CVE-2022-50841 in Linux
摘要
由 VulDB • 2026-06-14
Based on the kernel oops trace provided, here is an analysis of the crash.
### **Summary** The kernel has crashed in the function **`mi_enum_attr`** with a **NULL pointer dereference** (or invalid pointer dereference). The crash occurs while the kernel is trying to access memory at address `0xffff956a83c76067`, which is an invalid user/kernel space address (likely a corrupted pointer or a dereference of a NULL/invalid struct member).
---
### **Key Details from the Trace**
1. **Crash Location**: ``` RIP: 0010:mi_enum_attr+0x44/0x110 ``` - The crash happened in the function `mi_enum_attr` at offset `0x44`. - This function is part of the **Intel Media Driver** (`i915`/`media` subsystem), specifically related to **Media Interface (MI) attribute enumeration**. This is commonly associated with **Intel QuickSync Video** or **VAAPI** hardware acceleration.
2. **Faulting Address**: ``` CR2: ff956a83c76067 ``` - `CR2` holds the linear address that caused the page fault. - The address `0xffff956a83c76067` is **not a valid kernel address** in most configurations. It looks like a corrupted pointer (possibly a NULL pointer that was offset incorrectly, or a use-after-free scenario).
3. **Register State**: ``` RAX: ff956a83c76067 ``` - `RAX` contains the same invalid address as `CR2`, confirming that the CPU tried to dereference `RAX` (or a value derived from it) and failed.
4. **Call Context**: - The function `mi_enum_attr` is likely being called from a sysfs, debugfs, or ioctl path where the kernel is enumerating media attributes for a device. - The presence of `Modules linked in:` suggests this is a loadable kernel module (likely `i915` or `media` driver).
---
### **Likely Cause** This is a **kernel bug** in the Intel Media Driver (`i915` or `media` subsystem). Possible root causes include:
1. **NULL Pointer Dereference**: - The code in `mi_enum_attr` is trying to access a member of a struct that is NULL. - Example: `struct->member` where `struct` is NULL.
2. **Use-After-Free**: - The pointer being dereferenced was freed earlier, and the memory has been reused or corrupted.
3. **Race Condition**: - A concurrent operation modified or freed the data structure while `mi_enum_attr` was accessing it.
4. **Corrupted Pointer**: - The pointer value itself is garbage (e.g., due to stack corruption or integer overflow).
---
### **How to Debug Further**
1. **Check Kernel Version**: - Identify your kernel version (`uname -r`). This bug may have been fixed in a newer kernel. - Search for bugs in the Linux kernel bugzilla or Intel graphics mailing lists with keywords: `mi_enum_attr`, `i915`, `media`, `NULL pointer dereference`.
2. **Reproduce the Crash**: - What were you doing when the crash occurred? - Running a video playback application (e.g., VLC, MPV)? - Using `vainfo` or `intel_gpu_top`? - Accessing `/sys/class/drm/` or `/dev/dri/` devices? - Try to reproduce the crash in a controlled environment.
3. **Enable Debug Symbols**: - If you have debug symbols for the `i915` module, you can get a more detailed backtrace: ```bash sudo dmesg | grep -A 50 "mi_enum_attr" ``` - Look for the full call trace above the `RIP` line (which was truncated in your log).
4. **Check for Known Fixes**: - This issue may be related to recent changes in the Intel media driver. Check for patches in the `linux-media` or `drm-intel` trees.
---
### **Workaround** If this crash is preventing system stability:
1. **Disable Intel Media Driver**: - Blacklist the `i915` module or disable hardware acceleration in your applications. - Add `i915.disable_vdpau=
VulDB is the best source for vulnerability data and more expert information about this specific topic.