{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2022-49261","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-02-26T01:49:39.296Z","datePublished":"2025-02-26T01:56:13.077Z","dateUpdated":"2025-05-04T08:33:36.170Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T08:33:36.170Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gem: add missing boundary check in vm_access\n\nA missing bounds check in vm_access() can lead to an out-of-bounds read\nor write in the adjacent memory area, since the len attribute is not\nvalidated before the memcpy later in the function, potentially hitting:\n\n[  183.637831] BUG: unable to handle page fault for address: ffffc90000c86000\n[  183.637934] #PF: supervisor read access in kernel mode\n[  183.637997] #PF: error_code(0x0000) - not-present page\n[  183.638059] PGD 100000067 P4D 100000067 PUD 100258067 PMD 106341067 PTE 0\n[  183.638144] Oops: 0000 [#2] PREEMPT SMP NOPTI\n[  183.638201] CPU: 3 PID: 1790 Comm: poc Tainted: G      D           5.17.0-rc6-ci-drm-11296+ #1\n[  183.638298] Hardware name: Intel Corporation CoffeeLake Client Platform/CoffeeLake H DDR4 RVP, BIOS CNLSFWR1.R00.X208.B00.1905301319 05/30/2019\n[  183.638430] RIP: 0010:memcpy_erms+0x6/0x10\n[  183.640213] RSP: 0018:ffffc90001763d48 EFLAGS: 00010246\n[  183.641117] RAX: ffff888109c14000 RBX: ffff888111bece40 RCX: 0000000000000ffc\n[  183.642029] RDX: 0000000000001000 RSI: ffffc90000c86000 RDI: ffff888109c14004\n[  183.642946] RBP: 0000000000000ffc R08: 800000000000016b R09: 0000000000000000\n[  183.643848] R10: ffffc90000c85000 R11: 0000000000000048 R12: 0000000000001000\n[  183.644742] R13: ffff888111bed190 R14: ffff888109c14000 R15: 0000000000001000\n[  183.645653] FS:  00007fe5ef807540(0000) GS:ffff88845b380000(0000) knlGS:0000000000000000\n[  183.646570] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  183.647481] CR2: ffffc90000c86000 CR3: 000000010ff02006 CR4: 00000000003706e0\n[  183.648384] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  183.649271] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  183.650142] Call Trace:\n[  183.650988]  <TASK>\n[  183.651793]  vm_access+0x1f0/0x2a0 [i915]\n[  183.652726]  __access_remote_vm+0x224/0x380\n[  183.653561]  mem_rw.isra.0+0xf9/0x190\n[  183.654402]  vfs_read+0x9d/0x1b0\n[  183.655238]  ksys_read+0x63/0xe0\n[  183.656065]  do_syscall_64+0x38/0xc0\n[  183.656882]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[  183.657663] RIP: 0033:0x7fe5ef725142\n[  183.659351] RSP: 002b:00007ffe1e81c7e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[  183.660227] RAX: ffffffffffffffda RBX: 0000557055dfb780 RCX: 00007fe5ef725142\n[  183.661104] RDX: 0000000000001000 RSI: 00007ffe1e81d880 RDI: 0000000000000005\n[  183.661972] RBP: 00007ffe1e81e890 R08: 0000000000000030 R09: 0000000000000046\n[  183.662832] R10: 0000557055dfc2e0 R11: 0000000000000246 R12: 0000557055dfb1c0\n[  183.663691] R13: 00007ffe1e81e980 R14: 0000000000000000 R15: 0000000000000000\n\nChanges since v1:\n     - Updated if condition with range_overflows_t [Chris Wilson]\n\n[mauld: tidy up the commit message and add Cc: stable]\n(cherry picked from commit 661412e301e2ca86799aa4f400d1cf0bd38c57c6)"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/gpu/drm/i915/gem/i915_gem_mman.c"],"versions":[{"version":"9f909e215fea0652023b9ed09d3d7bfe10386423","lessThan":"89ddcc81914ab58cc203acc844f27d55ada8ec0e","status":"affected","versionType":"git"},{"version":"9f909e215fea0652023b9ed09d3d7bfe10386423","lessThan":"312d3d4f49e12f97260bcf972c848c3562126a18","status":"affected","versionType":"git"},{"version":"9f909e215fea0652023b9ed09d3d7bfe10386423","lessThan":"5f6e560e3e86ac053447524224e411034f41f5c7","status":"affected","versionType":"git"},{"version":"9f909e215fea0652023b9ed09d3d7bfe10386423","lessThan":"8f0ebea8f6e8c474264ed97d7a64c9c09ed4f5aa","status":"affected","versionType":"git"},{"version":"9f909e215fea0652023b9ed09d3d7bfe10386423","lessThan":"3886a86e7e6cc6ce2ce93c440fecd8f42aed0ce7","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/gpu/drm/i915/gem/i915_gem_mman.c"],"versions":[{"version":"5.8","status":"affected"},{"version":"0","lessThan":"5.8","status":"unaffected","versionType":"semver"},{"version":"5.10.110","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.33","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.16.19","lessThanOrEqual":"5.16.*","status":"unaffected","versionType":"semver"},{"version":"5.17.2","lessThanOrEqual":"5.17.*","status":"unaffected","versionType":"semver"},{"version":"5.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"5.10.110"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"5.15.33"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"5.16.19"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"5.17.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.8","versionEndExcluding":"5.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/89ddcc81914ab58cc203acc844f27d55ada8ec0e"},{"url":"https://git.kernel.org/stable/c/312d3d4f49e12f97260bcf972c848c3562126a18"},{"url":"https://git.kernel.org/stable/c/5f6e560e3e86ac053447524224e411034f41f5c7"},{"url":"https://git.kernel.org/stable/c/8f0ebea8f6e8c474264ed97d7a64c9c09ed4f5aa"},{"url":"https://git.kernel.org/stable/c/3886a86e7e6cc6ce2ce93c440fecd8f42aed0ce7"}],"title":"drm/i915/gem: add missing boundary check in vm_access","x_generator":{"engine":"bippy-1.2.0"}}}}