CVE-2022-50842
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/virtio: Check whether transferred 2D BO is shmem
Transferred 2D BO always must be a shmem BO. Add check for that to prevent NULL dereference if userspace passes a VRAM BO.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing shmem BO check in the virtio-gpu driver could cause a NULL dereference when a VRAM BO is submitted as a transferred 2D BO.
Root Cause
The vulnerability resides in the virtio-gpu DRM driver in the Linux kernel. When handling transferred 2D buffer objects (BOs), the driver assumed the BO was always backed by shmem (shared memory). It lacked a check to verify this assumption, so if a user-space application provided a VRAM (video RAM) BO instead of a shmem BO, the kernel would dereference a NULL pointer, leading to a potential denial-of-service crash [1][2].
Attack Vector
An attacker with the ability to submit a crafted DRM command to the virtio-gpu device can exploit this issue. The attacker does not need special privileges beyond being able to open and control the DRM device (e.g., a local user with access to /dev/dri/card0). By passing a VRAM BO as the source or destination in a 2D transfer operation, the kernel's code path reaches the NULL pointer dereference before any type check occurs [1][2].
Impact
If exploited, this flaw causes a NULL pointer dereference in kernel space. The immediate consequence is a system crash (kernel panic) or a denial-of-service condition. There is no indication in the references that this can lead to privilege escalation or information disclosure; the impact is limited to availability disruption [1][2].
Mitigation
The fix, introduced in Linux kernel commits [1] and [2], adds an explicit shmem BO check at the start of the transfer handling function. If the BO is not shmem, the operation returns an error (-EINVAL) instead of proceeding to the vulnerable dereference. Users should apply the latest stable kernel updates to resolve the issue. No workarounds are available for unpatched kernels.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
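The check described under Mitigation, as an added userspace C model that is not the kernel's or this page's own code. Every type and function name here is hypothetical, and the bounds check is an assumption of the model rather than something the page describes.

```c
/* Userspace model, not driver code: all type and function names are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum bo_kind { BO_SHMEM, BO_VRAM };

struct shmem_backing { uint8_t *pages; size_t size; };  /* exists only for shmem BOs */

struct model_bo {
    enum bo_kind kind;
    struct shmem_backing *shmem;   /* NULL when kind == BO_VRAM */
};

/* Copy len bytes at offset from the BO's backing pages into host.
 * The kind check runs before anything dereferences bo->shmem. */
int model_transfer_2d(const struct model_bo *bo, size_t offset, size_t len,
                      uint8_t *host)
{
    if (bo == NULL || host == NULL)
        return -EINVAL;
    if (bo->kind != BO_SHMEM || bo->shmem == NULL)
        return -EINVAL;            /* VRAM BO: reject instead of dereferencing */
    if (offset > bo->shmem->size || len > bo->shmem->size - offset)
        return -EINVAL;            /* model assumption: stay inside the pages */
    memcpy(host, bo->shmem->pages + offset, len);
    return 0;
}

/* Constructed sample objects: one shmem-backed BO, one VRAM BO. */
static uint8_t sample_pages[8] = {1, 2, 3, 4, 5, 6, 7, 8};
static struct shmem_backing sample_backing = { sample_pages, sizeof sample_pages };
static const struct model_bo shmem_bo = { BO_SHMEM, &sample_backing };
static const struct model_bo vram_bo  = { BO_VRAM, NULL };
static uint8_t host_buf[8];

int try_shmem(void) { return model_transfer_2d(&shmem_bo, 2, 4, host_buf); }
int try_vram(void)  { return model_transfer_2d(&vram_bo, 0, 4, host_buf); }
int try_oob(void)   { return model_transfer_2d(&shmem_bo, 6, 4, host_buf); }

int main(void)
{
    printf("shmem BO:     %d\n", try_shmem());
    printf("VRAM BO:      %d\n", try_vram());
    printf("out of range: %d\n", try_oob());
    return 0;
}
```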
Affected products (1)
Patches (5)
- f122bcb34f1a
- 989164305b93
- 36e133af33ea
- e473216b42aa
- f134f261d76a
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- git.kernel.org/stable/c/36e133af33ea54193378b190cf92c47c12a43d34 (nvd)
- git.kernel.org/stable/c/989164305b933af06d69bb91044dafbd01025371 (nvd)
- git.kernel.org/stable/c/e473216b42aa1fd9fc6b94b608b42c210c655908 (nvd)
- git.kernel.org/stable/c/f122bcb34f1a4b02ef3d95058d8fd1316ea03785 (nvd)
- git.kernel.org/stable/c/f134f261d76ae3d5ecf68db642eaa746ceb84cfb (nvd)