2025-03-09 03:03:50 +00:00

41 lines
7.0 KiB
JSON

{
"id": "CVE-2022-49261",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2025-02-26T07:01:03.057",
"lastModified": "2025-02-26T07:01:03.057",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gem: add missing boundary check in vm_access\n\nA missing bounds check in vm_access() can lead to an out-of-bounds read\nor write in the adjacent memory area, since the len attribute is not\nvalidated before the memcpy later in the function, potentially hitting:\n\n[ 183.637831] BUG: unable to handle page fault for address: ffffc90000c86000\n[ 183.637934] #PF: supervisor read access in kernel mode\n[ 183.637997] #PF: error_code(0x0000) - not-present page\n[ 183.638059] PGD 100000067 P4D 100000067 PUD 100258067 PMD 106341067 PTE 0\n[ 183.638144] Oops: 0000 [#2] PREEMPT SMP NOPTI\n[ 183.638201] CPU: 3 PID: 1790 Comm: poc Tainted: G D 5.17.0-rc6-ci-drm-11296+ #1\n[ 183.638298] Hardware name: Intel Corporation CoffeeLake Client Platform/CoffeeLake H DDR4 RVP, BIOS CNLSFWR1.R00.X208.B00.1905301319 05/30/2019\n[ 183.638430] RIP: 0010:memcpy_erms+0x6/0x10\n[ 183.640213] RSP: 0018:ffffc90001763d48 EFLAGS: 00010246\n[ 183.641117] RAX: ffff888109c14000 RBX: ffff888111bece40 RCX: 0000000000000ffc\n[ 183.642029] RDX: 0000000000001000 RSI: ffffc90000c86000 RDI: ffff888109c14004\n[ 183.642946] RBP: 0000000000000ffc R08: 800000000000016b R09: 0000000000000000\n[ 183.643848] R10: ffffc90000c85000 R11: 0000000000000048 R12: 0000000000001000\n[ 183.644742] R13: ffff888111bed190 R14: ffff888109c14000 R15: 0000000000001000\n[ 183.645653] FS: 00007fe5ef807540(0000) GS:ffff88845b380000(0000) knlGS:0000000000000000\n[ 183.646570] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 183.647481] CR2: ffffc90000c86000 CR3: 000000010ff02006 CR4: 00000000003706e0\n[ 183.648384] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 183.649271] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 183.650142] Call Trace:\n[ 183.650988] <TASK>\n[ 183.651793] vm_access+0x1f0/0x2a0 [i915]\n[ 183.652726] __access_remote_vm+0x224/0x380\n[ 183.653561] mem_rw.isra.0+0xf9/0x190\n[ 183.654402] vfs_read+0x9d/0x1b0\n[ 183.655238] ksys_read+0x63/0xe0\n[ 183.656065] do_syscall_64+0x38/0xc0\n[ 183.656882] entry_SYSCALL_64_after_hwframe+0x44/0xae\n[ 183.657663] RIP: 0033:0x7fe5ef725142\n[ 183.659351] RSP: 002b:00007ffe1e81c7e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[ 183.660227] RAX: ffffffffffffffda RBX: 0000557055dfb780 RCX: 00007fe5ef725142\n[ 183.661104] RDX: 0000000000001000 RSI: 00007ffe1e81d880 RDI: 0000000000000005\n[ 183.661972] RBP: 00007ffe1e81e890 R08: 0000000000000030 R09: 0000000000000046\n[ 183.662832] R10: 0000557055dfc2e0 R11: 0000000000000246 R12: 0000557055dfb1c0\n[ 183.663691] R13: 00007ffe1e81e980 R14: 0000000000000000 R15: 0000000000000000\n\nChanges since v1:\n - Updated if condition with range_overflows_t [Chris Wilson]\n\n[mauld: tidy up the commit message and add Cc: stable]\n(cherry picked from commit 661412e301e2ca86799aa4f400d1cf0bd38c57c6)"
