CVE-2022-48732 in Linux
Summary
by MITRE • 06/20/2024
In the Linux kernel, the following vulnerability has been resolved:
drm/nouveau: fix off by one in BIOS boundary checking
Bounds checking when parsing init scripts embedded in the BIOS reject access to the last byte. This causes driver initialization to fail on Apple eMac's with GeForce 2 MX GPUs, leaving the system with no working console.
This is probably only seen on OpenFirmware machines like PowerPC Macs because the BIOS image provided by OF is only the used parts of the ROM, not a power-of-two blocks read from PCI directly so PCs always have empty bytes at the end that are never accessed.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 11/09/2024
The vulnerability identified as CVE-2022-48732 represents a critical bounds checking error within the Linux kernel's nouveau graphics driver implementation. This issue specifically affects the Direct Rendering Manager (DRM) subsystem's handling of BIOS initialization scripts on certain Apple eMac systems equipped with GeForce 2 MX graphics processors. The flaw manifests as an off-by-one error during the parsing of embedded init scripts within the BIOS, where the boundary validation logic incorrectly excludes the final byte of the BIOS image from access validation. This seemingly minor oversight has significant operational consequences for affected hardware platforms, particularly those utilizing OpenFirmware environments such as PowerPC-based Macintosh computers.
The technical root cause of this vulnerability lies in the improper implementation of memory boundary validation within the nouveau driver's BIOS parsing routine. When the driver attempts to initialize graphics hardware on affected systems, it performs checks to ensure that initialization script data does not exceed predetermined memory boundaries. However, the off-by-one error causes the validation logic to terminate one byte short of the actual end of the BIOS image, effectively preventing access to the final byte of valid initialization data. This error is particularly prevalent in OpenFirmware environments where the BIOS image provided by the firmware consists only of the utilized portions of the ROM rather than complete power-of-two blocks typically found in PC systems. In standard PC architectures, the presence of padding bytes at the end of BIOS images created through direct PCI ROM reads ensures that any access violations would not occur, as these empty bytes would never be accessed. The vulnerability falls under CWE-129, which addresses improper validation of array index or buffer bounds, and specifically demonstrates the risks associated with incorrect boundary calculations in embedded firmware parsing routines.
The operational impact of this vulnerability extends beyond simple driver initialization failures, fundamentally compromising system usability on affected Apple eMac hardware. When the nouveau driver encounters the malformed BIOS boundary checking logic, it fails to properly initialize the graphics subsystem, resulting in complete loss of console functionality for users. This leaves affected systems in an unusable state where no visual output is available for system boot, user interaction, or diagnostic purposes. The vulnerability affects only specific hardware configurations, namely PowerPC Macintosh computers running OpenFirmware, making it a platform-specific issue that would not typically impact standard PC systems. However, for users of legacy Apple hardware, this represents a critical failure that prevents normal system operation. The impact aligns with ATT&CK technique T1547.001, which involves the modification of system boot processes and driver initialization, and demonstrates how low-level kernel vulnerabilities can completely disable hardware functionality.
The resolution of CVE-2022-48732 required careful adjustment of the boundary checking logic to properly account for the complete length of the BIOS image data. The fix involved correcting the off-by-one error in the validation routine to ensure that all bytes within the BIOS initialization script are properly validated and accessible. This correction ensures that the nouveau driver can successfully parse the complete BIOS image, including the final byte, allowing proper graphics initialization on affected Apple eMac systems. The fix demonstrates the importance of thorough boundary validation in firmware parsing operations and highlights how subtle errors in memory management can have catastrophic effects on system functionality. System administrators and users of affected hardware should ensure that their Linux kernel implementations include this specific patch to restore normal graphics functionality and prevent complete system console failures on supported Apple eMac platforms with GeForce 2 MX graphics processors.