CVE-2022-49261

A missing bounds check in vm_access() can lead to an out-of-bounds read or write in the adjacent memory area, since the len attribute is not validated before the memcpy later in the function, potentially hitting:

[ 183.637831] BUG: unable to handle page fault for address: ffffc90000c86000 [ 183.637934] #PF: supervisor read access in kernel mode [ 183.637997] #PF: errorcode(0x0000) - not-present page [ 183.638059] PGD 100000067 P4D 100000067 PUD 100258067 PMD 106341067 PTE 0 [ 183.638144] Oops: 0000 [#2] PREEMPT SMP NOPTI [ 183.638201] CPU: 3 PID: 1790 Comm: poc Tainted: G D 5.17.0-rc6-ci-drm-11296+ #1 [ 183.638298] Hardware name: Intel Corporation CoffeeLake Client Platform/CoffeeLake H DDR4 RVP, BIOS CNLSFWR1.R00.X208.B00.1905301319 05/30/2019 [ 183.638430] RIP: 0010:memcpyerms+0x6/0x10 [ 183.640213] RSP: 0018:ffffc90001763d48 EFLAGS: 00010246 [ 183.641117] RAX: ffff888109c14000 RBX: ffff888111bece40 RCX: 0000000000000ffc [ 183.642029] RDX: 0000000000001000 RSI: ffffc90000c86000 RDI: ffff888109c14004 [ 183.642946] RBP: 0000000000000ffc R08: 800000000000016b R09: 0000000000000000 [ 183.643848] R10: ffffc90000c85000 R11: 0000000000000048 R12: 0000000000001000 [ 183.644742] R13: ffff888111bed190 R14: ffff888109c14000 R15: 0000000000001000 [ 183.645653] FS: 00007fe5ef807540(0000) GS:ffff88845b380000(0000) knlGS:0000000000000000 [ 183.646570] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 183.647481] CR2: ffffc90000c86000 CR3: 000000010ff02006 CR4: 00000000003706e0 [ 183.648384] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 183.649271] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 183.650142] Call Trace: [ 183.650988] <TASK> [ 183.651793] vmaccess+0x1f0/0x2a0 [i915] [ 183.652726] _accessremotevm+0x224/0x380 [ 183.653561] memrw.isra.0+0xf9/0x190 [ 183.654402] vfsread+0x9d/0x1b0 [ 183.655238] ksysread+0x63/0xe0 [ 183.656065] dosyscall64+0x38/0xc0 [ 183.656882] entrySYSCALL64afterhwframe+0x44/0xae [ 183.657663] RIP: 0033:0x7fe5ef725142 [ 183.659351] RSP: 002b:00007ffe1e81c7e8 EFLAGS: 00000246 ORIGRAX: 0000000000000000 [ 183.660227] RAX: ffffffffffffffda RBX: 0000557055dfb780 RCX: 00007fe5ef725142 [ 183.661104] RDX: 0000000000001000 RSI: 00007ffe1e81d880 RDI: 0000000000000005 [ 183.661972] RBP: 00007ffe1e81e890 R08: 0000000000000030 R09: 0000000000000046 [ 183.662832] R10: 0000557055dfc2e0 R11: 0000000000000246 R12: 0000557055dfb1c0 [ 183.663691] R13: 00007ffe1e81e980 R14: 0000000000000000 R15: 0000000000000000

Changes since v1: - Updated if condition with rangeoverflowst [Chris Wilson]

[mauld: tidy up the commit message and add Cc: stable] (cherry picked from commit 661412e301e2ca86799aa4f400d1cf0bd38c57c6)

