Instituto Nacional de Ciberseguridad. INCIBE-CERT section

CVE-2022-50398

Severity:
Pending analysis
Type:
Not available / Other
Publication date:
18/09/2025
Last modified:
19/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/msm/dp: add atomic_check to bridge ops

DRM commit_tails() will disable the downstream crtc/encoder/bridge if both a crtc disable is required and crtc->active is set before pushing a new frame downstream.

There is a rare case in which the user space display manager issues an extra screen update immediately followed by closing the DRM device while the downstream display interface is disabled. This extra screen update will time out because the downstream interface is disabled, but it will cause crtc->active to be set. Hence the subsequent commit_tails() called by drm_release() will pass the condition checks for disabling the downstream crtc/encoder/bridge even though the downstream interface is disabled. This causes the crash at dp_bridge_disable(), because it tries to access the main link register to push the idle pattern out while the main link clocks are disabled.

This patch adds atomic_check to prevent the extra frame from being pushed down if the display interface is down, so that crtc->active will not be set either. This will fail the condition checks for disabling the downstream crtc/encoder/bridge, which prevents drm_release() from calling dp_bridge_disable(), so that the crash at dp_bridge_disable() is prevented.

There is no protection in the DRM framework to check if the display pipeline has already been disabled before trying again. The only check is crtc_state->active, but this is controlled by usermode using UAPI. Hence if usermode sets this and then crashes, the driver needs to protect against a double disable.

SError Interrupt on CPU7, code 0x00000000be000411 -- SError
CPU: 7 PID: 3878 Comm: Xorg Not tainted 5.19.0-stb-cbq #19
Hardware name: Google Lazor (rev3 - 8) (DT)
pstate: a04000c9 (NzCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __cmpxchg_case_acq_32+0x14/0x2c
lr : do_raw_spin_lock+0xa4/0xdc
sp : ffffffc01092b6a0
x29: ffffffc01092b6a0 x28: 0000000000000028 x27: 0000000000000038
x26: 0000000000000004 x25: ffffffd2973dce48 x24: 0000000000000000
x23: 00000000ffffffff x22: 00000000ffffffff x21: ffffffd2978d0008
x20: ffffffd2978d0008 x19: ffffff80ff759fc0 x18: 0000000000000000
x17: 004800a501260460 x16: 0441043b04600438 x15: 04380000089807d0
x14: 07b0089807800780 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000438 x10: 00000000000007d0 x9 : ffffffd2973e09e4
x8 : ffffff8092d53300 x7 : ffffff808902e8b8 x6 : 0000000000000001
x5 : ffffff808902e880 x4 : 0000000000000000 x3 : ffffff80ff759fc0
x2 : 0000000000000001 x1 : 0000000000000000 x0 : ffffff80ff759fc0
Kernel panic - not syncing: Asynchronous SError Interrupt
CPU: 7 PID: 3878 Comm: Xorg Not tainted 5.19.0-stb-cbq #19
Hardware name: Google Lazor (rev3 - 8) (DT)
Call trace:
dump_backtrace.part.0+0xbc/0xe4
show_stack+0x24/0x70
dump_stack_lvl+0x68/0x84
dump_stack+0x18/0x34
panic+0x14c/0x32c
nmi_panic+0x58/0x7c
arm64_serror_panic+0x78/0x84
do_serror+0x40/0x64
el1h_64_error_handler+0x30/0x48
el1h_64_error+0x68/0x6c
__cmpxchg_case_acq_32+0x14/0x2c
_raw_spin_lock_irqsave+0x38/0x4c
lock_timer_base+0x40/0x78
__mod_timer+0xf4/0x25c
schedule_timeout+0xd4/0xfc
__wait_for_common+0xac/0x140
wait_for_completion_timeout+0x2c/0x54
dp_ctrl_push_idle+0x40/0x88
dp_bridge_disable+0x24/0x30
drm_atomic_bridge_chain_disable+0x90/0xbc
drm_atomic_helper_commit_modeset_disables+0x198/0x444
msm_atomic_commit_tail+0x1d0/0x374
commit_tail+0x80/0x108
drm_atomic_helper_commit+0x118/0x11c
drm_atomic_commit+0xb4/0xe0
drm_client_modeset_commit_atomic+0x184/0x224
drm_client_modeset_commit_locked+0x58/0x160
drm_client_modeset_commit+0x3c/0x64
__drm_fb_helper_restore_fbdev_mode_unlocked+0x98/0xac
drm_fb_helper_set_par+0x74/0x80
drm_fb_helper_hotplug_event+0xdc/0xe0
__drm_fb_helper_restore_fbdev_mode_unlocked+0x7c/0xac
drm_fb_helper_restore_fbdev_mode_unlocked+0x20/0x2c
drm_fb_helper_lastclose+0x20/0x2c
drm_lastclose+0x44/0x6c
drm_release+0x88/0xd4
__fput+0x104/0x220
____fput+0x1c/0x28
task_work_run+0x8c/0x100
d
---truncated---

Impact