CVE-2022-50390
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Description
In the Linux kernel, the following vulnerability has been resolved:

drm/ttm: fix undefined behavior in bit shift for TTM_TT_FLAG_PRIV_POPULATED

Shifting a signed 32-bit value by 31 bits is undefined, so change the significant bit to unsigned. The UBSAN warning call trace is as below:

UBSAN: shift-out-of-bounds in ./include/drm/ttm/ttm_tt.h:122:26
left shift of 1 by 31 places cannot be represented in type 'int'
Call Trace:
 <TASK>
 dump_stack_lvl+0x7d/0xa5
 dump_stack+0x15/0x1b
 ubsan_epilogue+0xe/0x4e
 __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c
 ttm_bo_move_memcpy+0x3b4/0x460 [ttm]
 bo_driver_move+0x32/0x40 [drm_vram_helper]
 ttm_bo_handle_move_mem+0x118/0x200 [ttm]
 ttm_bo_validate+0xfa/0x220 [ttm]
 drm_gem_vram_pin_locked+0x70/0x1b0 [drm_vram_helper]
 drm_gem_vram_pin+0x48/0xb0 [drm_vram_helper]
 drm_gem_vram_plane_helper_prepare_fb+0x53/0xe0 [drm_vram_helper]
 drm_gem_vram_simple_display_pipe_prepare_fb+0x26/0x30 [drm_vram_helper]
 drm_simple_kms_plane_prepare_fb+0x4d/0xe0 [drm_kms_helper]
 drm_atomic_helper_prepare_planes+0xda/0x210 [drm_kms_helper]
 drm_atomic_helper_commit+0xc3/0x1e0 [drm_kms_helper]
 drm_atomic_commit+0x9c/0x160 [drm]
 drm_client_modeset_commit_atomic+0x33a/0x380 [drm]
 drm_client_modeset_commit_locked+0x77/0x220 [drm]
 drm_client_modeset_commit+0x31/0x60 [drm]
 __drm_fb_helper_restore_fbdev_mode_unlocked+0xa7/0x170 [drm_kms_helper]
 drm_fb_helper_set_par+0x51/0x90 [drm_kms_helper]
 fbcon_init+0x316/0x790
 visual_init+0x113/0x1d0
 do_bind_con_driver+0x2a3/0x5c0
 do_take_over_console+0xa9/0x270
 do_fbcon_takeover+0xa1/0x170
 do_fb_registered+0x2a8/0x340
 fbcon_fb_registered+0x47/0xe0
 register_framebuffer+0x294/0x4a0
 __drm_fb_helper_initial_config_and_unlock+0x43c/0x880 [drm_kms_helper]
 drm_fb_helper_initial_config+0x52/0x80 [drm_kms_helper]
 drm_fbdev_client_hotplug+0x156/0x1b0 [drm_kms_helper]
 drm_fbdev_generic_setup+0xfc/0x290 [drm_kms_helper]
 bochs_pci_probe+0x6ca/0x772 [bochs]
 local_pci_probe+0x4d/0xb0
 pci_device_probe+0x119/0x320
 really_probe+0x181/0x550
 __driver_probe_device+0xc6/0x220
 driver_probe_device+0x32/0x100
 __driver_attach+0x195/0x200
 bus_for_each_dev+0xbb/0x120
 driver_attach+0x27/0x30
 bus_add_driver+0x22e/0x2f0
 driver_register+0xa9/0x190
 __pci_register_driver+0x90/0xa0
 bochs_pci_driver_init+0x52/0x1000 [bochs]
 do_one_initcall+0x76/0x430
 do_init_module+0x61/0x28a
 load_module+0x1f82/0x2e50
 __do_sys_finit_module+0xf8/0x190
 __x64_sys_finit_module+0x23/0x30
 do_syscall_64+0x58/0x80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
 </TASK>
Analysis
An undefined-behavior vulnerability exists in the Linux kernel's TTM (Translation Table Maps) memory management subsystem: a flag definition shifts a signed 32-bit value left by 31 bits, which the C standard leaves undefined. It affects every Linux kernel version that contains the affected TTM code path. The defect is difficult to exploit directly, but a local attacker with low privileges can trigger it through GPU memory operations, and the outcome is denial of service through a kernel panic or otherwise undefined system behavior. The EPSS score of 0.01% and the absence of known public exploits indicate a low real-world exploitation probability; the CVSS 5.5 score reflects the availability impact once the path is triggered.
Technical Context
The vulnerability resides in the drm/ttm subsystem (Direct Rendering Manager / Translation Table Maps), in the Linux kernel header file ttm_tt.h at line 122, where the TTM_TT_FLAG_PRIV_POPULATED flag is defined with a left shift of a signed 32-bit integer. Specifically, the macro shifts the value 1 left by 31 positions (1 << 31); the result, 2^31, is not representable in a signed 32-bit int, so the expression is undefined behavior under the C standard, which is exactly what UBSAN (Undefined Behavior Sanitizer) reports. The affected CPE (cpe:2.3:o:linux:linux_kernel) indicates that all Linux kernel installations using TTM are potentially affected. No specific CWE is listed in the advisory; the defect is a form of improper integer handling and type-safety violation, commonly related to CWE-190 (Integer Overflow) or CWE-197 (Numeric Truncation Error). The fix changes the shifted operand from a signed int to an unsigned one, so that bit 31 is representable and the shift is well defined.
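The following is an added illustration of the pattern described above; it is not the kernel's code. It defines the flag the way the fix does (an unsigned constant), shows a check for which shift counts are defined for a signed int versus an unsigned int, mimics the page-flags test TTM performs, and shows the general C consequence of letting a signed bit-31 constant reach a wider type. The macro name with the _FIXED suffix, the helper functions and the sample flag word are assumptions made for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <limits.h>
#include <stdio.h>

/* Example definition, not the kernel header: the vulnerable form was
 * (1 << 31), a signed int shift past its sign bit; the fixed form shifts
 * an unsigned constant so bit 31 is representable. */
#define TTM_TT_FLAG_PRIV_POPULATED_FIXED  (1U << 31)

/* C11 6.5.7: for a non-negative signed E1, E1 << E2 is defined only if
 * E1 * 2^E2 fits in the result type. For the constant 1 and a 32-bit int
 * that means bits 0..30; bit 31 is undefined. */
static bool shift_of_1_is_defined_for_int(int bit)
{
    int int_bits = (int)(sizeof(int) * CHAR_BIT);
    return bit >= 0 && bit < int_bits - 1;
}

/* For unsigned int, any bit position below the type width is defined. */
static bool shift_of_1u_is_defined_for_uint(int bit)
{
    int uint_bits = (int)(sizeof(unsigned int) * CHAR_BIT);
    return bit >= 0 && bit < uint_bits;
}

/* Mimics the flag test TTM performs on a 32-bit page_flags word
 * (constructed input; field name is an assumption). */
static bool tt_is_populated(uint32_t page_flags)
{
    return (page_flags & TTM_TT_FLAG_PRIV_POPULATED_FIXED) != 0;
}

/* General C consequence of the signed form: on two's-complement targets
 * the undefined (1 << 31) commonly evaluates to INT_MIN, and a negative
 * int sign-extends when widened to 64 bits, smearing bits 32..63.
 * INT_MIN stands in for that value here so no UB is compiled. */
static uint64_t widen_signed_flag(void)
{
    int signed_flag = INT_MIN;             /* typical result of (1 << 31) */
    return (uint64_t)(int64_t)signed_flag; /* 0xFFFFFFFF80000000 */
}

/* The unsigned form widens cleanly: only bit 31 is set. */
static uint64_t widen_unsigned_flag(void)
{
    return (uint64_t)TTM_TT_FLAG_PRIV_POPULATED_FIXED; /* 0x80000000 */
}

int main(void)
{
    printf("1 << 31 defined for int:   %s\n",
           shift_of_1_is_defined_for_int(31) ? "yes" : "no");
    printf("1U << 31 defined for uint: %s\n",
           shift_of_1u_is_defined_for_uint(31) ? "yes" : "no");
    printf("populated(0x80000000): %d\n", tt_is_populated(0x80000000u));
    printf("widened signed:   0x%016llx\n",
           (unsigned long long)widen_signed_flag());
    printf("widened unsigned: 0x%016llx\n",
           (unsigned long long)widen_unsigned_flag());
    return 0;
}
```

Building the original (1 << 31) form with -fsanitize=undefined is what produces the shift-out-of-bounds report quoted in the Description; the unsigned form above is silent under the same sanitizer.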
Affected Products
The Linux kernel in all versions prior to the patch commit dates is affected, specifically any kernel that uses the drm/ttm memory management subsystem. The generic CPE (cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*) covers all systems running Linux kernels. Systems with GPU support that exercise the TTM code paths are the ones that actually reach the defect, including those using the bochs video driver (as the call trace shows) and other DRM drivers. The patch has been merged into stable kernel branches via commits 2ff0309b73d86e8591881ac035af06e01c112e89, 387659939c00156f8d6bab0fbc55b4eaf2b6bc5b, 6528971fdce0dfc0a28fec42c151a1eccdabadf5 and c4079a34c0adef9f35a16783fb13a9084406f96d in the kernel.org stable tree.
Remediation
Update the Linux kernel to a patched version released after the fix commits referenced in the kernel.org stable tree (commits 2ff0309b73d86e8591881ac035af06e01c112e89, 387659939c00156f8d6bab0fbc55b4eaf2b6bc5b, 6528971fdce0dfc0a28fec42c151a1eccdabadf5 or c4079a34c0adef9f35a16783fb13a9084406f96d). Most Linux distributions have backported this fix into their stable kernel branches; check your distribution's security advisories for the specific kernel version. For systems that cannot be patched immediately, disable GPU/DRM functionality if it is not required, or restrict local user access so that the code path cannot be triggered. The fix itself is minimal (changing a signed int to unsigned in the bit shift), so applying the patch is straightforward and raises no compatibility concerns.