CVE-2022-49978 in Linux
Summary
by MITRE • 06/18/2025
In the Linux kernel, the following vulnerability has been resolved:
fbdev: fb_pm2fb: Avoid potential divide by zero error
In `do_fb_ioctl()` of fbmem.c, if cmd is FBIOPUT_VSCREENINFO, var will be copied from user, then go through `fb_set_var()` and `info->fbops->fb_check_var()`, which may be `pm2fb_check_var()`. Along the path, `var->pixclock` won't be modified. This function checks whether the reciprocal of `var->pixclock` is too high. If `var->pixclock` is zero, there will be a divide by zero error. So, it is necessary to check whether the denominator is zero to avoid a crash. As this bug was found by Syzkaller, the logs are listed below.
divide error in pm2fb_check_var
Call Trace:
<TASK>
fb_set_var+0x367/0xeb0 drivers/video/fbdev/core/fbmem.c:1015
do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110
fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189
Analysis
by VulDB Data Team • 11/30/2025
CVE-2022-49978 is a divide-by-zero error in the Linux kernel's framebuffer subsystem (fbdev) that a local user with access to a framebuffer device can use to crash the kernel, giving a denial of service. The flaw sits in the pm2fb driver's handling of video mode information submitted through the FBIOPUT_VSCREENINFO ioctl. The framebuffer core in fbmem.c copies the caller's struct fb_var_screeninfo from user space in do_fb_ioctl, hands it to fb_set_var, and fb_set_var invokes the driver's fb_check_var callback, which for this driver is pm2fb_check_var. Nothing on that path rewrites the pixclock field, which holds the pixel clock period in picoseconds. pm2fb_check_var converts pixclock to a frequency by taking its reciprocal (the PICOS2KHZ conversion) to see whether the requested pixel clock exceeds what the hardware supports, and it did so without first checking that pixclock is non-zero. A zero pixclock therefore produces an integer division by zero in kernel mode, which the CPU reports as a divide error and the kernel handles as an oops; on systems configured with panic_on_oops this becomes a full panic.
The execution path begins with a user-space process that holds an open descriptor on a framebuffer device node backed by pm2fb and issues FBIOPUT_VSCREENINFO with a struct fb_var_screeninfo whose pixclock field is zero. The framebuffer core copies the structure into kernel memory and passes it to fb_set_var, which is responsible for validating the requested mode before applying it. fb_set_var calls the driver-specific check routine through the fbops callback table; for pm2fb, the driver for 3Dlabs Permedia 2 graphics hardware, that routine is pm2fb_check_var. The check computes the reciprocal of pixclock to obtain the pixel clock in kHz and compares it against the driver's maximum, and that division is exactly where a zero operand faults. The bug was found by Syzkaller, the coverage-guided kernel fuzzer, by exercising the fbdev ioctl interface; the reported trace (fb_ioctl to do_fb_ioctl to fb_set_var to pm2fb_check_var) shows that the fault is reached directly from the ioctl with no race or timing dependency, so a single malformed request triggers it reliably on an affected kernel with this driver bound.
The operational impact of CVE-2022-49978 is a local denial of service: a process that can open the framebuffer device can send an FBIOPUT_VSCREENINFO request with pixclock set to zero and crash the kernel, after which the machine must be rebooted (or, if the oops is not fatal, the calling task is killed while the kernel continues in an undefined state). Two preconditions limit exposure. First, the pm2fb driver must be bound to a device, so only systems with Permedia 2 hardware and this driver loaded are affected. Second, the caller needs an open file descriptor on /dev/fbN; on most distributions those nodes are owned by root and a video group, so the attacker must already have that level of access, for example through a console session, a container that was granted the device, or a misconfigured udev rule. The flaw maps to CWE-369: Divide by Zero. It is a crash primitive, not a memory corruption primitive: a divide error does not give the attacker control over kernel memory, and nothing in the report or the fix supports using it for privilege escalation, so in ATT&CK terms it belongs under endpoint denial of service rather than privilege escalation.
Mitigation for CVE-2022-49978 is to run a kernel that contains the fix, which adds a check in pm2fb_check_var rejecting a zero pixclock with -EINVAL before the reciprocal is computed; the fix is in mainline and has been backported to the stable series, so distribution kernel updates carry it. Administrators should prioritise hosts that actually bind pm2fb and that expose framebuffer devices to non-root users. Where the driver is not needed, blacklisting the pm2fb module removes the vulnerable check routine entirely. Beyond patching, keep /dev/fb* device nodes restricted to root and the video group, do not pass framebuffer devices into containers or virtual machines that run untrusted code, and audit udev rules that loosen those permissions. A practical check is to confirm the pixclock guard is present in the running kernel's source or to test the ioctl on a non-production system. Kernel lockdown does not help here, since it does not restrict fbdev ioctls; the relevant controls are device permissions and module loading. Where the crash is triggered, the signature is a divide error oops with pm2fb_check_var at the top of the call trace, which is worth alerting on in kernel log monitoring.
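The divide site described in the analysis above and the guard added by the fix, modelled as an added user-space example (this is editor-written illustration, not the kernel's pm2fb.c). The PICOS2KHZ macro matches the kernel's definition in linux/fb.h; struct var_info is a cut-down stand-in for the pixclock field of struct fb_var_screeninfo, and the PM2_MAX_PIXCLOCK value and the sample timings are assumptions for illustration. The unpatched routine is only ever called with a non-zero pixclock here, because the real division by zero would fault the process on x86 just as it oopses the kernel.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Same arithmetic as the kernel's PICOS2KHZ(): period in ps -> frequency in kHz.
 * The division is the fault site when the operand is zero. */
#define PICOS2KHZ(a) (1000000000UL / (a))

/* Assumed hardware ceiling for illustration (kHz). */
#define PM2_MAX_PIXCLOCK 230000UL

/* Stand-in for the one field of struct fb_var_screeninfo this bug depends on.
 * pixclock is the pixel clock period in picoseconds; 0 is never a valid timing. */
struct var_info {
    uint32_t pixclock;
};

/* Pre-fix shape of the check: reciprocal taken with no guard.
 * Must not be called with pixclock == 0 (integer divide by zero). */
static int check_var_unpatched(const struct var_info *var)
{
    if (PICOS2KHZ(var->pixclock) > PM2_MAX_PIXCLOCK)
        return -EINVAL;   /* pixel clock too fast for the hardware */
    return 0;
}

/* Post-fix shape: reject a zero pixclock before it reaches the divide. */
static int check_var_patched(const struct var_info *var)
{
    if (!var->pixclock)
        return -EINVAL;   /* the fix: refuse the request instead of faulting */
    if (PICOS2KHZ(var->pixclock) > PM2_MAX_PIXCLOCK)
        return -EINVAL;
    return 0;
}

/* Model of do_fb_ioctl(FBIOPUT_VSCREENINFO) -> fb_set_var -> fb_check_var:
 * the caller-supplied value is copied and handed to the driver check unmodified,
 * so whatever user space wrote in pixclock is what the driver divides by. */
static int submit_pixclock(uint32_t pixclock,
                           int (*check)(const struct var_info *))
{
    struct var_info user_var = { .pixclock = pixclock };
    struct var_info kvar = user_var;          /* copy_from_user() */
    return check(&kvar);
}

int main(void)
{
    /* Constructed sample timings: 39721 ps ~ 25.175 MHz (a 640x480@60 clock),
     * 1000 ps = 1 GHz (rejected as too fast), 0 = the syzkaller input. */
    const uint32_t samples[] = { 39721, 1000, 0 };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t p = samples[i];
        printf("pixclock=%u patched -> %d", p, submit_pixclock(p, check_var_patched));
        if (p)
            printf(", unpatched -> %d\n", submit_pixclock(p, check_var_unpatched));
        else
            printf(", unpatched -> divide error (kernel oops)\n");
    }
    return 0;
}
```

The two checks agree on every non-zero input, which is why the guard is safe to add: it changes the outcome only for the one value that previously faulted, turning a crash into an -EINVAL returned to the ioctl caller.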