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

9f909e215fea0652023b9ed09d3d7bfe10386423

Fixed

89ddcc81914ab58cc203acc844f27d55ada8ec0e

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

9f909e215fea0652023b9ed09d3d7bfe10386423

Fixed

312d3d4f49e12f97260bcf972c848c3562126a18

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

9f909e215fea0652023b9ed09d3d7bfe10386423

Fixed

5f6e560e3e86ac053447524224e411034f41f5c7

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

9f909e215fea0652023b9ed09d3d7bfe10386423

Fixed

8f0ebea8f6e8c474264ed97d7a64c9c09ed4f5aa

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

9f909e215fea0652023b9ed09d3d7bfe10386423

Fixed

3886a86e7e6cc6ce2ce93c440fecd8f42aed0ce7

Affected versions

v5.*

v5.10

v5.10-rc1

v5.10-rc2

v5.10-rc3

v5.10-rc4

v5.10-rc5

v5.10-rc6

v5.10-rc7

v5.10.1

v5.10.10

v5.10.100

v5.10.101

v5.10.102

v5.10.103

v5.10.104

v5.10.105

v5.10.106

v5.10.107

v5.10.108

v5.10.109

v5.10.11

v5.10.12

v5.10.13

v5.10.14

v5.10.15

v5.10.16

v5.10.17

v5.10.18

v5.10.19

v5.10.2

v5.10.20

v5.10.21

v5.10.22

v5.10.23

v5.10.24

v5.10.25

v5.10.26

v5.10.27

v5.10.28

v5.10.29

v5.10.3

v5.10.30

v5.10.31

v5.10.32

v5.10.33

v5.10.34

v5.10.35

v5.10.36

v5.10.37

v5.10.38

v5.10.39

v5.10.4

v5.10.40

v5.10.41

v5.10.42

v5.10.43

v5.10.44

v5.10.45

v5.10.46

v5.10.47

v5.10.48

v5.10.49

v5.10.5

v5.10.50

v5.10.51

v5.10.52

v5.10.53

v5.10.54

v5.10.55

v5.10.56

v5.10.57

v5.10.58

v5.10.59

v5.10.6

v5.10.60

v5.10.61

v5.10.62

v5.10.63

v5.10.64

v5.10.65

v5.10.66

v5.10.67

v5.10.68

v5.10.69

v5.10.7

v5.10.70

v5.10.71

v5.10.72

v5.10.73

v5.10.74

v5.10.75

v5.10.76

v5.10.77

v5.10.78

v5.10.79

v5.10.8

v5.10.80

v5.10.81

v5.10.82

v5.10.83

v5.10.84

v5.10.85

v5.10.86

v5.10.87

v5.10.88

v5.10.89

v5.10.9

v5.10.90

v5.10.91

v5.10.92

v5.10.93

v5.10.94

v5.10.95

v5.10.96

v5.10.97

v5.10.98

v5.10.99

v5.11

v5.11-rc1

v5.11-rc2

v5.11-rc3

v5.11-rc4

v5.11-rc5

v5.11-rc6

v5.11-rc7

v5.12

v5.12-rc1

v5.12-rc1-dontuse

v5.12-rc2

v5.12-rc3

v5.12-rc4

v5.12-rc5

v5.12-rc6

v5.12-rc7

v5.12-rc8

v5.13

v5.13-rc1

v5.13-rc2

v5.13-rc3

v5.13-rc4

v5.13-rc5

v5.13-rc6

v5.13-rc7

v5.14

v5.14-rc1

v5.14-rc2

v5.14-rc3

v5.14-rc4

v5.14-rc5

v5.14-rc6

v5.14-rc7

v5.15

v5.15-rc1

v5.15-rc2

v5.15-rc3

v5.15-rc4

v5.15-rc5

v5.15-rc6

v5.15-rc7

v5.15.1

v5.15.10

v5.15.11

v5.15.12

v5.15.13

v5.15.14

v5.15.15

v5.15.16

v5.15.17

v5.15.18

v5.15.19

v5.15.2

v5.15.20

v5.15.21

v5.15.22

v5.15.23

v5.15.24

v5.15.25

v5.15.26

v5.15.27

v5.15.28

v5.15.29

v5.15.3

v5.15.30

v5.15.31

v5.15.32

v5.15.4

v5.15.5

v5.15.6

v5.15.7

v5.15.8

v5.15.9

v5.16

v5.16-rc1

v5.16-rc2

v5.16-rc3

v5.16-rc4

v5.16-rc5

v5.16-rc6

v5.16-rc7

v5.16-rc8

v5.16.1

v5.16.10

v5.16.11

v5.16.12

v5.16.13

v5.16.14

v5.16.15

v5.16.16

v5.16.17

v5.16.18

v5.16.2

v5.16.3

v5.16.4

v5.16.5

v5.16.6

v5.16.7

v5.16.8

v5.16.9

v5.17

v5.17-rc1

v5.17-rc2

v5.17-rc3

v5.17-rc4

v5.17-rc5

v5.17-rc6

v5.17-rc7

v5.17-rc8

v5.17.1

v5.7

v5.7-rc2

v5.7-rc3

v5.7-rc4

v5.7-rc5

v5.7-rc6

v5.7-rc7

v5.8

v5.8-rc1

v5.8-rc2

v5.8-rc3

v5.8-rc4

v5.8-rc5

v5.8-rc6

v5.8-rc7

v5.9

v5.9-rc1

v5.9-rc2

v5.9-rc3

v5.9-rc4

v5.9-rc5

v5.9-rc6

v5.9-rc7

v5.9-rc8

Database specific

vanir_signatures

[
    {
        "id": "CVE-2022-49261-1834b9de",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "length": 866.0,
            "function_hash": "161269037402564412559990180842755843559"
        },
        "target": {
            "function": "vm_access",
            "file": "drivers/gpu/drm/i915/gem/i915_gem_mman.c"
        },
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5f6e560e3e86ac053447524224e411034f41f5c7"
    },
    {
        "id": "CVE-2022-49261-25de5e7d",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "length": 866.0,
            "function_hash": "161269037402564412559990180842755843559"
        },
        "target": {
            "function": "vm_access",
            "file": "drivers/gpu/drm/i915/gem/i915_gem_mman.c"
        },
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3886a86e7e6cc6ce2ce93c440fecd8f42aed0ce7"
    },
    {
