VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 24, 2025· Updated Apr 15, 2026

CVE-2023-54116

CVE-2023-54116

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/fbdev-generic: prohibit potential out-of-bounds access

The fbdev test of IGT may write after EOF, which lead to out-of-bound access for drm drivers with fbdev-generic. For example, run fbdev test on a x86+ast2400 platform, with 1680x1050 resolution, will cause the linux kernel hang with the following call trace:

Oops: 0000 [#1] PREEMPT SMP PTI [IGT] fbdev: starting subtest eof Workqueue: events drm_fb_helper_damage_work [drm_kms_helper] [IGT] fbdev: starting subtest nullptr

RIP: 0010:memcpy_erms+0xa/0x20 RSP: 0018:ffffa17d40167d98 EFLAGS: 00010246 RAX: ffffa17d4eb7fa80 RBX: ffffa17d40e0aa80 RCX: 00000000000014c0 RDX: 0000000000001a40 RSI: ffffa17d40e0b000 RDI: ffffa17d4eb80000 RBP: ffffa17d40167e20 R08: 0000000000000000 R09: ffff89522ecff8c0 R10: ffffa17d4e4c5000 R11: 0000000000000000 R12: ffffa17d4eb7fa80 R13: 0000000000001a40 R14: 000000000000041a R15: ffffa17d40167e30 FS: 0000000000000000(0000) GS:ffff895257380000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffa17d40e0b000 CR3: 00000001eaeca006 CR4: 00000000001706e0 Call Trace:

? drm_fbdev_generic_helper_fb_dirty+0x207/0x330 [drm_kms_helper] drm_fb_helper_damage_work+0x8f/0x170 [drm_kms_helper] process_one_work+0x21f/0x430 worker_thread+0x4e/0x3c0 ? __pfx_worker_thread+0x10/0x10 kthread+0xf4/0x120 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2c/0x50

CR2: ffffa17d40e0b000 ---[ end trace 0000000000000000 ]---

The is because damage rectangles computed by drm_fb_helper_memory_range_to_clip() function is not guaranteed to be bound in the screen's active display area. Possible reasons are:

1) Buffers are allocated in the granularity of page size, for mmap system call support. The shadow screen buffer consumed by fbdev emulation may also choosed be page size aligned.

2) The DIV_ROUND_UP() used in drm_fb_helper_memory_range_to_clip() will introduce off-by-one error.

For example, on a 16KB page size system, in order to store a 1920x1080 XRGB framebuffer, we need allocate 507 pages. Unfortunately, the size 1920*1080*4 can not be divided exactly by 16KB.

1920 * 1080 * 4 = 8294400 bytes 506 * 16 * 1024 = 8290304 bytes 507 * 16 * 1024 = 8306688 bytes

line_length = 1920*4 = 7680 bytes

507 * 16 * 1024 / 7680 = 1081.6

off / line_length = 507 * 16 * 1024 / 7680 = 1081 DIV_ROUND_UP(507 * 16 * 1024, 7680) will yeild 1082

memcpy_toio() typically issue the copy line by line, when copy the last line, out-of-bound access will be happen. Because:

1082 * line_length = 1082 * 7680 = 8309760, and 8309760 > 8306688

Note that userspace may still write to the invisiable area if a larger buffer than width x stride is exposed. But it is not a big issue as long as there still have memory resolve the access if not drafting so far.

  • Also limit the y1 (Daniel)
  • keep fix patch it to minimal (Daniel)
  • screen_size is page size aligned because of it need mmap (Thomas)
  • Adding fixes tag (Thomas)

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A lack of bounds checking in Linux kernel's fbdev-generic driver allows out-of-bounds write via EOF access, leading to system hang.

Vulnerability

CVE-2023-54116 is an out-of-bounds access vulnerability in the Linux kernel's drm/fbdev-generic driver. The root cause is that damage rectangles computed by drm_fb_helper_memory_range_to_clip() are not guaranteed to remain within the screen's active display area. This can occur because buffers are page-size-aligned for mmap support, and the DIV_ROUND_UP() macro introduces an off-by-one error, allowing writes beyond the allocated framebuffer memory. [1]

Exploitation

An attacker with local access can trigger the vulnerability by running the IGT GPU test suite's fbdev EOF subtest, which performs writes past the end of the framebuffer. This does not require special privileges beyond being able to execute IGT tests. The attack surface is limited to systems using the fbdev emulation layer with the generic helper, and the exploit does not need any network access—it is a local denial-of-service vector. [1]

Impact

Successful exploitation results in a kernel crash due to out-of-bounds memory access, leading to a system hang or denial of service. The call trace shows a memcpy_erms operation transferring data into an invalid memory region, causing an Oops. No privilege escalation or data corruption beyond the crash is reported. [1]

Mitigation

The fix is included in Linux kernel commit efd2821b8abe (stable tree). Users should apply kernel updates that contain this fix. No workaround is mentioned; updating the kernel is the recommended action. [1]

References
  1. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

3
efd2821b8abe
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
251653fa974e
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
c8687694bb1f
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.