CVE-2022-49221 (GCVE-0-2022-49221)
Vulnerability from cvelistv5
Published
2025-02-26 01:55
Modified
2025-05-04 12:44
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: drm/msm/dp: populate connector of struct dp_panel DP CTS test case 4.2.2.6 has valid edid with bad checksum on purpose and expect DP source return correct checksum. During drm edid read, correct edid checksum is calculated and stored at connector::real_edid_checksum. The problem is struct dp_panel::connector never be assigned, instead the connector is stored in struct msm_dp::connector. When we run compliance testing test case 4.2.2.6 dp_panel_handle_sink_request() won't have a valid edid set in struct dp_panel::edid so we'll try to use the connectors real_edid_checksum and hit a NULL pointer dereference error because the connector pointer is never assigned. Changes in V2: -- populate panel connector at msm_dp_modeset_init() instead of at dp_panel_read_sink_caps() Changes in V3: -- remove unhelpful kernel crash trace commit text -- remove renaming dp_display parameter to dp Changes in V4: -- add more details to commit text Changes in v10: -- group into one series Changes in v11: -- drop drm/msm/dp: dp_link_parse_sink_count() return immediately if aux read Signee-off-by: Kuogee Hsieh <quic_khsieh@quicinc.com>
Impacted products
Vendor Product Version
Linux Linux Version: f86bc4a1a401d3691bad41e67f9db0c2ea94da32
Version: 7948fe12d47a946fb8025a0534c900e3dd4b5839
Version: 7948fe12d47a946fb8025a0534c900e3dd4b5839
Version: 7948fe12d47a946fb8025a0534c900e3dd4b5839
Version: 7948fe12d47a946fb8025a0534c900e3dd4b5839
Version: ab1ccd1e2584b268784518f838f7cc72faec576b
Version: 08a96864a45b65ee406a344c78dd761b2fd66887
Create a notification for this product.
   Linux Linux Version: 5.15
Create a notification for this product.
Show details on NVD website


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/msm/dp/dp_display.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "413c62697b61226a236c8b1f5cd64dcf42bcc12f",
              "status": "affected",
              "version": "f86bc4a1a401d3691bad41e67f9db0c2ea94da32",
              "versionType": "git"
            },
            {
              "lessThan": "9525b8bcae8b99188990b56484799cf4b1b43786",
              "status": "affected",
              "version": "7948fe12d47a946fb8025a0534c900e3dd4b5839",
              "versionType": "git"
            },
            {
              "lessThan": "fbba600f432a360b42452fee79d1fb35d3aa8aeb",
              "status": "affected",
              "version": "7948fe12d47a946fb8025a0534c900e3dd4b5839",
              "versionType": "git"
            },
            {
              "lessThan": "104074ebc0c3f358dd1ee944fbcde92c6e5a21dd",
              "status": "affected",
              "version": "7948fe12d47a946fb8025a0534c900e3dd4b5839",
              "versionType": "git"
            },
            {
              "lessThan": "5e602f5156910c7b19661699896cb6e3fb94fab9",
              "status": "affected",
              "version": "7948fe12d47a946fb8025a0534c900e3dd4b5839",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "ab1ccd1e2584b268784518f838f7cc72faec576b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "08a96864a45b65ee406a344c78dd761b2fd66887",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/msm/dp/dp_display.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.110",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.16.*",
              "status": "unaffected",
              "version": "5.16.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.17.*",
              "status": "unaffected",
              "version": "5.17.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.110",
                  "versionStartIncluding": "5.10.67",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.33",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.16.19",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.17.2",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.13.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.14.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dp: populate connector of struct dp_panel\n\nDP CTS test case 4.2.2.6 has valid edid with bad checksum on purpose\nand expect DP source return correct checksum. During drm edid read,\ncorrect edid checksum is calculated and stored at\nconnector::real_edid_checksum.\n\nThe problem is struct dp_panel::connector never be assigned, instead the\nconnector is stored in struct msm_dp::connector. When we run compliance\ntesting test case 4.2.2.6 dp_panel_handle_sink_request() won\u0027t have a valid\nedid set in struct dp_panel::edid so we\u0027ll try to use the connectors\nreal_edid_checksum and hit a NULL pointer dereference error because the\nconnector pointer is never assigned.\n\nChanges in V2:\n-- populate panel connector at msm_dp_modeset_init() instead of at dp_panel_read_sink_caps()\n\nChanges in V3:\n-- remove unhelpful kernel crash trace commit text\n-- remove renaming dp_display parameter to dp\n\nChanges in V4:\n-- add more details to commit text\n\nChanges in v10:\n--  group into one series\n\nChanges in v11:\n-- drop drm/msm/dp: dp_link_parse_sink_count() return immediately if aux read\n\nSignee-off-by: Kuogee Hsieh \u003cquic_khsieh@quicinc.com\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:44:22.205Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/413c62697b61226a236c8b1f5cd64dcf42bcc12f"
