CVE-2022-1419 The root cause of this vulnerability is that the ioctl$DRM_IOCTL_MODE_DESTROY_DUMB can decrease refcount of *drm_vgem_gem_object, and *vgem_gem_dumb_create will access the freed drm_vgem_gem_object.

As a result, concurrent *drm_vgem_gem_object *creation can cause a *stack overflow*. *vgem_gem_dumb_create will access the freed *drm_vgem_gem_object, leading to a *buffer overflow*, *a segmentation fault, or a *segfault.

The details of this vulnerability are as follows:

1. Create a *drm_vgem_gem_object *in *vgem_gem_dumb_create.

2. Create another *drm_vgem_gem_object *in *vgem_gem_dumb_create.

3. Destroy the first *drm_vgem_gem_object.

What this code does is that it concurrently creates a *drm_vgem_gem_object, and another *drm_vgem_gem_object.

^

Concurrent *drm_vgem_gem_object *creation can cause a *stack overflow*. *vgem_gem_dumb_create will access the freed *drm_vgem_gem_object, leading to a *buffer overflow*, *a segmentation fault, or a *segfault.

This vulnerability has been assigned CVE-2022-1419 (this is not an official CVE ID).

Find the function triggered by the bug gld_driver_create

Stack overflow

There are two problems with this. The first is that the *drm_vgem_gem_object *created in *vgem_gem_dumb_create will then be freed without the necessary protection, leading to a *buffer overflow*, *a segmentation fault, or a *segfault.*

Timeline

Published on: 06/02/2022 14:15:00 UTC
Last modified on: 07/04/2022 11:15:00 UTC

References

• https://bugzilla.redhat.com/show_bug.cgi?id=2077560
• https://www.debian.org/security/2022/dsa-5173
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1419