GHSA-QF4P-CXX8-7GVW

Vulnerability from github – Published: 2025-06-18 12:30 – Updated: 2025-11-19 15:31
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/radeon: fix potential buffer overflow in ni_set_mc_special_registers()

The last case label can write two buffers 'mc_reg_address[j]' and 'mc_data[j]' with 'j' offset equal to SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE since there are no checks for this value in both case labels after the last 'j++'.

Instead of changing '>' to '>=' there, add the bounds check at the start of the second 'case' (the first one already has it).

Also, remove redundant last checks for 'j' index bigger than array size. The expression is always false. Moreover, before or after the patch 'table->last' can be equal to SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE and it seems it can be a valid value.

Detected using the static analysis tool - Svace.

Severity ?
7.8 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-50185"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T11:15:49Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: fix potential buffer overflow in ni_set_mc_special_registers()\n\nThe last case label can write two buffers \u0027mc_reg_address[j]\u0027 and\n\u0027mc_data[j]\u0027 with \u0027j\u0027 offset equal to SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE\nsince there are no checks for this value in both case labels after the\nlast \u0027j++\u0027.\n\nInstead of changing \u0027\u003e\u0027 to \u0027\u003e=\u0027 there, add the bounds check at the start\nof the second \u0027case\u0027 (the first one already has it).\n\nAlso, remove redundant last checks for \u0027j\u0027 index bigger than array size.\nThe expression is always false. Moreover, before or after the patch\n\u0027table-\u003elast\u0027 can be equal to SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE and it\nseems it can be a valid value.\n\nDetected using the static analysis tool - Svace.",
  "id": "GHSA-qf4p-cxx8-7gvw",
  "modified": "2025-11-19T15:31:29Z",
  "published": "2025-06-18T12:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50185"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/136f614931a2bb73616b292cf542da3a18daefd5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1f341053852be76f82610ce47a505d930512f05c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/782e413e38dffd37cc85b08b1ccb982adb4a93ce"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8508d6d23a247c29792ce2fc0df3f3404d6a6a80"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9faff03617afeced1c4e5daa89e79b3906374342"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/db1a9add3f90ff1c641974d5bb910c16b87af4ef"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/deb603c5928e546609c0d5798e231d0205748943"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ea73869df6ef386fc0feeb28ff66742ca835b18f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.