ghsa-qrvf-hmjq-6539
Vulnerability from github
Published
2025-09-22 21:30
Modified
2025-09-22 21:30
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/i915/gem: add missing boundary check in vm_access

A missing bounds check in vm_access() can lead to an out-of-bounds read or write in the adjacent memory area, since the len attribute is not validated before the memcpy later in the function, potentially hitting:

[ 183.637831] BUG: unable to handle page fault for address: ffffc90000c86000 [ 183.637934] #PF: supervisor read access in kernel mode [ 183.637997] #PF: error_code(0x0000) - not-present page [ 183.638059] PGD 100000067 P4D 100000067 PUD 100258067 PMD 106341067 PTE 0 [ 183.638144] Oops: 0000 [#2] PREEMPT SMP NOPTI [ 183.638201] CPU: 3 PID: 1790 Comm: poc Tainted: G D 5.17.0-rc6-ci-drm-11296+ #1 [ 183.638298] Hardware name: Intel Corporation CoffeeLake Client Platform/CoffeeLake H DDR4 RVP, BIOS CNLSFWR1.R00.X208.B00.1905301319 05/30/2019 [ 183.638430] RIP: 0010:memcpy_erms+0x6/0x10 [ 183.640213] RSP: 0018:ffffc90001763d48 EFLAGS: 00010246 [ 183.641117] RAX: ffff888109c14000 RBX: ffff888111bece40 RCX: 0000000000000ffc [ 183.642029] RDX: 0000000000001000 RSI: ffffc90000c86000 RDI: ffff888109c14004 [ 183.642946] RBP: 0000000000000ffc R08: 800000000000016b R09: 0000000000000000 [ 183.643848] R10: ffffc90000c85000 R11: 0000000000000048 R12: 0000000000001000 [ 183.644742] R13: ffff888111bed190 R14: ffff888109c14000 R15: 0000000000001000 [ 183.645653] FS: 00007fe5ef807540(0000) GS:ffff88845b380000(0000) knlGS:0000000000000000 [ 183.646570] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 183.647481] CR2: ffffc90000c86000 CR3: 000000010ff02006 CR4: 00000000003706e0 [ 183.648384] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 183.649271] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 183.650142] Call Trace: [ 183.650988] [ 183.651793] vm_access+0x1f0/0x2a0 [i915] [ 183.652726] __access_remote_vm+0x224/0x380 [ 183.653561] mem_rw.isra.0+0xf9/0x190 [ 183.654402] vfs_read+0x9d/0x1b0 [ 183.655238] ksys_read+0x63/0xe0 [ 183.656065] do_syscall_64+0x38/0xc0 [ 183.656882] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 183.657663] RIP: 0033:0x7fe5ef725142 [ 183.659351] RSP: 002b:00007ffe1e81c7e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 183.660227] RAX: ffffffffffffffda RBX: 0000557055dfb780 RCX: 00007fe5ef725142 [ 183.661104] RDX: 0000000000001000 RSI: 00007ffe1e81d880 RDI: 0000000000000005 [ 183.661972] RBP: 00007ffe1e81e890 R08: 0000000000000030 R09: 0000000000000046 [ 183.662832] R10: 0000557055dfc2e0 R11: 0000000000000246 R12: 0000557055dfb1c0 [ 183.663691] R13: 00007ffe1e81e980 R14: 0000000000000000 R15: 0000000000000000

Changes since v1: - Updated if condition with range_overflows_t [Chris Wilson]

[mauld: tidy up the commit message and add Cc: stable] (cherry picked from commit 661412e301e2ca86799aa4f400d1cf0bd38c57c6)

