CVE-2022-49218

CVE-2022-49218 is an out-of-bounds read vulnerability in the Linux kernel's Direct Rendering Manager (DRM) DisplayPort (DP) helper code, specifically in the drm_dp_get_adjust_request_post_cursor function within drivers/gpu/drm/drm_dp_helper.c. The issue arises because the link_status array, defined as a fixed-size array of 6 bytes (DP_LINK_STATUS_SIZE), is accessed with an index that can reach 10 when handling the Adjust Request Post Cursor2 register, triggering an out-of-bounds read. This was detected during a build with -Warray-bounds warnings. The vulnerability affects Linux kernel versions incorporating the flawed DRM/DP helper code.

Exploitation requires local access to the system with low privileges (AV:L/AC:L/PR:L/UI:N/S:U). A malicious local user could trigger the vulnerable code path during DisplayPort link status handling, potentially leading to high confidentiality impact through unauthorized memory reads (C:H) and high availability impact via denial of service, such as kernel crashes (A:H), with no integrity impact (I:N). The CVSS v3.1 base score is 7.1, and it is associated with CWE-125 (Out-of-bounds Read).

Kernel stable patches address the issue by removing the common helper function drm_dp_get_adjust_request_post_cursor and replacing its sole usage with an open-coded fetch and decode operation, mirroring the approach in drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c. The fixes are available in kernel stable commits at https://git.kernel.org/stable/c/a2151490cc6c57b368d7974ffd447a8b36ade639 and https://git.kernel.org/stable/c/aeaed9a9fe694f8b1462fb81e2d33298c929180b.