CVE-2022-50417 (GCVE-0-2022-50417)
Vulnerability from cvelistv5
Published
2025-09-18 16:04
Modified
2025-09-18 16:04
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: drm/panfrost: Fix GEM handle creation ref-counting panfrost_gem_create_with_handle() previously returned a BO but with the only reference being from the handle, which user space could in theory guess and release, causing a use-after-free. Additionally if the call to panfrost_gem_mapping_get() in panfrost_ioctl_create_bo() failed then a(nother) reference on the BO was dropped. The _create_with_handle() is a problematic pattern, so ditch it and instead create the handle in panfrost_ioctl_create_bo(). If the call to panfrost_gem_mapping_get() fails then this means that user space has indeed gone behind our back and freed the handle. In which case just return an error code.
Impacted products
Vendor Product Version
Linux Linux Version: f3ba91228e8e917e5bd6c4b72bfe846933d17370
Version: f3ba91228e8e917e5bd6c4b72bfe846933d17370
Version: f3ba91228e8e917e5bd6c4b72bfe846933d17370
Version: f3ba91228e8e917e5bd6c4b72bfe846933d17370
Version: f3ba91228e8e917e5bd6c4b72bfe846933d17370
Create a notification for this product.
Show details on NVD website


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/panfrost/panfrost_drv.c",
            "drivers/gpu/drm/panfrost/panfrost_gem.c",
            "drivers/gpu/drm/panfrost/panfrost_gem.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0b70f6ea4d4f2b4d4b291d86ab76b4d07394932c",
              "status": "affected",
              "version": "f3ba91228e8e917e5bd6c4b72bfe846933d17370",
              "versionType": "git"
            },
            {
              "lessThan": "4f1105ee72d8c7c35d90e3491b31b2d9d6b7e33a",
              "status": "affected",
              "version": "f3ba91228e8e917e5bd6c4b72bfe846933d17370",
              "versionType": "git"
            },
            {
              "lessThan": "3f9feffa8a5ab08b4e298a27b1aa7204a7d42ca2",
              "status": "affected",
              "version": "f3ba91228e8e917e5bd6c4b72bfe846933d17370",
              "versionType": "git"
            },
            {
              "lessThan": "ba3d2c2380e7129b525a787489c0b7e819a3b898",
              "status": "affected",
              "version": "f3ba91228e8e917e5bd6c4b72bfe846933d17370",
              "versionType": "git"
            },
            {
              "lessThan": "4217c6ac817451d5116687f3cc6286220dc43d49",
              "status": "affected",
              "version": "f3ba91228e8e917e5bd6c4b72bfe846933d17370",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/panfrost/panfrost_drv.c",
            "drivers/gpu/drm/panfrost/panfrost_gem.c",
            "drivers/gpu/drm/panfrost/panfrost_gem.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.2"
            },
            {
              "lessThan": "5.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.163",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.163",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.87",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.19",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.5",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panfrost: Fix GEM handle creation ref-counting\n\npanfrost_gem_create_with_handle() previously returned a BO but with the\nonly reference being from the handle, which user space could in theory\nguess and release, causing a use-after-free. Additionally if the call to\npanfrost_gem_mapping_get() in panfrost_ioctl_create_bo() failed then\na(nother) reference on the BO was dropped.\n\nThe _create_with_handle() is a problematic pattern, so ditch it and\ninstead create the handle in panfrost_ioctl_create_bo(). If the call to\npanfrost_gem_mapping_get() fails then this means that user space has\nindeed gone behind our back and freed the handle. In which case just\nreturn an error code."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-18T16:04:00.512Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0b70f6ea4d4f2b4d4b291d86ab76b4d07394932c"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f1105ee72d8c7c35d90e3491b31b2d9d6b7e33a"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f9feffa8a5ab08b4e298a27b1aa7204a7d42ca2"
        },
        {
          "url": "https://git.kernel.org/stable/c/ba3d2c2380e7129b525a787489c0b7e819a3b898"
        },
        {
          "url": "https://git.kernel.org/stable/c/4217c6ac817451d5116687f3cc6286220dc43d49"
        }
      ],
      "title": "drm/panfrost: Fix GEM handle creation ref-counting",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50417",
    "datePublished": "2025-09-18T16:04:00.512Z",
    "dateReserved": "2025-09-17T14:53:07.003Z",
    "dateUpdated": "2025-09-18T16:04:00.512Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-50417\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-09-18T16:15:45.123\",\"lastModified\":\"2025-09-19T16:00:27.847\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ndrm/panfrost: Fix GEM handle creation ref-counting\\n\\npanfrost_gem_create_with_handle() previously returned a BO but with the\\nonly reference being from the handle, which user space could in theory\\nguess and release, causing a use-after-free. Additionally if the call to\\npanfrost_gem_mapping_get() in panfrost_ioctl_create_bo() failed then\\na(nother) reference on the BO was dropped.\\n\\nThe _create_with_handle() is a problematic pattern, so ditch it and\\ninstead create the handle in panfrost_ioctl_create_bo(). If the call to\\npanfrost_gem_mapping_get() fails then this means that user space has\\nindeed gone behind our back and freed the handle. In which case just\\nreturn an error code.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0b70f6ea4d4f2b4d4b291d86ab76b4d07394932c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3f9feffa8a5ab08b4e298a27b1aa7204a7d42ca2\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4217c6ac817451d5116687f3cc6286220dc43d49\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4f1105ee72d8c7c35d90e3491b31b2d9d6b7e33a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ba3d2c2380e7129b525a787489c0b7e819a3b898\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.


Loading…

Loading…