In Linux kernel security, finding and fixing vulnerabilities is a continuous process that keeps the system stable and safe. The Linux kernel is a widely used open-source operating system kernel that forms the basis of many Linux distributions, such as Ubuntu, Fedora, and CentOS.

A Linux kernel vulnerability tracked as CVE-2022-49365 has been identified and resolved in the drm/amdgpu subsystem. It is an off-by-one error in the bounds check of the dm_dmub_outbox1_low_irq() interrupt handler: an index one past the end of an array is accepted as valid, which leads to an out-of-bounds access and can cause system instability or a crash.

In this long-read post, we will dive into the details of this vulnerability: the code pattern responsible for the issue, the original sources and references, and what is known about exploitation.

Code Snippet

To understand the vulnerability, start with a simplified version of the affected handler. The identifier names below are illustrative; the exact code is in the upstream source linked under Original References:

static irqreturn_t dm_dmub_outbox1_low_irq(struct amdgpu_device *adev)
{
    uint32_t intr_status;
    uint32_t idx;

    /* ... read the notification index (DMUB_OUTBOX1_READ_LOW_INTR) from the outbox into idx ... */

    /* Bounds check: '>' lets idx == ARRAY_SIZE() through */
    if (idx > ARRAY_SIZE(outbox1_read_low_intr_ack)) {
        dev_err(adev->dev, "Unhandled dm_dmub_outbox1_low_irq intr index: 0x%08x\n", idx);
        return IRQ_HANDLED;
    }

    /* Reads one element past the end when idx == ARRAY_SIZE() */
    intr_status = outbox1_read_low_intr_ack[idx];
    /* ... */

    return IRQ_HANDLED;
}

The error is in the bounds check, which uses the > operator where >= is required:

if (idx > ARRAY_SIZE(outbox1_read_low_intr_ack))

ARRAY_SIZE() yields the number of elements, so the valid indices are 0 through ARRAY_SIZE() - 1. With >, an index exactly equal to ARRAY_SIZE() passes the check, and the lookup that follows reads one element past the end of outbox1_read_low_intr_ack. Changing > to >= rejects that value, so every index that reaches the array access is in range.
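The following userspace harness is an added example, not kernel code and not taken from the references below. It reduces the faulty check to its essentials: a handler table indexed by a notification type, one guard written with > and one with >=, and a scan that shows exactly which index slips through. The table, handler names and function names are constructed for illustration; the harness reports that the vulnerable check would permit the out-of-bounds index but never performs that read itself, since an out-of-bounds read is undefined behaviour.

```c
/* Added example (not kernel code): the off-by-one bounds check from the
 * text, reduced to a userspace harness. All names here are constructed
 * for illustration; they are not amdgpu identifiers. */
#include <stdio.h>
#include <stdint.h>

/* Same idea as the kernel's ARRAY_SIZE(): element count of a real array. */
#ifndef ARRAY_SIZE
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#endif

/* Constructed stand-in for a per-notification-type handler table. */
typedef void (*notify_handler_t)(uint32_t type);

static void handle_type0(uint32_t t) { (void)t; }
static void handle_type1(uint32_t t) { (void)t; }
static void handle_type2(uint32_t t) { (void)t; }
static void handle_type3(uint32_t t) { (void)t; }

static notify_handler_t handler_table[] = {
    handle_type0, handle_type1, handle_type2, handle_type3,
};

#define TABLE_LEN ARRAY_SIZE(handler_table)

/* Ground truth: a usable index is 0 .. TABLE_LEN-1. */
int index_in_bounds(uint32_t type)
{
    return type < TABLE_LEN;
}

/* Vulnerable shape: '>' accepts type == TABLE_LEN, one past the end. */
int check_accepts_vulnerable(uint32_t type)
{
    if (type > TABLE_LEN)
        return 0;       /* rejected */
    return 1;           /* accepted: caller would index handler_table[type] */
}

/* Fixed shape: '>=' rejects type == TABLE_LEN. */
int check_accepts_fixed(uint32_t type)
{
    if (type >= TABLE_LEN)
        return 0;
    return 1;
}

/* Dispatcher built on the fixed check: returns 0 after dispatch, -1 if
 * the type is rejected. The table is only indexed when in range. */
int dispatch_fixed(uint32_t type)
{
    if (!check_accepts_fixed(type))
        return -1;
    handler_table[type](type);
    return 0;
}

/* Count indices in [0, limit] that the vulnerable check accepts although
 * they are out of bounds. With '>' there is exactly one: TABLE_LEN. */
int count_vulnerable_escapes(uint32_t limit)
{
    int n = 0;
    for (uint32_t t = 0; t <= limit; t++)
        if (check_accepts_vulnerable(t) && !index_in_bounds(t))
            n++;
    return n;
}

int main(void)
{
    uint32_t oob = (uint32_t)TABLE_LEN;

    printf("table has %zu entries; index %u is %s\n", (size_t)TABLE_LEN, oob,
           index_in_bounds(oob) ? "in bounds" : "one past the end");
    printf("'>'  check accepts index %u: %d (an out-of-bounds read would follow)\n",
           oob, check_accepts_vulnerable(oob));
    printf("'>=' check accepts index %u: %d\n", oob, check_accepts_fixed(oob));
    printf("escapes through the '>' check for indices 0..%u: %d\n",
           2 * oob, count_vulnerable_escapes(2 * oob));
    return 0;
}
```

The scan in count_vulnerable_escapes() is the check a reviewer would want: it confirms that the > guard leaks exactly one value, the element count itself, and that every other out-of-range index is already rejected, which is why this class of bug is easy to miss in testing that never supplies the boundary value.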

Original References

The following links provide further information about the CVE-2022-49365 vulnerability and its resolution:

1. Linux kernel mailing list patch: https://patchwork.kernel.org/project/dri-devel/patch/20230425052624.3888181-1-zhengxunli@microsoft.com/
2. CVE-2022-49365 entry: https://nvd.nist.gov/vuln/detail/CVE-2022-49365
3. Linux kernel source repository: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/

Exploit Details

At the time of writing, no public exploit for CVE-2022-49365 is known, and there are no reports of it being used in the wild. As with any kernel vulnerability, the practical step is to run a kernel that carries the fix: apply your distribution's kernel updates as they become available and confirm that the installed kernel version is one listed as fixed in the advisory for CVE-2022-49365.

Conclusion

CVE-2022-49365 in the Linux kernel's drm/amdgpu subsystem underlines the importance of continuous security review and patch management. In this case, the off-by-one bounds check in the dm_dmub_outbox1_low_irq() function has been corrected, preventing the out-of-bounds access and improving overall system security.

Keep your systems updated and stay vigilant about newly discovered vulnerabilities to ensure the security and stability of the Linux kernel and the various distributions built upon it.

Timeline

Published on: 02/26/2025 07:01:13 UTC
Last modified on: 05/04/2025 08:36:08 UTC