        "id": "CVE-2022-49261-4790c6b2",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "length": 866.0,
            "function_hash": "161269037402564412559990180842755843559"
        },
        "target": {
            "function": "vm_access",
            "file": "drivers/gpu/drm/i915/gem/i915_gem_mman.c"
        },
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@312d3d4f49e12f97260bcf972c848c3562126a18"
    },
    {
        "id": "CVE-2022-49261-64ced99d",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "15695926923394844187633329733336119555",
                "301252687989921858444936638551073484413",
                "316842941097097332974185206757355376017",
                "36552275211471762302593420040817133070"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "drivers/gpu/drm/i915/gem/i915_gem_mman.c"
        },
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3886a86e7e6cc6ce2ce93c440fecd8f42aed0ce7"
    },
    {
        "id": "CVE-2022-49261-80e1bc45",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "15695926923394844187633329733336119555",
                "301252687989921858444936638551073484413",
                "316842941097097332974185206757355376017",
                "36552275211471762302593420040817133070"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "drivers/gpu/drm/i915/gem/i915_gem_mman.c"
        },
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5f6e560e3e86ac053447524224e411034f41f5c7"
    },
    {
        "id": "CVE-2022-49261-8ce12db7",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "length": 866.0,
            "function_hash": "161269037402564412559990180842755843559"
        },
        "target": {
            "function": "vm_access",
            "file": "drivers/gpu/drm/i915/gem/i915_gem_mman.c"
        },
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8f0ebea8f6e8c474264ed97d7a64c9c09ed4f5aa"
    },
    {
        "id": "CVE-2022-49261-97b79dd6",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "15695926923394844187633329733336119555",
                "301252687989921858444936638551073484413",
                "316842941097097332974185206757355376017",
                "36552275211471762302593420040817133070"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "drivers/gpu/drm/i915/gem/i915_gem_mman.c"
        },
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@312d3d4f49e12f97260bcf972c848c3562126a18"
    },
    {
        "id": "CVE-2022-49261-b3354c05",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "length": 601.0,
            "function_hash": "272136544272247646652518001366109480157"
        },
        "target": {
            "function": "vm_access",
            "file": "drivers/gpu/drm/i915/gem/i915_gem_mman.c"
        },
        "signature_type": "Function",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@89ddcc81914ab58cc203acc844f27d55ada8ec0e"
    },
    {
        "id": "CVE-2022-49261-c8203354",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "15695926923394844187633329733336119555",
                "301252687989921858444936638551073484413",
                "316842941097097332974185206757355376017",
                "36552275211471762302593420040817133070"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "drivers/gpu/drm/i915/gem/i915_gem_mman.c"
        },
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8f0ebea8f6e8c474264ed97d7a64c9c09ed4f5aa"
    },
    {
        "id": "CVE-2022-49261-eee8f30b",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "15695926923394844187633329733336119555",
                "301252687989921858444936638551073484413",
                "285544232282928154771822427665497009233",
                "84447417140393443835446980595050247913"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "drivers/gpu/drm/i915/gem/i915_gem_mman.c"
        },
        "signature_type": "Line",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@89ddcc81914ab58cc203acc844f27d55ada8ec0e"
    }
]

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.8.0

Fixed

5.10.110

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

5.15.33

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

5.16.19

Type: ECOSYSTEM
Events: Introduced

5.17.0

Fixed

5.17.2