CVE-2022-49963
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-49963
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49963.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-49963
- Downstream
- Related
- Published
- 2025-06-18T11:00:24Z
- Modified
- 2025-10-21T11:28:46.554437Z
- Summary
- drm/i915/ttm: fix CCS handling
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
drm/i915/ttm: fix CCS handling
Crucible + recent Mesa seems to sometimes hit:
GEMBUGON(numccsblks > NUMCCSBLKSPERXFER)
And it looks like we can also trigger this with gemlmemswapping, if we modify the test to use slightly larger object sizes.
Looking closer it looks like we have the following issues in migrate_copy():
We are using plain integer in various places, which we can easily overflow with a large object.
We pass the entire object size (when the src is lmem) into emitpte() and then try to copy it, which doesn't work, since we only have a few fixed sized windows in which to map the pages and perform the copy. With an object > 8M we therefore aren't properly copying the pages. And then with an object > 64M we trigger the GEMBUGON(numccsblks > NUMCCSBLKSPER_XFER).
So it looks like our copy handling for any object > 8M (which is our CHUNK_SZ) is currently broken on DG2.
Testcase: igt@gemlmemswapping (cherry picked from commit 8676145eb2f53a9940ff70910caf0125bd8a4bc2)
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedda0595ae91da837929a00470ab40546090e5b9aeFixed97434cb55bd884bd268626ec41489f79b261b2d4
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedda0595ae91da837929a00470ab40546090e5b9aeFixed8d905254162965c8e6be697d82c7dbf5d08f574d
Affected versions
v5.*
v5.18
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.19.1
v5.19.2
v5.19.3
v5.19.4
v5.19.5
v5.19.6
v5.19.7
v6.*
v6.0-rc1
v6.0-rc2
Database specific
vanir_signatures
[
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@97434cb55bd884bd268626ec41489f79b261b2d4",
"id": "CVE-2022-49963-03550ebf",
"deprecated": false,
"target": {
"function": "intel_context_migrate_copy",
"file": "drivers/gpu/drm/i915/gt/intel_migrate.c"
},
"signature_version": "v1",
"digest": {
"length": 3438.0,
"function_hash": "168978494000133682396264691324267541963"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@97434cb55bd884bd268626ec41489f79b261b2d4",
"id": "CVE-2022-49963-4b0ea4fb",
"deprecated": false,
"target": {
"file": "drivers/gpu/drm/i915/gt/intel_migrate.c"
},
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"254969981997025168273607662840933668544",
"212965377769637954583958938808905974843",
"216244811504031688702092657284840512841",
"308118165301300287577274373314949369648",
"277141319872363041703011236085045483988",
"50122048683798198783043724754914787349",
"265690887981070295458398249871054407419",
"139871864525289379354931970864492735659",
"195040530211439980846958101736208993990",
"110121074595876938037070718790607348789",
"339927243114492485845072180581060273800",
"140020170029874550951842631866381696424",
"130689775645031695927752981027843504969",
"77222264389463687103520301417235055140",
"94581025484668377090887690142041339071",
"292127902775831277019885696371380211168",
"195844462084047246960762549150767185916",
"114554527773760604155752108004727692130",
"75917601202189246340415838404478029",
"166881427240722743824315500821169152529",
"66874767794196125266664476186801818585",
"233146014808151201615285036387316812560",
"335026635414990221916583931973468587180",
"171895891281977855213222028725759874293",
"276417554501024874080659704748038582421",
"275471110100085377008267804654279554703",
"121971742231923432888521190917848852161",
"277104083898658806356232504263231842627",
"267086752860244597465496812798647856031",
"293534632593794498448074556818718875475",
"248131059349643382638293730679963186940",
"286941540485391949532384290134634528138",
"180936008772917411975743478762053054709",
"79339431738730339345535181673662145972",
"27296480226082070462172399280738983990",
"332660442243868257636248802901584421824",
"211272513893479228188398058592543822391"
]
},
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8d905254162965c8e6be697d82c7dbf5d08f574d",
"id": "CVE-2022-49963-5d87677c",
"deprecated": false,
"target": {
"function": "intel_context_migrate_copy",
"file": "drivers/gpu/drm/i915/gt/intel_migrate.c"
},
"signature_version": "v1",
"digest": {
"length": 3438.0,
"function_hash": "168978494000133682396264691324267541963"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8d905254162965c8e6be697d82c7dbf5d08f574d",
"id": "CVE-2022-49963-74101033",
"deprecated": false,
"target": {
"file": "drivers/gpu/drm/i915/gt/intel_migrate.c"
},
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"254969981997025168273607662840933668544",
"212965377769637954583958938808905974843",
"216244811504031688702092657284840512841",
"308118165301300287577274373314949369648",
"277141319872363041703011236085045483988",
"50122048683798198783043724754914787349",
"265690887981070295458398249871054407419",
"139871864525289379354931970864492735659",
"195040530211439980846958101736208993990",
"110121074595876938037070718790607348789",
"339927243114492485845072180581060273800",
"140020170029874550951842631866381696424",
"130689775645031695927752981027843504969",
"77222264389463687103520301417235055140",
"94581025484668377090887690142041339071",
"292127902775831277019885696371380211168",
"195844462084047246960762549150767185916",
"114554527773760604155752108004727692130",
"75917601202189246340415838404478029",
"166881427240722743824315500821169152529",
"66874767794196125266664476186801818585",
"233146014808151201615285036387316812560",
"335026635414990221916583931973468587180",
"171895891281977855213222028725759874293",
"276417554501024874080659704748038582421",
"275471110100085377008267804654279554703",
"121971742231923432888521190917848852161",
"277104083898658806356232504263231842627",
"267086752860244597465496812798647856031",
"293534632593794498448074556818718875475",
"248131059349643382638293730679963186940",
"286941540485391949532384290134634528138",
"180936008772917411975743478762053054709",
"79339431738730339345535181673662145972",
"27296480226082070462172399280738983990",
"332660442243868257636248802901584421824",
"211272513893479228188398058592543822391"
]
},
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8d905254162965c8e6be697d82c7dbf5d08f574d",
"id": "CVE-2022-49963-cae03649",
"deprecated": false,
"target": {
"function": "calculate_chunk_sz",
"file": "drivers/gpu/drm/i915/gt/intel_migrate.c"
},
"signature_version": "v1",
"digest": {
"length": 213.0,
"function_hash": "244667837910224657290143035638704928760"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@97434cb55bd884bd268626ec41489f79b261b2d4",
"id": "CVE-2022-49963-d0847478",
"deprecated": false,
"target": {
"function": "calculate_chunk_sz",
"file": "drivers/gpu/drm/i915/gt/intel_migrate.c"
},
"signature_version": "v1",
"digest": {
"length": 213.0,
"function_hash": "244667837910224657290143035638704928760"
},
"signature_type": "Function"
}
]