CVE-2022-50102 in Linux

Summary

by MITRE • 06/18/2025

In the Linux kernel, the following vulnerability has been resolved:

video: fbdev: arkfb: Fix a divide-by-zero bug in ark_set_pixclock()

Since the user can control the arguments of the ioctl() from the user space, under special arguments that may result in a divide-by-zero bug in:

  drivers/video/fbdev/arkfb.c:784: ark_set_pixclock(info, (hdiv * info->var.pixclock) / hmul);

with hdiv=1, pixclock=1 and hmul=2 you end up with (1*1)/2 = (int) 0. and then in:

  drivers/video/fbdev/arkfb.c:504: rv = dac_set_freq(par->dac, 0, 1000000000 / pixclock);

we'll get a division-by-zero.

The following log can reveal it:

divide error: 0000 [#1] PREEMPT SMP KASAN PTI
RIP: 0010:ark_set_pixclock drivers/video/fbdev/arkfb.c:504 [inline]
RIP: 0010:arkfb_set_par+0x10fc/0x24c0 drivers/video/fbdev/arkfb.c:784
Call Trace:
 fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1034
 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110
 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189

Fix this by checking the argument of ark_set_pixclock() first.


Analysis

by VulDB Data Team • 12/01/2025

The vulnerability CVE-2022-50102 represents a critical divide-by-zero error in the Linux kernel's framebuffer device driver for ARK microelectronics graphics hardware. This flaw exists within the arkfb driver module located at drivers/video/fbdev/arkfb.c and specifically affects the ark_set_pixclock() function. The vulnerability arises from insufficient input validation when processing user-space ioctl() commands that control framebuffer parameters. When malicious or malformed parameters are passed through the ioctl interface with specific values hdiv=1, pixclock=1, and hmul=2, the arithmetic operation (1*1)/2 produces an integer result of zero, which then propagates into a subsequent division operation that causes the kernel to crash. This type of vulnerability falls under CWE-369, known as "Divide By Zero," which is a well-documented weakness in software security that can lead to system instability and potential denial of service conditions.

The technical exploitation of this vulnerability occurs through the framebuffer device interface where user-space applications can manipulate display parameters via ioctl system calls. The kernel's fbmem.c module handles these requests and routes them to the appropriate driver functions including arkfb_set_par() which calls ark_set_pixclock(). The arithmetic error manifests at line 504 where the expression 1000000000 / pixclock attempts to divide by zero when pixclock evaluates to zero due to the earlier calculation. This divide-by-zero condition triggers a kernel oops and system crash, as evidenced by the kernel log showing "divide error: 0000 [#1] PREEMPT SMP KASAN PTI" and the call trace indicating the execution path from fb_set_var through do_fb_ioctl to the failing ark_set_pixclock function. Such errors are classified under ATT&CK technique T1499.004, "Endpoint Denial of Service," as they can be exploited to cause system instability and service disruption.

The operational impact of this vulnerability extends beyond simple system crashes, as it represents a potential denial of service vector that could be exploited in environments where framebuffer access is available to untrusted users or processes. Attackers could potentially cause system-wide instability by repeatedly triggering this divide-by-zero condition, leading to system hangs or reboots that affect the availability of graphics services and potentially the entire system. The vulnerability affects Linux kernel versions that include the arkfb driver and represents a failure in proper input validation and error handling within kernel space code. The fix implemented involves adding proper parameter validation checks within the ark_set_pixclock() function to prevent the execution of division operations with zero denominators, thereby preventing the kernel crash and maintaining system stability. This remediation aligns with security best practices for kernel development and follows the principle of input validation that is fundamental to preventing arithmetic overflow and division by zero errors in operating system components.

The vulnerability demonstrates a classic example of how user-controllable inputs in kernel drivers can lead to critical system failures when proper validation is not implemented. The fix requires checking the arguments to ark_set_pixclock() before performing any arithmetic operations, ensuring that division operations always have non-zero denominators. This approach addresses the root cause rather than merely patching symptoms and maintains the driver's functionality while preventing the kernel crash. The issue affects systems using ARK graphics hardware through the framebuffer subsystem and could potentially impact embedded systems or servers that rely on framebuffer interfaces for display output. The vulnerability highlights the importance of robust input validation in kernel space drivers and the need for comprehensive testing of edge cases in graphics and display subsystems to prevent similar issues in other kernel components.
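The check described above, as an added example: a user-space C model written for this entry, not the kernel source and not the upstream patch. The function names and the 39721 sample value are assumptions; the hdiv/pixclock/hmul values and the 1000000000 constant come from the report.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model of the arithmetic in the report; not kernel code and
 * not the upstream patch. All function names here are hypothetical. */

/* Scaling applied before ark_set_pixclock(): integer division truncates
 * toward zero, so any hdiv * pixclock < hmul yields 0. */
static uint32_t scale_pixclock(uint32_t hdiv, uint32_t pixclock, uint32_t hmul)
{
    return (hdiv * pixclock) / hmul;
}

/* Hardened conversion: refuse a zero divisor instead of dividing by it.
 * Returns 0 and stores the result on success, -EINVAL otherwise. */
static int pixclock_to_freq(uint32_t pixclock, uint32_t *freq)
{
    if (pixclock == 0)
        return -EINVAL;
    *freq = 1000000000u / pixclock;
    return 0;
}

/* Whole path with both divisors checked: hmul and the scaled pixclock. */
static int set_pixclock_checked(uint32_t hdiv, uint32_t pixclock,
                                uint32_t hmul, uint32_t *freq)
{
    if (hmul == 0)
        return -EINVAL;
    return pixclock_to_freq(scale_pixclock(hdiv, pixclock, hmul), freq);
}

int main(void)
{
    uint32_t freq = 0;
    /* Values from the report: (1*1)/2 truncates to 0 and is rejected. */
    int rc = set_pixclock_checked(1, 1, 2, &freq);
    printf("hdiv=1 pixclock=1 hmul=2 -> rc=%d\n", rc);
    /* Constructed sane input: pixclock 39721, no scaling. */
    rc = set_pixclock_checked(1, 39721, 1, &freq);
    printf("hdiv=1 pixclock=39721 hmul=1 -> rc=%d freq=%u\n", rc, freq);
    return 0;
}
```
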

Responsible

Linux

Reservation

06/18/2025

Disclosure

06/18/2025

Moderation

accepted

CPE

ready

EPSS

0.00156

KEV

no

Activities

very low
