GHSA-mmv6-wm63-ppr6unknown

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix NULL...

Published
June 25, 2026
Last Modified
June 25, 2026

🔗 CVE IDs covered (1)

📋 Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix NULL deref and buffer over-read in SDP debugfs

[Why & How] dp_sdp_message_debugfs_write() dereferences connector->base.state->crtc without checking for NULL. A connector can be connected but not bound to any CRTC (e.g. after hot-plug before the next atomic commit), causing a kernel crash when writing to the sdp_message debugfs node.

The function also ignores the user-provided size argument and always passes 36 bytes to copy_from_user(), reading past the user buffer when size < 36.

Fix both issues by:

  • Returning -ENODEV when connector->base.state or state->crtc is NULL
  • Clamping write_size to min(size, sizeof(data))

(cherry picked from commit 6ab4c36a522842ff70474a1c0af2e40e50fc8300)

🔗 References (10)