CVE-2022-1419
The root cause of this vulnerability is that the ioctl$DRM_IOCTL_MODE_DESTROY_DUMB call can decrease the refcount of a drm_vgem_gem_object, after which vgem_gem_dumb_create will access the freed drm_vgem_gem_object.
As a result, concurrent drm_vgem_gem_object creation can cause a stack overflow. vgem_gem_dumb_create will access the freed drm_vgem_gem_object, leading to a buffer overflow or a segmentation fault (segfault).
The details of this vulnerability are as follows:
1. Create a drm_vgem_gem_object in vgem_gem_dumb_create.
2. Create another drm_vgem_gem_object in vgem_gem_dumb_create.
3. Destroy the first drm_vgem_gem_object.
This sequence concurrently creates one drm_vgem_gem_object and then another drm_vgem_gem_object.
This vulnerability has been assigned CVE-2022-1419 (this is not an official CVE ID).
Find the function triggered by the bug gld_driver_create
Stack overflow
There are two problems with this. The first is that the drm_vgem_gem_object created in vgem_gem_dumb_create will then be freed without the necessary protection, leading to a buffer overflow or a segmentation fault (segfault).
Timeline
Published on: 06/02/2022 14:15:00 UTC
Last modified on: 07/04/2022 11:15:00 UTC