CVE-2022-50185
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
18/06/2025
Last modified:
18/06/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

drm/radeon: fix potential buffer overflow in ni_set_mc_special_registers()

The last case label can write two buffers 'mc_reg_address[j]' and
'mc_data[j]' with 'j' offset equal to SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE
since there are no checks for this value in both case labels after the
last 'j++'.

Instead of changing '>' to '>=' there, add the bounds check at the start
of the second 'case' (the first one already has it).

Also, remove redundant last checks for 'j' index bigger than array size.
The expression is always false. Moreover, before or after the patch
'table->last' can be equal to SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE and it
seems it can be a valid value.

Detected using the static analysis tool - Svace.
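
A simplified user-space model of the check placement described above, added here as an illustration and not taken from the kernel source. The array size value, the register kinds, the written values and the extra guard slot are assumptions, chosen so the stray write at index `j == size` can be observed safely.

```c
#include <errno.h>
#include <stdint.h>

#define MC_ARRAY_SIZE 16  /* stands in for SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE (constructed value) */
#define GUARD 0xFFFFu     /* sentinel kept in one extra slot so the stray write is visible */
enum { REG_OTHER, REG_MISC1, REG_RESERVE_M };  /* hypothetical register kinds */

struct mc_table {
    uint8_t  last;
    uint16_t addr[MC_ARRAY_SIZE + 1];  /* modelled array plus guard slot (model only) */
};

/* Simplified model of the switch; patched=0 keeps the pre-fix check placement. */
static int set_special(struct mc_table *t, int patched)
{
    uint8_t i, j;
    for (i = 0, j = t->last; i < t->last; i++) {
        switch (t->addr[i]) {
        case REG_MISC1:      /* first case: bounds check at its start already */
            if (j >= MC_ARRAY_SIZE) return -EINVAL;
            t->addr[j++] = 0x100;
            if (j >= MC_ARRAY_SIZE) return -EINVAL;
            t->addr[j++] = 0x101;
            break;           /* j == MC_ARRAY_SIZE is possible on exit */
        case REG_RESERVE_M:  /* second case */
            if (patched && j >= MC_ARRAY_SIZE) return -EINVAL;  /* the added check */
            t->addr[j++] = 0x102;  /* pre-fix: reached even when j == MC_ARRAY_SIZE */
            if (!patched && j > MC_ARRAY_SIZE) return -EINVAL;  /* fires after the write */
            break;
        }
    }
    t->last = j;  /* may legitimately equal MC_ARRAY_SIZE */
    return 0;
}

/* Constructed input: `last` entries, the first n of them REG_RESERVE_M. */
static struct mc_table make_table(uint8_t last, uint8_t n)
{
    struct mc_table t = { .last = last };
    for (uint8_t i = 0; i < n; i++) t.addr[i] = REG_RESERVE_M;
    t.addr[MC_ARRAY_SIZE] = GUARD;
    return t;
}

static int guard_clobbered(const struct mc_table *t)
{
    return t->addr[MC_ARRAY_SIZE] != GUARD;
}
```

With `last = 15` and two `REG_RESERVE_M` entries, the pre-fix path returns `-EINVAL` only after overwriting the guard slot, while the patched path rejects the second entry before any write.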
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/136f614931a2bb73616b292cf542da3a18daefd5
- https://git.kernel.org/stable/c/1f341053852be76f82610ce47a505d930512f05c
- https://git.kernel.org/stable/c/782e413e38dffd37cc85b08b1ccb982adb4a93ce
- https://git.kernel.org/stable/c/8508d6d23a247c29792ce2fc0df3f3404d6a6a80
- https://git.kernel.org/stable/c/9faff03617afeced1c4e5daa89e79b3906374342
- https://git.kernel.org/stable/c/db1a9add3f90ff1c641974d5bb910c16b87af4ef
- https://git.kernel.org/stable/c/deb603c5928e546609c0d5798e231d0205748943
- https://git.kernel.org/stable/c/ea73869df6ef386fc0feeb28ff66742ca835b18f