CVE-2022-50556
Description
In the Linux kernel, the following vulnerability has been resolved:
drm: Fix potential null-ptr-deref due to drmm_mode_config_init()
drmm_mode_config_init() will call drm_mode_create_standard_properties() and won't check the ret value. When drm_mode_create_standard_properties() failed due to alloc, property will be a NULL pointer and may cause the null-ptr-deref. Fix the null-ptr-deref by adding the ret value check.
Found null-ptr-deref while testing insert module bochs:
general protection fault, probably for non-canonical address 0xdffffc000000000c: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000060-0x0000000000000067]
CPU: 3 PID: 249 Comm: modprobe Not tainted 6.1.0-rc1+ #364
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
RIP: 0010:drm_object_attach_property+0x73/0x3c0 [drm]
Call Trace:
  __drm_connector_init+0xb6c/0x1100 [drm]
  bochs_pci_probe.cold.11+0x4cb/0x7fe [bochs]
  pci_device_probe+0x17d/0x340
  really_probe+0x1db/0x5d0
  __driver_probe_device+0x1e7/0x250
  driver_probe_device+0x4a/0x120
  __driver_attach+0xcd/0x2c0
  bus_for_each_dev+0x11a/0x1b0
  bus_add_driver+0x3d7/0x500
  driver_register+0x18e/0x320
  do_one_initcall+0xc4/0x3e0
  do_init_module+0x1b4/0x630
  load_module+0x5dca/0x7230
  __do_sys_finit_module+0x100/0x170
  do_syscall_64+0x3f/0x90
  entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ff65af9f839
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A null-pointer dereference in Linux kernel's DRM core, triggered during mode configuration initialization if memory allocation fails.
Vulnerability
The Linux kernel's Direct Rendering Manager (DRM) subsystem contains a null-pointer dereference vulnerability in the drmm_mode_config_init() function. This function calls drm_mode_create_standard_properties() to allocate standard DRM properties but does not check its return value. If memory allocation fails, the property pointer becomes NULL, leading to a null-ptr-deref when subsequent code—such as drm_object_attach_property()—attempts to use the NULL pointer.
Exploitation
An attacker would need to cause a memory allocation failure during the initialization of a DRM device. This can be achieved by exhausting system memory or by loading a malicious or vulnerable DRM driver module (e.g., the bochs driver) on a kernel with low memory. The vulnerability is triggered during driver probe, as shown in the kernel crash trace where bochs_pci_probe calls __drm_connector_init, which in turn invokes drm_object_attach_property on a NULL property. No special privileges beyond the ability to load a kernel module are required, though physical or local access may be needed to manipulate memory pressure.
Impact
A successful null-pointer dereference causes a kernel crash (general protection fault), leading to a denial of service (DoS). The crash trace shows an unprivileged user can trigger the bug by inserting the bochs module, causing a system panic or hang. No privilege escalation is possible, as the bug only results in a crash.
Mitigation
The fix has been committed to the Linux kernel stable tree. The patch adds a return value check for drm_mode_create_standard_properties() inside drmm_mode_config_init(). System administrators should update their kernel to a version containing the commit 961620ad6761 [1] or the equivalent backport [2]. No workaround is available besides applying the kernel update.
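The unchecked and checked init paths described above, as an added userspace C model (not the kernel patch and not code from this page). Every struct and function name is a hypothetical stand-in, and the allocation failure is injected with a flag instead of real memory pressure.

```c
/* Userspace model of the bug pattern; all names are hypothetical stand-ins. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

struct property { int id; };
struct mode_config { struct property *property; };
static int fail_alloc; /* fault injection: 1 makes the next allocation fail */

/* Stand-in for drm_mode_create_standard_properties(). */
static int create_standard_properties(struct mode_config *cfg)
{
    cfg->property = fail_alloc ? NULL : calloc(1, sizeof(*cfg->property));
    return cfg->property ? 0 : -ENOMEM;
}

/* Before the fix: the return value is dropped and init reports success. */
int mode_config_init_unchecked(struct mode_config *cfg)
{
    create_standard_properties(cfg);
    return 0;
}

/* After the fix: the error is returned so the caller can abort. */
int mode_config_init_checked(struct mode_config *cfg)
{
    return create_standard_properties(cfg);
}

/* Model of a driver probe. Returns a negative errno if init failed, 1 if
 * probe would go on to attach a NULL property (the crash site), else 0. */
int probe(int (*init)(struct mode_config *), int inject_failure)
{
    struct mode_config cfg = { 0 };
    int ret;
    fail_alloc = inject_failure;
    ret = init(&cfg);
    if (ret)
        return ret; /* probe fails cleanly, nothing is attached */
    ret = (cfg.property == NULL); /* attach would dereference this */
    free(cfg.property);
    return ret;
}

int main(void)
{
    printf("unchecked, alloc fails: %d\n", probe(mode_config_init_unchecked, 1));
    printf("checked,   alloc fails: %d\n", probe(mode_config_init_checked, 1));
    return 0;
}
```

With the failure injected, the unchecked path reports success while leaving the pointer NULL, and the checked path returns -ENOMEM before anything can be attached.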
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (5)
- 5ae70041a6d7
- d06e827a65a6
- b14147464251
- 961620ad6761
- 834c23e4f798
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- git.kernel.org/stable/c/5ae70041a6d7de62a0cdb2bbcfe0c9cf753035d0 (nvd)
- git.kernel.org/stable/c/834c23e4f798dcdc8af251b3c428ceef94741991 (nvd)
- git.kernel.org/stable/c/961620ad67611a7320a49f4b6f3c5e2906833a03 (nvd)
- git.kernel.org/stable/c/b14147464251f66e38fa39f0aae9780466db8610 (nvd)
- git.kernel.org/stable/c/d06e827a65a6bcd2e329045d891d0739cec1cf4a (nvd)