CVE-2022-49261 in Linux

Summary

by MITRE • 02/26/2025

In the Linux kernel, the following vulnerability has been resolved:

drm/i915/gem: add missing boundary check in vm_access

A missing bounds check in vm_access() can lead to an out-of-bounds read or write in the adjacent memory area, since the len attribute is not validated before the memcpy later in the function, potentially hitting:

[ 183.637831] BUG: unable to handle page fault for address: ffffc90000c86000
[ 183.637934] #PF: supervisor read access in kernel mode
[ 183.637997] #PF: error_code(0x0000) - not-present page
[ 183.638059] PGD 100000067 P4D 100000067 PUD 100258067 PMD 106341067 PTE 0
[ 183.638144] Oops: 0000 [#2] PREEMPT SMP NOPTI
[ 183.638201] CPU: 3 PID: 1790 Comm: poc Tainted: G D 5.17.0-rc6-ci-drm-11296+ #1
[ 183.638298] Hardware name: Intel Corporation CoffeeLake Client Platform/CoffeeLake H DDR4 RVP, BIOS CNLSFWR1.R00.X208.B00.1905301319 05/30/2019
[ 183.638430] RIP: 0010:memcpy_erms+0x6/0x10
[ 183.640213] RSP: 0018:ffffc90001763d48 EFLAGS: 00010246
[ 183.641117] RAX: ffff888109c14000 RBX: ffff888111bece40 RCX: 0000000000000ffc
[ 183.642029] RDX: 0000000000001000 RSI: ffffc90000c86000 RDI: ffff888109c14004
[ 183.642946] RBP: 0000000000000ffc R08: 800000000000016b R09: 0000000000000000
[ 183.643848] R10: ffffc90000c85000 R11: 0000000000000048 R12: 0000000000001000
[ 183.644742] R13: ffff888111bed190 R14: ffff888109c14000 R15: 0000000000001000
[ 183.645653] FS: 00007fe5ef807540(0000) GS:ffff88845b380000(0000) knlGS:0000000000000000
[ 183.646570] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 183.647481] CR2: ffffc90000c86000 CR3: 000000010ff02006 CR4: 00000000003706e0
[ 183.648384] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 183.649271] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 183.650142] Call Trace:
[ 183.650988]
[ 183.651793] vm_access+0x1f0/0x2a0 [i915]
[ 183.652726] __access_remote_vm+0x224/0x380
[ 183.653561] mem_rw.isra.0+0xf9/0x190
[ 183.654402] vfs_read+0x9d/0x1b0
[ 183.655238] ksys_read+0x63/0xe0
[ 183.656065] do_syscall_64+0x38/0xc0
[ 183.656882] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 183.657663] RIP: 0033:0x7fe5ef725142
[ 183.659351] RSP: 002b:00007ffe1e81c7e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 183.660227] RAX: ffffffffffffffda RBX: 0000557055dfb780 RCX: 00007fe5ef725142
[ 183.661104] RDX: 0000000000001000 RSI: 00007ffe1e81d880 RDI: 0000000000000005
[ 183.661972] RBP: 00007ffe1e81e890 R08: 0000000000000030 R09: 0000000000000046
[ 183.662832] R10: 0000557055dfc2e0 R11: 0000000000000246 R12: 0000557055dfb1c0
[ 183.663691] R13: 00007ffe1e81e980 R14: 0000000000000000 R15: 0000000000000000

Changes since v1:
- Updated if condition with range_overflows_t [Chris Wilson]

[mauld: tidy up the commit message and add Cc: stable]
(cherry picked from commit 661412e301e2ca86799aa4f400d1cf0bd38c57c6)


Analysis

by VulDB Data Team • 02/16/2026

The vulnerability described in CVE-2022-49261 resides within the Linux kernel's graphics subsystem, specifically in the Intel i915 driver's virtual memory access handling mechanism. This issue manifests as a missing boundary check in the vm_access() function, which governs how memory accesses are processed for graphics rendering operations. The flaw occurs when the len parameter, which specifies the length of data to be copied, is not properly validated before a subsequent memcpy operation. This oversight creates a potential out-of-bounds read or write condition that can corrupt adjacent memory areas and ultimately lead to system instability or exploitation. The vulnerability is particularly concerning as it operates within kernel mode, meaning any successful exploitation could result in privilege escalation or system compromise. The kernel oops trace reveals a page fault occurring at address ffffc90000c86000 during a memcpy operation, indicating memory corruption in the kernel's virtual memory space. The call stack shows the execution path leading through vm_access, __access_remote_vm, and various file system read operations before reaching the final memcpy_erms function where the fault occurs.

The technical nature of this vulnerability aligns with CWE-129, which addresses insufficient boundary checking, and more specifically with CWE-787, which deals with out-of-bounds write conditions. From an attack perspective, this vulnerability maps to ATT&CK technique T1068, which involves local privilege escalation through kernel exploits, and potentially T1543, which covers persistence mechanisms that could be established through kernel-level modifications. The vulnerability's impact is significant because it affects graphics drivers that are commonly present in desktop and server environments, making it a prime target for exploitation. The fix implemented addresses the missing validation by updating the conditional check with a range_overflows_t function, which properly validates that the memory access parameters do not exceed acceptable boundaries. This change ensures that any attempt to access memory beyond valid limits will be properly rejected rather than allowing potentially malicious or erroneous operations to proceed.
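To make the fix concrete, here is an added userspace model (not the kernel's code) of the two shapes of the check: a pre-fix path that only compares the start offset against the object size, and a post-fix path that validates offset and length together with a re-implementation of the kernel's range_overflows_t(u64, ...) predicate. The struct and function names are hypothetical; the sample offsets are constructed, with len 0x1000 taken from the RDX value in the trace above.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of the i915 vm_access() path: a pinned object of `size`
 * bytes, an offset already rebased to the object (addr - vm_start), and a
 * caller-controlled len. Hypothetical names, not the kernel's structures. */
struct fake_obj { uint8_t *map; uint64_t size; };

/* Same shape as the kernel's range_overflows_t(u64, start, size, max):
 * true when [start, start+size) does not fit inside [0, max). Written as
 * a subtraction so that start + size can never wrap around. */
static bool range_overflows_u64(uint64_t start, uint64_t size, uint64_t max)
{
    return start >= max || size > max - start;
}

/* Pre-fix shape: only the start offset is checked, so a len that runs past
 * the end of the object still reaches memcpy (the page fault in the trace).
 * Never call this with off + len > size; it is here for comparison only. */
static int vm_access_prefix(struct fake_obj *obj, uint64_t off, void *buf, size_t len)
{
    if (off >= obj->size)
        return -EINVAL;
    memcpy(buf, obj->map + off, len);
    return (int)len;
}

/* Post-fix shape: offset and length are validated together before the copy. */
static int vm_access_fixed(struct fake_obj *obj, uint64_t off, void *buf, size_t len)
{
    if (range_overflows_u64(off, len, obj->size))
        return -EINVAL;
    memcpy(buf, obj->map + off, len);
    return (int)len;
}

/* Test helper: zero-filled object of obj_size bytes, one fixed-path read. */
static int try_fixed_read(uint64_t obj_size, uint64_t off, size_t len)
{
    struct fake_obj obj = { calloc(obj_size, 1), obj_size };
    uint8_t *buf = malloc(len ? len : 1);
    int ret = vm_access_fixed(&obj, off, buf, len);
    free(buf); free(obj.map);
    return ret;
}
```

The last-page case (offset 0xffc, len 0x1000 in a 0x1000-byte object) passes the pre-fix start check but is rejected by the fixed path before any copy.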

The operational impact of this vulnerability extends beyond simple kernel panics, as it represents a potential entry point for sophisticated attacks targeting graphics processing units and their associated driver components. Systems utilizing Intel graphics hardware are particularly at risk, especially those running kernel versions that have not received the patch. The vulnerability demonstrates the importance of proper input validation in kernel space operations, where even seemingly minor oversights can lead to critical security issues. Organizations should prioritize patching affected systems, particularly those running kernel versions prior to the fix implementation. The remediation strategy involves ensuring that all systems with Intel graphics drivers are updated to kernel versions containing the patched vm_access function. Additionally, system administrators should monitor for any unusual memory access patterns or kernel oops messages that might indicate exploitation attempts. The fix demonstrates the kernel development community's approach to addressing security issues through careful boundary checking and validation, reinforcing the principle that kernel-level security requires rigorous input sanitization to prevent memory corruption vulnerabilities that could be leveraged for privilege escalation or denial of service attacks.

Responsible

Linux

Reservation

02/26/2025

Disclosure

02/26/2025

Moderation

accepted

CPE

ready

EPSS

0.00269

KEV

no

Activities

very low
