GHSA-PGRP-H7RW-4VPC
Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-14 18:31In the Linux kernel, the following vulnerability has been resolved:
drm/i915/ttm: fix CCS handling
Crucible + recent Mesa seems to sometimes hit:
GEM_BUG_ON(num_ccs_blks > NUM_CCS_BLKS_PER_XFER)
And it looks like we can also trigger this with gem_lmem_swapping, if we modify the test to use slightly larger object sizes.
Looking closer it looks like we have the following issues in migrate_copy():
-
We are using plain integer in various places, which we can easily overflow with a large object.
-
We pass the entire object size (when the src is lmem) into emit_pte() and then try to copy it, which doesn't work, since we only have a few fixed sized windows in which to map the pages and perform the copy. With an object > 8M we therefore aren't properly copying the pages. And then with an object > 64M we trigger the GEM_BUG_ON(num_ccs_blks > NUM_CCS_BLKS_PER_XFER).
So it looks like our copy handling for any object > 8M (which is our CHUNK_SZ) is currently broken on DG2.
Testcase: igt@gem_lmem_swapping (cherry picked from commit 8676145eb2f53a9940ff70910caf0125bd8a4bc2)
{
"affected": [],
"aliases": [
"CVE-2022-49963"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-18T11:15:23Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/ttm: fix CCS handling\n\nCrucible + recent Mesa seems to sometimes hit:\n\nGEM_BUG_ON(num_ccs_blks \u003e NUM_CCS_BLKS_PER_XFER)\n\nAnd it looks like we can also trigger this with gem_lmem_swapping, if we\nmodify the test to use slightly larger object sizes.\n\nLooking closer it looks like we have the following issues in\nmigrate_copy():\n\n - We are using plain integer in various places, which we can easily\n overflow with a large object.\n\n - We pass the entire object size (when the src is lmem) into\n emit_pte() and then try to copy it, which doesn\u0027t work, since we\n only have a few fixed sized windows in which to map the pages and\n perform the copy. With an object \u003e 8M we therefore aren\u0027t properly\n copying the pages. And then with an object \u003e 64M we trigger the\n GEM_BUG_ON(num_ccs_blks \u003e NUM_CCS_BLKS_PER_XFER).\n\nSo it looks like our copy handling for any object \u003e 8M (which is our\nCHUNK_SZ) is currently broken on DG2.\n\nTestcase: igt@gem_lmem_swapping\n(cherry picked from commit 8676145eb2f53a9940ff70910caf0125bd8a4bc2)",
"id": "GHSA-pgrp-h7rw-4vpc",
"modified": "2025-11-14T18:31:23Z",
"published": "2025-06-18T12:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49963"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8d905254162965c8e6be697d82c7dbf5d08f574d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/97434cb55bd884bd268626ec41489f79b261b2d4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.