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-49261"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:03Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gem: add missing boundary check in vm_access\n\nA missing bounds check in vm_access() can lead to an out-of-bounds read\nor write in the adjacent memory area, since the len attribute is not\nvalidated before the memcpy later in the function, potentially hitting:\n\n[  183.637831] BUG: unable to handle page fault for address: ffffc90000c86000\n[  183.637934] #PF: supervisor read access in kernel mode\n[  183.637997] #PF: error_code(0x0000) - not-present page\n[  183.638059] PGD 100000067 P4D 100000067 PUD 100258067 PMD 106341067 PTE 0\n[  183.638144] Oops: 0000 [#2] PREEMPT SMP NOPTI\n[  183.638201] CPU: 3 PID: 1790 Comm: poc Tainted: G      D           5.17.0-rc6-ci-drm-11296+ #1\n[  183.638298] Hardware name: Intel Corporation CoffeeLake Client Platform/CoffeeLake H DDR4 RVP, BIOS CNLSFWR1.R00.X208.B00.1905301319 05/30/2019\n[  183.638430] RIP: 0010:memcpy_erms+0x6/0x10\n[  183.640213] RSP: 0018:ffffc90001763d48 EFLAGS: 00010246\n[  183.641117] RAX: ffff888109c14000 RBX: ffff888111bece40 RCX: 0000000000000ffc\n[  183.642029] RDX: 0000000000001000 RSI: ffffc90000c86000 RDI: ffff888109c14004\n[  183.642946] RBP: 0000000000000ffc R08: 800000000000016b R09: 0000000000000000\n[  183.643848] R10: ffffc90000c85000 R11: 0000000000000048 R12: 0000000000001000\n[  183.644742] R13: ffff888111bed190 R14: ffff888109c14000 R15: 0000000000001000\n[  183.645653] FS:  00007fe5ef807540(0000) GS:ffff88845b380000(0000) knlGS:0000000000000000\n[  183.646570] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  183.647481] CR2: ffffc90000c86000 CR3: 000000010ff02006 CR4: 00000000003706e0\n[  183.648384] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  183.649271] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  183.650142] Call Trace:\n[  183.650988]  \u003cTASK\u003e\n[  183.651793]  vm_access+0x1f0/0x2a0 [i915]\n[  183.652726]  __access_remote_vm+0x224/0x380\n[  183.653561]  mem_rw.isra.0+0xf9/0x190\n[  183.654402]  vfs_read+0x9d/0x1b0\n[  183.655238]  ksys_read+0x63/0xe0\n[  183.656065]  do_syscall_64+0x38/0xc0\n[  183.656882]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[  183.657663] RIP: 0033:0x7fe5ef725142\n[  183.659351] RSP: 002b:00007ffe1e81c7e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[  183.660227] RAX: ffffffffffffffda RBX: 0000557055dfb780 RCX: 00007fe5ef725142\n[  183.661104] RDX: 0000000000001000 RSI: 00007ffe1e81d880 RDI: 0000000000000005\n[  183.661972] RBP: 00007ffe1e81e890 R08: 0000000000000030 R09: 0000000000000046\n[  183.662832] R10: 0000557055dfc2e0 R11: 0000000000000246 R12: 0000557055dfb1c0\n[  183.663691] R13: 00007ffe1e81e980 R14: 0000000000000000 R15: 0000000000000000\n\nChanges since v1:\n     - Updated if condition with range_overflows_t [Chris Wilson]\n\n[mauld: tidy up the commit message and add Cc: stable]\n(cherry picked from commit 661412e301e2ca86799aa4f400d1cf0bd38c57c6)",
  "id": "GHSA-qrvf-hmjq-6539",
  "modified": "2025-09-22T21:30:16Z",
  "published": "2025-09-22T21:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49261"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/312d3d4f49e12f97260bcf972c848c3562126a18"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3886a86e7e6cc6ce2ce93c440fecd8f42aed0ce7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5f6e560e3e86ac053447524224e411034f41f5c7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/89ddcc81914ab58cc203acc844f27d55ada8ec0e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8f0ebea8f6e8c474264ed97d7a64c9c09ed4f5aa"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.