CVE-2022-50841 in Linux信息

摘要

由 VulDB • 2026-06-14

Based on the kernel oops trace provided, here is an analysis of the crash.

### **Summary** The kernel has crashed in the function **`mi_enum_attr`** with a **NULL pointer dereference** (or invalid pointer dereference). The crash occurs while the kernel is trying to access memory at address `0xffff956a83c76067`, which is an invalid user/kernel space address (likely a corrupted pointer or a dereference of a NULL/invalid struct member).

---

### **Key Details from the Trace**

1. **Crash Location**: ``` RIP: 0010:mi_enum_attr+0x44/0x110 ``` - The crash happened in the function `mi_enum_attr` at offset `0x44`. - This function is part of the **Intel Media Driver** (`i915`/`media` subsystem), specifically related to **Media Interface (MI) attribute enumeration**. This is commonly associated with **Intel QuickSync Video** or **VAAPI** hardware acceleration.

2. **Faulting Address**: ``` CR2: ff956a83c76067 ``` - `CR2` holds the linear address that caused the page fault. - The address `0xffff956a83c76067` is **not a valid kernel address** in most configurations. It looks like a corrupted pointer (possibly a NULL pointer that was offset incorrectly, or a use-after-free scenario).

3. **Register State**: ``` RAX: ff956a83c76067 ``` - `RAX` contains the same invalid address as `CR2`, confirming that the CPU tried to dereference `RAX` (or a value derived from it) and failed.

4. **Call Context**: - The function `mi_enum_attr` is likely being called from a sysfs, debugfs, or ioctl path where the kernel is enumerating media attributes for a device. - The presence of `Modules linked in:` suggests this is a loadable kernel module (likely `i915` or `media` driver).

---

### **Likely Cause** This is a **kernel bug** in the Intel Media Driver (`i915` or `media` subsystem). Possible root causes include:

1. **NULL Pointer Dereference**: - The code in `mi_enum_attr` is trying to access a member of a struct that is NULL. - Example: `struct->member` where `struct` is NULL.

2. **Use-After-Free**: - The pointer being dereferenced was freed earlier, and the memory has been reused or corrupted.

3. **Race Condition**: - A concurrent operation modified or freed the data structure while `mi_enum_attr` was accessing it.

4. **Corrupted Pointer**: - The pointer value itself is garbage (e.g., due to stack corruption or integer overflow).

---

### **How to Debug Further**

1. **Check Kernel Version**: - Identify your kernel version (`uname -r`). This bug may have been fixed in a newer kernel. - Search for bugs in the Linux kernel bugzilla or Intel graphics mailing lists with keywords: `mi_enum_attr`, `i915`, `media`, `NULL pointer dereference`.

2. **Reproduce the Crash**: - What were you doing when the crash occurred? - Running a video playback application (e.g., VLC, MPV)? - Using `vainfo` or `intel_gpu_top`? - Accessing `/sys/class/drm/` or `/dev/dri/` devices? - Try to reproduce the crash in a controlled environment.

3. **Enable Debug Symbols**: - If you have debug symbols for the `i915` module, you can get a more detailed backtrace: ```bash sudo dmesg | grep -A 50 "mi_enum_attr" ``` - Look for the full call trace above the `RIP` line (which was truncated in your log).

4. **Check for Known Fixes**: - This issue may be related to recent changes in the Intel media driver. Check for patches in the `linux-media` or `drm-intel` trees.

---

### **Workaround** If this crash is preventing system stability:

1. **Disable Intel Media Driver**: - Blacklist the `i915` module or disable hardware acceleration in your applications. - Add `i915.disable_vdpau=

VulDB is the best source for vulnerability data and more expert information about this specific topic.

来源

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!