fkie_cve-2022-50221
Vulnerability from fkie_nvd
Published
2025-06-18 11:15
Modified
2025-06-18 13:47
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:

drm/fb-helper: Fix out-of-bounds access

Clip memory range to screen-buffer size to avoid out-of-bounds access in fbdev deferred I/O's damage handling.

Fbdev's deferred I/O can only track pages. From the range of pages, the damage handler computes the clipping rectangle for the display update. If the fbdev screen buffer ends near the beginning of a page, that page could contain more scanlines. The damage handler would then track these non-existing scanlines as dirty and provoke an out-of-bounds access during the screen update. Hence, clip the maximum memory range to the size of the screen buffer.

While at it, rename the variables min/max to min_off/max_off in drm_fb_helper_deferred_io(). This avoids confusion with the macros of the same name.



{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/fb-helper: Fix out-of-bounds access\n\nClip memory range to screen-buffer size to avoid out-of-bounds access\nin fbdev deferred I/O\u0027s damage handling.\n\nFbdev\u0027s deferred I/O can only track pages. From the range of pages, the\ndamage handler computes the clipping rectangle for the display update.\nIf the fbdev screen buffer ends near the beginning of a page, that page\ncould contain more scanlines. The damage handler would then track these\nnon-existing scanlines as dirty and provoke an out-of-bounds access\nduring the screen update. Hence, clip the maximum memory range to the\nsize of the screen buffer.\n\nWhile at it, rename the variables min/max to min_off/max_off in\ndrm_fb_helper_deferred_io(). This avoids confusion with the macros of\nthe same name."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/fb-helper: Arregla el acceso fuera de los l\u00edmites Recorta el rango de memoria al tama\u00f1o del b\u00fafer de pantalla para evitar el acceso fuera de los l\u00edmites en el manejo de da\u00f1os de E/S diferidas de fbdev. La E/S diferida de fbdev solo puede rastrear p\u00e1ginas. A partir del rango de p\u00e1ginas, el controlador de da\u00f1os calcula el rect\u00e1ngulo de recorte para la actualizaci\u00f3n de la pantalla. Si el b\u00fafer de pantalla de fbdev termina cerca del principio de una p\u00e1gina, esa p\u00e1gina podr\u00eda contener m\u00e1s l\u00edneas de exploraci\u00f3n. El controlador de da\u00f1os rastrear\u00eda entonces estas l\u00edneas de exploraci\u00f3n inexistentes como sucias y provocar\u00eda un acceso fuera de los l\u00edmites durante la actualizaci\u00f3n de la pantalla. Por lo tanto, recorta el rango m\u00e1ximo de memoria al tama\u00f1o del b\u00fafer de pantalla. Mientras lo haces, cambia el nombre de las variables min/max a min_off/max_off en drm_fb_helper_deferred_io(). Esto evita confusiones con las macros del mismo nombre."
    }
  ],
  "id": "CVE-2022-50221",
  "lastModified": "2025-06-18T13:47:40.833",
  "metrics": {},
  "published": "2025-06-18T11:15:53.090",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/9c49ac792c639dbec0728b513329a32461f72253"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/ae25885bdf59fde40726863c57fd20e4a0642183"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}