        },
        {
          "url": "https://git.kernel.org/stable/c/9525b8bcae8b99188990b56484799cf4b1b43786"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbba600f432a360b42452fee79d1fb35d3aa8aeb"
        },
        {
          "url": "https://git.kernel.org/stable/c/104074ebc0c3f358dd1ee944fbcde92c6e5a21dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e602f5156910c7b19661699896cb6e3fb94fab9"
        }
      ],
      "title": "drm/msm/dp: populate connector of struct dp_panel",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49221",
    "datePublished": "2025-02-26T01:55:53.318Z",
    "dateReserved": "2025-02-26T01:49:39.292Z",
    "dateUpdated": "2025-05-04T12:44:22.205Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-49221\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-02-26T07:00:59.167\",\"lastModified\":\"2025-03-18T19:33:38.933\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/msm/dp: populate connector of struct dp_panel\\n\\nDP CTS test case 4.2.2.6 has valid edid with bad checksum on purpose\\nand expect DP source return correct checksum. During drm edid read,\\ncorrect edid checksum is calculated and stored at\\nconnector::real_edid_checksum.\\n\\nThe problem is struct dp_panel::connector never be assigned, instead the\\nconnector is stored in struct msm_dp::connector. When we run compliance\\ntesting test case 4.2.2.6 dp_panel_handle_sink_request() won\u0027t have a valid\\nedid set in struct dp_panel::edid so we\u0027ll try to use the connectors\\nreal_edid_checksum and hit a NULL pointer dereference error because the\\nconnector pointer is never assigned.\\n\\nChanges in V2:\\n-- populate panel connector at msm_dp_modeset_init() instead of at dp_panel_read_sink_caps()\\n\\nChanges in V3:\\n-- remove unhelpful kernel crash trace commit text\\n-- remove renaming dp_display parameter to dp\\n\\nChanges in V4:\\n-- add more details to commit text\\n\\nChanges in v10:\\n--  group into one series\\n\\nChanges in v11:\\n-- drop drm/msm/dp: dp_link_parse_sink_count() return immediately if aux read\\n\\nSignee-off-by: Kuogee Hsieh \u003cquic_khsieh@quicinc.com\u003e\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/msm/dp: rellenar el conector de struct dp_panel DP CTS caso de prueba 4.2.2.6 tiene un edid v\u00e1lido con suma de comprobaci\u00f3n incorrecta a prop\u00f3sito y espera que la fuente DP devuelva la suma de comprobaci\u00f3n correcta. Durante la lectura del edid de drm, se calcula la suma de comprobaci\u00f3n del edid correcta y se almacena en connector::real_edid_checksum. El problema es que struct dp_panel::connector nunca se asigna, en su lugar el conector se almacena en struct msm_dp::connector. Cuando ejecutamos el caso de prueba de prueba de cumplimiento 4.2.2.6 dp_panel_handle_sink_request() no tendr\u00e1 un edid v\u00e1lido establecido en struct dp_panel::edid, por lo que intentaremos usar el conector real_edid_checksum y nos encontraremos con un error de desreferencia de puntero NULL porque el puntero del conector nunca se asigna. Cambios en V2: -- rellenar el conector del panel en msm_dp_modeset_init() en lugar de en dp_panel_read_sink_caps() Cambios en V3: -- eliminar el texto de confirmaci\u00f3n de seguimiento de fallos del n\u00facleo que no es de ayuda -- eliminar el cambio de nombre del par\u00e1metro dp_display a dp Cambios en V4: -- a\u00f1adir m\u00e1s detalles al texto de confirmaci\u00f3n Cambios en v10: -- agrupar en una serie Cambios en v11: -- eliminar drm/msm/dp: dp_link_parse_sink_count() retorna inmediatamente si se lee aux. Firmado por: Kuogee Hsieh \"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.10.67\",\"versionEndExcluding\":\"5.10.110\",\"matchCriteriaId\":\"E35E629A-08A5-4AA5-AAD3-0327AB394504\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.13.19\",\"versionEndExcluding\":\"5.14\",\"matchCriteriaId\":\"097A0850-FAA6-4FFF-88C2-F5B49B5CE740\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.14.6\",\"versionEndExcluding\":\"5.15.33\",\"matchCriteriaId\":\"44ED6312-668B-40E9-985A-5399C9E479F5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"5.16.19\",\"matchCriteriaId\":\"20C43679-0439-405A-B97F-685BEE50613B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.17\",\"versionEndExcluding\":\"5.17.2\",\"matchCriteriaId\":\"210C679C-CF84-44A3-8939-E629C87E54BF\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/104074ebc0c3f358dd1ee944fbcde92c6e5a21dd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/413c62697b61226a236c8b1f5cd64dcf42bcc12f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/5e602f5156910c7b19661699896cb6e3fb94fab9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/9525b8bcae8b99188990b56484799cf4b1b43786\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/fbba600f432a360b42452fee79d1fb35d3aa8aeb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.


Loading…