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: drm/i915/gem: agregar comprobaci\u00f3n de los l\u00edmites faltante en vm_access Una comprobaci\u00f3n de los l\u00edmites faltante en vm_access() puede provocar una lectura o escritura fuera de los l\u00edmites en el \u00e1rea de memoria adyacente, ya que el atributo len no se valida antes de memcpy m\u00e1s adelante en la funci\u00f3n, lo que potencialmente afecta a: [ 183.637831] ERROR: no se puede manejar la falla de p\u00e1gina para la direcci\u00f3n: ffffc90000c86000 [ 183.637934] #PF: acceso de lectura de supervisor en modo kernel [ 183.637997] #PF: error_code(0x0000) - p\u00e1gina no presente [ 183.638059] PGD 100000067 P4D 100000067 PUD 100258067 PMD 106341067 PTE 0 [ 183.638144] Oops: 0000 [#2] PREEMPT SMP NOPTI [ 183.638201] CPU: 3 PID: 1790 Comm: poc Contaminado: GD 5.17.0-rc6-ci-drm-11296+ #1 [ 183.638298] Nombre del hardware: Intel Corporation CoffeeLake Client Platform/CoffeeLake H DDR4 RVP, BIOS CNLSFWR1.R00.X208.B00.1905301319 30/05/2019 [ 183.638430] RIP: 0010:memcpy_erms+0x6/0x10 [ 183.640213] RSP: 0018:ffffc90001763d48 EFLAGS: 00010246 [ 183.641117] RAX: ffff888109c14000 RBX: ffff888111bece40 RCX: 0000000000000ffc [ 183.642029] RDX: 0000000000001000 RSI: ffffc90000c86000 RDI: ffff888109c14004 [ 183.642946] RBP: 0000000000000ffc R08: 800000000000016b R09: 0000000000000000 [ 183.643848] R10: ffffc90000c85000 R11: 0000000000000048 R12: 00000000000001000 [ 183.644742] R13: ffff888111bed190 R14: ffff888109c14000 R15: 0000000000001000 [ 183.645653] FS: 00007fe5ef807540(0000) GS:ffff88845b380000(0000) knlGS:0000000000000000 [ 183.646570] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 183.647481] CR2: ffffc90000c86000 CR3: 000000010ff02006 CR4: 00000000003706e0 [ 183.648384] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 000000000000000 [ 183.649271] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 183.650142] Seguimiento de llamadas: [ 183.650988] [ 183.651793] vm_access+0x1f0/0x2a0 [i915] [ 183.652726] __access_remote_vm+0x224/0x380 [ 183.653561] mem_rw.isra.0+0xf9/0x190 [ 183.654402] vfs_read+0x9d/0x1b0 [ 183.655238] ksys_read+0x63/0xe0 [ 183.656065] do_syscall_64+0x38/0xc0 [ 183.656882] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 183.657663] RIP: 0033:0x7fe5ef725142 [ 183.659351] RSP: 002b:00007ffe1e81c7e8 EFLAGS: 00000246 ORIG_RAX: 000000000000000 [ 183.660227] RAX: ffffffffffffffda RBX: 0000557055dfb780 RCX: 00007fe5ef725142 [ 183.661104] RDX: 0000000000001000 RSI: 00007ffe1e81d880 RDI: 000000000000005 [ 183.661972] RBP: 00007ffe1e81e890 R08: 0000000000000030 R09: 0000000000000046 [ 183.662832] R10: 0000557055dfc2e0 R11: 0000000000000246 R12: 0000557055dfb1c0 [ 183.663691] R13: 00007ffe1e81e980 R14: 000000000000000 R15: 000000000000000 Cambios desde v1: - Condici\u00f3n if actualizada con range_overflows_t [Chris Wilson] [mauld: ordena el mensaje de confirmaci\u00f3n y agrega Cc: estable] (seleccionado de el commit 661412e301e2ca86799aa4f400d1cf0bd38c57c6)"
}
],
"metrics": {},
"references": [
{
"url": "https://git.kernel.org/stable/c/312d3d4f49e12f97260bcf972c848c3562126a18",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/3886a86e7e6cc6ce2ce93c440fecd8f42aed0ce7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/5f6e560e3e86ac053447524224e411034f41f5c7",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/89ddcc81914ab58cc203acc844f27d55ada8ec0e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/8f0ebea8f6e8c474264ed97d7a64c9c09ed4f5aa",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
]
}