Commit 6c92f6d9 authored May 07, 2026 by Harry Wentland Committed by Alex Deucher May 19, 2026

drm/amd/display: Validate payload length and link_index in dc_process_dmub_aux_transfer_async



[Why&How]
dc_process_dmub_aux_transfer_async() copies payload->length bytes into a
16-byte stack buffer (dpaux.data[16]) guarded only by an ASSERT(), which
is a no-op in release builds. If a caller ever passes length > 16 this
results in a stack buffer overflow via memcpy.

Additionally, link_index is used to dereference dc->links[] without
bounds checking against dc->link_count, risking an out-of-bounds access.

Replace the ASSERT with a hard runtime check that returns false when
payload->length exceeds the destination buffer size, and add a bounds
check for link_index before it is used.

Assisted-by: GitHub Copilot:Claude claude-4-opus
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Ivan Lipski <ivan.lipski@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit ba4caa9fecdf7a38f98c878ad05a8a64148b6881)
Cc: stable@vger.kernel.org

parent 86d2b206

drivers/gpu/drm/amd/display/dc/core/dc.c

+5 −1

Original line number	Diff line number	Diff line
		@@ -6071,7 +6071,11 @@ bool dc_process_dmub_aux_transfer_async(struct dc *dc,
		uint8_t action;
		union dmub_rb_cmd cmd = {0};

		ASSERT(payload->length <= 16);
		if (link_index >= dc->link_count \|\| !dc->links[link_index])
		return false;

		if (payload->length > sizeof(cmd.dp_aux_access.aux_control.dpaux.data))
		return false;

		cmd.dp_aux_access.header.type = DMUB_CMD__DP_AUX_ACCESS;
		cmd.dp_aux_access.header.payload_bytes = 0;