[PATCH] drm/dp/mst: fix OOB reads in remote DPCD/I2C sideband reply parsers

[PATCH] drm/dp/mst: fix OOB reads in remote DPCD/I2C sideband reply parsers

[Ashutosh Desai]

drm_dp_sideband_parse_remote_dpcd_read() reads num_bytes from the raw
message and then unconditionally does:

  memcpy(bytes, &raw->msg[idx], num_bytes);

without checking that idx + num_bytes <= raw->curlen.  raw->msg[] is
256 bytes; if a malicious or misbehaving MST hub sets num_bytes larger
than the remaining payload, the memcpy reads past the received data
into whatever follows in raw->msg[].

drm_dp_sideband_parse_remote_i2c_read_ack() has the same flaw and also
lacked the post-increment idx bounds check (noted with a /* TODO check */
comment since the code was introduced).

Add the missing bounds checks in both functions, consistent with the
pattern used throughout the rest of the sideband parser.

Signed-off-by: Ashutosh Desai <ashutoshdesai993@gmail.com>
---
 drivers/gpu/drm/display/drm_dp_mst_topology.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/display/drm_dp_mst_topology.c b/drivers/gpu/drm/display/drm_dp_mst_topology.c
index 170113520..9cef6c576 100644
--- a/drivers/gpu/drm/display/drm_dp_mst_topology.c
+++ b/drivers/gpu/drm/display/drm_dp_mst_topology.c
@@ -873,6 +873,8 @@ static bool drm_dp_sideband_parse_remote_dpcd_read(struct drm_dp_sideband_msg_rx
 	idx++;
 	if (idx > raw->curlen)
 		goto fail_len;
+	if (idx + repmsg->u.remote_dpcd_read_ack.num_bytes > raw->curlen)
+		goto fail_len;
 
 	memcpy(repmsg->u.remote_dpcd_read_ack.bytes, &raw->msg[idx], repmsg->u.remote_dpcd_read_ack.num_bytes);
 	return true;
@@ -907,7 +909,11 @@ static bool drm_dp_sideband_parse_remote_i2c_read_ack(struct drm_dp_sideband_msg
 		goto fail_len;
 	repmsg->u.remote_i2c_read_ack.num_bytes = raw->msg[idx];
 	idx++;
-	/* TODO check */
+	if (idx > raw->curlen)
+		goto fail_len;
+	if (idx + repmsg->u.remote_i2c_read_ack.num_bytes > raw->curlen)
+		goto fail_len;
+
 	memcpy(repmsg->u.remote_i2c_read_ack.bytes, &raw->msg[idx], repmsg->u.remote_i2c_read_ack.num_bytes);
 	return true;
 fail_len:
-- 
2.34.1

Claude review: drm/dp/mst: fix OOB reads in remote DPCD/I2C sideband reply parsers

[Claude Code Review Bot]

Overall Series Review

Subject: drm/dp/mst: fix OOB reads in remote DPCD/I2C sideband reply parsers
Author: Ashutosh Desai <ashutoshdesai993@gmail.com>
Patches: 1
Reviewed: 2026-04-12T10:33:37.154436

---

This is a single-patch fix for out-of-bounds reads in two DP MST sideband reply parsers. The fix is correct, addresses a real vulnerability, and follows the existing validation pattern used throughout the rest of the file. The patch is small and well-scoped.

The main concern is the absence of a `Fixes:` tag and `Cc: stable@vger.kernel.org`, which are expected for security-relevant bug fixes in the kernel.

**Verdict: Looks good with minor process nits.**

---
Generated by Claude Code Patch Reviewer

Claude review: drm/dp/mst: fix OOB reads in remote DPCD/I2C sideband reply parsers

[Claude Code Review Bot]

Patch Review

**Correctness: Good.** The patch addresses two distinct but related issues:

1. **`drm_dp_sideband_parse_remote_dpcd_read()`** — Already had `idx > raw->curlen` bounds checks after each `idx++`, but was missing validation that the `memcpy` length (`num_bytes`) wouldn't cause a read past the received data. The added check:
   ```c
   if (idx + repmsg->u.remote_dpcd_read_ack.num_bytes > raw->curlen)
       goto fail_len;
   ```
   is correct. At this point `idx` is an `int` (value 3), `num_bytes` is `u8` (max 255), so no integer overflow risk. `curlen` is `u8` and the comparison promotes to `int`.

2. **`drm_dp_sideband_parse_remote_i2c_read_ack()`** — Was missing *both* the post-increment `idx > raw->curlen` check *and* the `idx + num_bytes > raw->curlen` check before the `memcpy`. The `/* TODO check */` comment had been there since the code was introduced, so this resolves a known gap. The patch correctly adds both checks and removes the TODO.

**Destination buffer safety:** Both `remote_dpcd_read_ack.bytes` and `remote_i2c_read_ack.bytes` are `u8 bytes[255]` (verified in `drm_dp_mst_helper.h:284,300`), and `num_bytes` is `u8` (max 255), so the destination buffer can never overflow.

**Source buffer safety:** `raw->msg` is 256 bytes (`drm_dp_mst_helper.h:172`), `curlen` is `u8` (max 255). The new checks ensure `idx + num_bytes <= curlen <= 255`, so the `memcpy` stays within bounds of both the valid data and the buffer itself.

**Nits / suggestions:**

- **Missing `Fixes:` tag.** This is a security-relevant fix and should reference the original commit that introduced the code (likely `ad7f8a1f9ced` or similar from the initial MST sideband parser). Kernel maintainers will likely request this before applying.

- **Missing `Cc: stable@vger.kernel.org`.** An OOB read from external input is a security issue that should be backported to stable kernels.

- The commit message says *"reads past the received data into whatever follows in raw->msg[]"* — this is slightly imprecise. With `idx` at 3 and `num_bytes` up to 255, the memcpy could read up to `msg[258]`, which is 2 bytes past the end of `msg[256]` into adjacent struct fields (`curchunk_len`, `curchunk_idx`). So it's not only reading uninitialized *within* `msg[]` but potentially a small struct-bounded OOB. The practical impact is the same (info leak of kernel memory), but the description could be more precise.

- No functional concerns with the code itself — it follows the exact same validation pattern as the rest of the file (e.g., `drm_dp_sideband_parse_enum_path_resources_ack` at line 924).

---
Generated by Claude Code Patch Reviewer