CVE-2022-49963 in Linux

Summary

by MITRE • 06/18/2025

In the Linux kernel, the following vulnerability has been resolved:

drm/i915/ttm: fix CCS handling

Crucible + recent Mesa seems to sometimes hit:

GEM_BUG_ON(num_ccs_blks > NUM_CCS_BLKS_PER_XFER)

And it looks like we can also trigger this with gem_lmem_swapping, if we modify the test to use slightly larger object sizes.

Looking closer it looks like we have the following issues in migrate_copy():

- We are using plain integer in various places, which we can easily overflow with a large object.

- We pass the entire object size (when the src is lmem) into emit_pte() and then try to copy it, which doesn't work, since we only have a few fixed-size windows in which to map the pages and perform the copy. With an object > 8M we therefore aren't properly copying the pages. And then with an object > 64M we trigger the GEM_BUG_ON(num_ccs_blks > NUM_CCS_BLKS_PER_XFER).

So it looks like our copy handling for any object > 8M (which is our CHUNK_SZ) is currently broken on DG2.

Testcase: igt@gem_lmem_swapping (cherry picked from commit 8676145eb2f53a9940ff70910caf0125bd8a4bc2)
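The two thresholds in the commit message above (8M = CHUNK_SZ, 64M = the point where the GEM_BUG_ON fires) can be modelled in a few lines. The C program below is an added illustration, not code from the kernel commit or from VulDB: it contrasts handing the whole object size to a single transfer with walking the object in CHUNK_SZ windows using 64-bit arithmetic. CHUNK_SZ and the 64 MiB limit come from the page; the CCS ratios (256 main-memory bytes per CCS byte, 256 CCS bytes per block, 1024 blocks per transfer) are assumptions chosen so that 1024 blocks cover exactly 64 MiB, and the function names are hypothetical.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constants modelled on the i915 migrate code. CHUNK_SZ (8 MiB) and the
 * 64 MiB assertion threshold come from the commit message; the CCS ratios
 * are assumptions chosen so that NUM_CCS_BLKS_PER_XFER blocks cover 64 MiB.
 */
#define CHUNK_SZ                ((uint64_t)8 << 20)  /* 8 MiB mapping window */
#define NUM_BYTES_PER_CCS_BYTE  256u   /* assumed: main-memory bytes per CCS byte */
#define NUM_CCS_BYTES_PER_BLOCK 256u   /* assumed: CCS bytes per CCS block */
#define NUM_CCS_BLKS_PER_XFER   1024u  /* assumed: max CCS blocks per copy command */

/* Main-memory bytes described by one CCS block: 64 KiB under the above. */
#define BYTES_PER_CCS_BLK \
    ((uint64_t)NUM_BYTES_PER_CCS_BYTE * NUM_CCS_BYTES_PER_BLOCK)

/* Number of CCS blocks needed to describe `bytes` of main memory (round up). */
static uint64_t ccs_blocks_for(uint64_t bytes)
{
    return (bytes + BYTES_PER_CCS_BLK - 1) / BYTES_PER_CCS_BLK;
}

/* Largest object one transfer can describe before the assertion would fire. */
uint64_t max_single_xfer_bytes(void)
{
    return (uint64_t)NUM_CCS_BLKS_PER_XFER * BYTES_PER_CCS_BLK;  /* 64 MiB */
}

/*
 * Pre-fix shape: the whole object size is handed to one transfer.
 * Returns 1 if that transfer stays within NUM_CCS_BLKS_PER_XFER, 0 if the
 * GEM_BUG_ON(num_ccs_blks > NUM_CCS_BLKS_PER_XFER) condition would be hit.
 */
int whole_object_xfer_ok(uint64_t obj_size)
{
    return ccs_blocks_for(obj_size) <= NUM_CCS_BLKS_PER_XFER;
}

/*
 * Post-fix shape: walk the object in CHUNK_SZ windows and issue one transfer
 * per window, keeping every offset and length in 64-bit variables so a large
 * object cannot wrap an accumulator. Reports the transfer count and the
 * largest CCS block count any single transfer carries.
 */
static void plan_chunked_copy(uint64_t obj_size, uint64_t *xfers, uint64_t *max_blks)
{
    uint64_t offset = 0, count = 0, worst = 0;

    while (offset < obj_size) {
        uint64_t len = obj_size - offset;
        if (len > CHUNK_SZ)
            len = CHUNK_SZ;
        uint64_t blks = ccs_blocks_for(len);
        if (blks > worst)
            worst = blks;
        offset += len;
        count++;
    }
    *xfers = count;
    *max_blks = worst;
}

uint64_t chunked_xfer_count(uint64_t obj_size)
{
    uint64_t n, worst;
    plan_chunked_copy(obj_size, &n, &worst);
    return n;
}

uint64_t chunked_xfer_max_blocks(uint64_t obj_size)
{
    uint64_t n, worst;
    plan_chunked_copy(obj_size, &n, &worst);
    return worst;
}

int main(void)
{
    /* Constructed sample sizes: exactly one chunk, exactly the limit,
     * one page past the limit, and a large 3 GiB object. */
    const uint64_t sizes[] = { CHUNK_SZ, 64ull << 20, (64ull << 20) + 4096, 3ull << 30 };
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        uint64_t sz = sizes[i];
        printf("%llu bytes: whole-object xfer %s; chunked: %llu xfers, max %llu CCS blocks each\n",
               (unsigned long long)sz,
               whole_object_xfer_ok(sz) ? "ok" : "would hit GEM_BUG_ON",
               (unsigned long long)chunked_xfer_count(sz),
               (unsigned long long)chunked_xfer_max_blocks(sz));
    }
    return 0;
}
```

With these assumptions an 8 MiB chunk always needs 128 CCS blocks, so the chunked plan never approaches the 1024-block limit regardless of object size, while the whole-object form crosses it as soon as the object exceeds 64 MiB, which is the behaviour the commit message reports.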


Analysis

by VulDB Data Team • 11/30/2025

The vulnerability CVE-2022-49963 represents a critical flaw in the Linux kernel's graphics driver subsystem, specifically within the Intel i915 driver's TTM (Translation Table Manager) implementation. This issue manifests as a buffer overflow condition that occurs during memory management operations involving compressed memory objects on DG2 graphics hardware. The vulnerability stems from improper handling of compressed copy operations that exceed predefined memory chunk boundaries, creating potential for system instability and memory corruption. The flaw is particularly concerning because it affects the graphics memory management subsystem that handles large memory objects, which are increasingly common in modern graphics workloads including 3D rendering, video processing, and machine learning applications.

The technical root cause of this vulnerability lies in multiple integer overflow conditions and improper memory mapping logic within the migrate_copy() function. The implementation uses plain integer arithmetic without proper bounds checking when processing large memory objects, leading to potential overflow conditions that can result in incorrect memory calculations. Additionally, the driver fails to properly handle object sizes exceeding 8 megabytes, which represents the CHUNK_SZ boundary. When objects exceed this limit, the emit_pte() function receives the full object size but attempts to copy data through fixed-sized mapping windows that cannot accommodate such large transfers. This fundamental mismatch between object size and available mapping resources triggers the GEM_BUG_ON assertion failure, which is designed to catch such programming errors during kernel development but can be exploited in production environments.

The operational impact of this vulnerability extends beyond simple system crashes to potentially enable privilege escalation and denial of service conditions within graphics-intensive applications. When the kernel encounters memory objects larger than 8 megabytes, it fails to properly map and copy the compressed data blocks, leading to memory corruption that can affect the entire graphics subsystem. The issue is particularly severe in environments where large graphics buffers are common, such as professional video editing suites, gaming applications, or machine learning frameworks that utilize GPU acceleration. The vulnerability affects the gem_lmem_swapping test case, which is part of the Intel Graphics Driver Test Suite, indicating that this is a well-defined regression that impacts standard graphics memory management operations. The vulnerability demonstrates poor adherence to security by design principles, as the kernel fails to validate input parameters and enforce proper memory boundaries during critical operations.

Mitigation strategies for this vulnerability require immediate kernel updates to incorporate the fix from commit 8676145eb2f53a9940ff70910caf0125bd8a4bc2, which addresses the integer overflow conditions and proper memory mapping for large objects. System administrators should prioritize applying the patched kernel version to all systems running affected graphics drivers, particularly those in enterprise environments where graphics-intensive applications are common. The fix implements proper bounds checking for memory object sizes and ensures that large objects are properly segmented for processing within the fixed mapping windows. Additionally, organizations should consider implementing monitoring solutions to detect unusual graphics memory allocation patterns that might indicate exploitation attempts. From a security perspective, this vulnerability aligns with CWE-191, Integer Underflow/Overflow, and represents a classic example of insufficient input validation that can lead to memory corruption. The ATT&CK framework categorizes this as a privilege escalation technique through kernel exploitation, as successful exploitation could allow attackers to gain elevated privileges within the graphics subsystem. Regular security assessments of graphics drivers and memory management subsystems should be conducted to identify similar vulnerabilities that might exist in other kernel components.

Responsible

Linux

Reservation

06/18/2025

Disclosure

06/18/2025

Moderation

accepted

CPE

ready

EPSS

0.00175

KEV

no

Activities

very low
