CVE-2022-49221 in Linux

Summary

by MITRE • 02/26/2025

In the Linux kernel, the following vulnerability has been resolved:

drm/msm/dp: populate connector of struct dp_panel

DP CTS test case 4.2.2.6 has a valid edid with a bad checksum on purpose and expects the DP source to return the correct checksum. During the drm edid read, the correct edid checksum is calculated and stored at connector::real_edid_checksum.

The problem is that struct dp_panel::connector is never assigned; instead the connector is stored in struct msm_dp::connector. When we run compliance testing test case 4.2.2.6, dp_panel_handle_sink_request() won't have a valid edid set in struct dp_panel::edid, so we'll try to use the connector's real_edid_checksum and hit a NULL pointer dereference error because the connector pointer is never assigned.

Changes in V2: -- populate panel connector at msm_dp_modeset_init() instead of at dp_panel_read_sink_caps()

Changes in V3: -- remove unhelpful kernel crash trace commit text -- remove renaming dp_display parameter to dp

Changes in V4: -- add more details to commit text

Changes in v10: -- group into one series

Changes in v11: -- drop drm/msm/dp: dp_link_parse_sink_count() return immediately if aux read

Signed-off-by: Kuogee Hsieh


Analysis

by VulDB Data Team • 03/19/2025

CVE-2022-49221 affects the Linux kernel's display subsystem, specifically the drm/msm/dp DisplayPort driver used on Qualcomm MSM SoCs. The issue surfaces during DisplayPort compliance testing: CTS test case 4.2.2.6 deliberately presents a valid EDID with an incorrect checksum and expects the DP source to report the checksum it computed for that block. During the drm EDID read the kernel does compute the correct checksum and stores it in the connector's real_edid_checksum field, but the dp_panel structure never receives a pointer to that connector, so the value is unreachable from the code that needs it. The root cause is a missing pointer assignment, not a configuration error.

The technical flaw is that struct dp_panel::connector is never assigned during initialization; the only copy of the connector pointer lives in struct msm_dp::connector. This matters once dp_panel_handle_sink_request() runs under the test case: because the EDID block failed its checksum, dp_panel::edid holds no valid EDID, and the function falls back to reading real_edid_checksum through dp_panel::connector. That pointer is still NULL, so the fallback dereferences it and the kernel oopses. With a valid EDID the fallback is never taken, which is why the defect went unnoticed outside compliance testing. It is a plain initialization bug: a fallback path depends on an object reference that nothing ever established.

The operational impact is a kernel NULL pointer dereference, i.e. a crash of the affected device, on systems that use the msm DisplayPort driver: phones, tablets and embedded boards built around the MSM SoC family. The crash is reached when an attached sink presents an EDID whose checksum does not validate and the driver then services the sink request that triggers the checksum fallback, which is exactly what CTS test case 4.2.2.6 does; ordinary display enumeration with a valid EDID does not take that path. Because the trigger comes from the physically attached sink rather than from a network peer, the exposed surface is whatever can be plugged into the DisplayPort interface. The bug is a reminder that in kernel drivers an object reference must be established before any code path, including rarely exercised fallbacks, can rely on it, since a bad pointer there terminates the whole system rather than one process.

The fix assigns the connector to dp_panel during msm_dp_modeset_init(), alongside msm_dp::connector, rather than deferring it to dp_panel_read_sink_caps(); the panel therefore holds a valid connector pointer before any EDID read or sink request can happen. The series went through several revisions: v2 moved the assignment to msm_dp_modeset_init(), v3 removed the kernel crash trace from the commit text and dropped an unrelated parameter rename, v4 expanded the commit description, and later versions folded the patch into a single series and dropped a related dp_link_parse_sink_count() change. The weakness class is CWE-476 (NULL Pointer Dereference). The lesson for driver authors is that every pointer a fallback path may touch has to be populated at the same point in the device lifecycle as the object it points to, so that the structure is consistent before any external input, compliance test or otherwise, can steer execution onto that path.
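As an added illustration of the two paths described above (the unassigned panel connector in the analysis of the flaw, and the fix that populates it at modeset init), here is a constructed C model. It is not the kernel's code: the struct and function names are simplified stand-ins for the drm/msm ones named in the commit, the EDID block is constructed for the example, and the -1 sentinel stands in for the NULL dereference the real driver would hit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EDID_LEN 128

/* Simplified stand-ins for the kernel structures; field names follow the
 * commit message, everything else is a hypothetical model, not drm/msm code. */
struct drm_connector {
    uint8_t real_edid_checksum; /* checksum the sink should have sent */
};

struct dp_panel {
    struct drm_connector *connector; /* never set before the fix */
    const uint8_t *edid;             /* NULL when the block failed validation */
};

struct msm_dp {
    struct drm_connector *connector; /* where the connector is actually kept */
    struct dp_panel panel;
};

/* EDID base block rule: all 128 bytes sum to 0 mod 256, so the correct
 * checksum byte is the two's complement of the first 127 bytes' sum. */
uint8_t edid_block_compute_checksum(const uint8_t *block)
{
    unsigned int sum = 0;
    for (size_t i = 0; i < EDID_LEN - 1; i++)
        sum += block[i];
    return (uint8_t)(0x100 - (sum & 0xff));
}

int edid_block_valid(const uint8_t *block)
{
    return edid_block_compute_checksum(block) == block[EDID_LEN - 1];
}

/* Models the drm EDID read: the connector always learns the real checksum,
 * but the panel only gets an EDID pointer when the block validates. */
void dp_read_edid(struct msm_dp *dp, const uint8_t *raw)
{
    dp->connector->real_edid_checksum = edid_block_compute_checksum(raw);
    dp->panel.edid = edid_block_valid(raw) ? raw : NULL;
}

/* Models dp_panel_handle_sink_request(): report the EDID checksum, falling
 * back to the connector; -1 marks where the real driver dereferences NULL. */
int dp_panel_sink_checksum(const struct dp_panel *panel)
{
    if (panel->edid)
        return panel->edid[EDID_LEN - 1];
    if (!panel->connector)
        return -1; /* CVE-2022-49221: dp_panel::connector was never assigned */
    return panel->connector->real_edid_checksum;
}

/* Before the fix: only msm_dp::connector is populated. */
void msm_dp_modeset_init_before(struct msm_dp *dp, struct drm_connector *c)
{
    dp->connector = c;
}

/* After the fix: the panel receives the same connector at modeset init. */
void msm_dp_modeset_init_after(struct msm_dp *dp, struct drm_connector *c)
{
    dp->connector = c;
    dp->panel.connector = c;
}

/* Constructed 128-byte EDID: valid header, zeroed body, arbitrary vendor
 * bytes, checksum deliberately wrong (0x00) as in CTS 4.2.2.6. */
void build_bad_checksum_edid(uint8_t *block)
{
    memset(block, 0, EDID_LEN);
    memcpy(block, "\x00\xff\xff\xff\xff\xff\xff\x00", 8);
    block[8] = 0x10; block[9] = 0xac; /* constructed manufacturer ID */
    block[EDID_LEN - 1] = 0x00;        /* correct value would be 0x4a */
}

/* Runs the CTS 4.2.2.6 scenario against the buggy (fixed == 0) or fixed
 * (fixed != 0) initialisation path and returns what the source reports. */
int run_cts_4_2_2_6(int fixed)
{
    struct drm_connector conn = {0};
    struct msm_dp dp = {0};
    uint8_t raw[EDID_LEN];

    build_bad_checksum_edid(raw);
    if (fixed)
        msm_dp_modeset_init_after(&dp, &conn);
    else
        msm_dp_modeset_init_before(&dp, &conn);
    dp_read_edid(&dp, raw);
    return dp_panel_sink_checksum(&dp.panel);
}

int main(void)
{
    printf("before fix: %d, after fix: 0x%02x\n",
           run_cts_4_2_2_6(0), run_cts_4_2_2_6(1));
    return 0;
}
```

Compile with `cc -std=c11 model.c` and run it: the pre-fix path returns the -1 sentinel where the real driver dereferences NULL, while the fixed path returns 0x4a, the checksum the test expects the source to report for that block.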

Responsible: Linux

Reservation: 02/26/2025

Disclosure: 02/26/2025

Moderation: accepted

CPE: ready

EPSS: 0.00246

KEV: no

Activities: very low
