tx()\neven irq is not for aux read or write transaction. This may cause aux read\ntransaction return premature if host aux data read is in the middle of\nwaiting for sink to complete transferring data to host while irq happen.\nThis will cause host's receiving buffer contains unexpected data. This\npatch fixes this problem by checking aux isr and return immediately at\naux isr handler if there are no any isr status bits set.\n\nCurrent there is a bug report regrading eDP edid corruption happen during\nsystem booting up. After lengthy debugging to found that VIDEO_READY\ninterrupt was continuously firing during system booting up which cause\ndp_aux_isr() to complete dp_aux_cmd_fifo_tx() prematurely to retrieve data\nfrom aux hardware buffer which is not yet contains complete data transfer\nfrom sink. This cause edid corruption.\n\nFollows are the signature at kernel logs when problem happen,\nEDID has corrupt header\npanel-simple-dp-aux aux-aea0000.edp: Couldn't identify panel via EDID\n\nChanges in v2:\n-- do complete if (ret == IRQ_HANDLED) ay dp-aux_isr()\n-- add more commit text\n\nChanges in v3:\n-- add Stephen suggested\n-- dp_aux_isr() return IRQ_XXX back to caller\n-- dp_ctrl_isr() return IRQ_XXX back to caller\n\nChanges in v4:\n-- split into two patches\n\nChanges in v5:\n-- delete empty line between tags\n\nChanges in v6:\n-- remove extra \"that\" and fixed line more than 75 char at commit text\n\nPatchwork: https://patchwork.freedesktop.org/patch/516121/"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/msm/dp: no complete dp_aux_cmd_fifo_tx() si irq no es para transferencia auxiliar. Hay 3 posibles fuentes de interrupci\u00f3n que son manejadas por el controlador DP, HPDstatus, los cambios de estado del controlador y Aux. transacci\u00f3n de lectura/escritura. En cada irq, el controlador DP debe verificar el estado isr de cada fuente de interrupci\u00f3n y atender la interrupci\u00f3n si sus bits de estado isr muestran que hay interrupciones pendientes. Existe una posible condici\u00f3n de ejecuci\u00f3n que puede ocurrir en la implementaci\u00f3n actual del controlador aux isr, ya que siempre est\u00e1 completo dp_aux_cmd_fifo_tx(), incluso irq no es para transacciones de lectura o escritura auxiliar. Esto puede causar que la transacci\u00f3n de lectura auxiliar regrese prematuramente si la lectura de datos auxiliares del host est\u00e1 en medio de la espera de que el receptor complete la transferencia de datos al host mientras ocurre la irq. Esto har\u00e1 que el b\u00fafer de recepci\u00f3n del host contenga datos inesperados. Este parche soluciona este problema verificando aux isr y regresa inmediatamente al controlador aux isr si no hay ning\u00fan bit de estado isr establecido. Actualmente hay un informe de error que indica que la corrupci\u00f3n de eDP edid ocurre durante el inicio del sistema. Despu\u00e9s de una larga depuraci\u00f3n, descubr\u00ed que la interrupci\u00f3n VIDEO_READY se activaba continuamente durante el inicio del sistema, lo que provocaba que dp_aux_isr() completara dp_aux_cmd_fifo_tx() prematuramente para recuperar datos del b\u00fafer de hardware auxiliar que a\u00fan no contiene la transferencia completa de datos desde el receptor. Esto provoc\u00f3 corrupci\u00f3n. A continuaci\u00f3n se muestra la firma en los registros del kernel cuando ocurre un problema, EDID tiene el panel de encabezado corrupto-simple-dp-aux aux-aea0000.edp: No se pudo identificar el panel a trav\u00e9s de EDID Cambios en v2: - complete si (ret == IRQ_HANDLED) ay dp-aux_isr() - agregar m\u00e1s texto de confirmaci\u00f3n Cambios en v3: - agregar Stephen sugerido - dp_aux_isr() devolver IRQ_XXX a la persona que llama - dp_ctrl_isr() devolver IRQ_XXX a la persona que llama Cambios en v4: - dividir en dos parches Cambios en v5: - eliminar l\u00ednea vac\u00eda entre etiquetas Cambios en v6: - eliminar \"eso\" adicional y l\u00ednea fija de m\u00e1s de 75 caracteres en el texto de confirmaci\u00f3n Patchwork: https://patchwork.freedesktop.org/patch/516121/"}], "lastModified": "2024-09-11T16:19:18.350", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0A75A69A-4F89-495D-9990-0D27E9EA3748", "versionEndExcluding": "5.10.164", "versionStartIncluding": "5.10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E706841F-E788-4316-9B05-DA8EB60CE6B3", "versionEndExcluding": "5.15.89", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9275C81F-AE96-4CDB-AD20-7DBD36E5D909", "versionEndExcluding": "6.1.7", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FF501633-2F44-4913-A8EE-B021929F49F6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2BDA597B-CAC1-4DF0-86F0-42E142C654E9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "725C78C9-12CE-406F-ABE8-0813A01D66E8"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}