Thanks for your attention to this bug. We have a PoC that can trigger the KASAN crash. Please DM if you need it to reproduce the issue.
This is a bug that enables the kernel info leak for an attacker with physical access. Xiang On Mon, Jun 8, 2026 at 11:40 PM Xiang Mei <[email protected]> wrote: > > drm_parse_tiled_block() casts the DisplayID block to a > struct displayid_tiled_block and reads the full fixed layout up to > tile->topology_id[7] without checking block->num_bytes. The DisplayID > iterator only validates the declared payload length, so a crafted EDID > can advertise a tiled-display block (tag DATA_BLOCK_TILED_DISPLAY, or > DATA_BLOCK_2_TILED_DISPLAY_TOPOLOGY for v2.0) with a small num_bytes at > the end of a DisplayID extension. The read then runs past the end of the > exact-sized kmemdup()'d EDID allocation, a heap out-of-bounds read. > > Add a minimum-length check, as drm_parse_vesa_mso_data() already does. > > BUG: KASAN: slab-out-of-bounds in drm_edid_connector_update > Read of size 2 at addr ffff888010077700 by task exploit/147 > dump_stack_lvl (lib/dump_stack.c:94 ...) > print_report (mm/kasan/report.c:378 ...) > kasan_report (mm/kasan/report.c:595) > drm_edid_connector_update (drivers/gpu/drm/drm_edid.c:7581) > bochs_connector_helper_get_modes (drivers/gpu/drm/tiny/bochs.c:574) > drm_helper_probe_single_connector_modes > (drivers/gpu/drm/drm_probe_helper.c:426) > status_store (drivers/gpu/drm/drm_sysfs.c:219) > ... > vfs_write (fs/read_write.c:595 fs/read_write.c:688) > ksys_write (fs/read_write.c:740) > > Fixes: 40d9b043a89e ("drm/connector: store tile information from displayid > (v3)") > Reported-by: Weiming Shi <[email protected]> > Assisted-by: Claude:claude-opus-4-8 > Signed-off-by: Xiang Mei <[email protected]> > --- > drivers/gpu/drm/drm_edid.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c > index 404208bf23a6..92054ac82fe2 100644 > --- a/drivers/gpu/drm/drm_edid.c > +++ b/drivers/gpu/drm/drm_edid.c > @@ -7575,6 +7575,13 @@ static void drm_parse_tiled_block(struct drm_connector > *connector, > u8 num_v_tile, num_h_tile; > struct drm_tile_group *tg; > > + if (block->num_bytes < sizeof(*tile) - sizeof(*block)) { > + drm_dbg_kms(connector->dev, > + "[CONNECTOR:%d:%s] Unexpected tiled block size > %u\n", > + connector->base.id, connector->name, > block->num_bytes); > + return; > + } > + > w = tile->tile_size[0] | tile->tile_size[1] << 8; > h = tile->tile_size[2] | tile->tile_size[3] << 8; > > -- > 2.43.0 >
