CVE-2022-49070

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49070
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49070.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49070
Published
2025-02-26T01:54:36.360Z
Modified
2025-11-28T02:35:40.901572Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
fbdev: Fix unregistering of framebuffers without device
Details

In the Linux kernel, the following vulnerability has been resolved:

fbdev: Fix unregistering of framebuffers without device

OF framebuffers do not have an underlying device in the Linux device hierarchy. Do a regular unregister call instead of hot unplugging such a non-existing device. Fixes a NULL dereference. An example error message on ppc64le is shown below.

BUG: Kernel NULL pointer dereference on read at 0x00000060
Faulting instruction address: 0xc00000000080dfa4
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
[...]
CPU: 2 PID: 139 Comm: systemd-udevd Not tainted 5.17.0-ae085d7f9365 #1
NIP: c00000000080dfa4 LR: c00000000080df9c CTR: c000000000797430
REGS: c000000004132fe0 TRAP: 0300 Not tainted (5.17.0-ae085d7f9365)
MSR: 8000000002009033 <SF,VEC,EE,ME,IR,DR,RI,LE> CR: 28228282 XER: 20000000
CFAR: c00000000000c80c DAR: 0000000000000060 DSISR: 40000000 IRQMASK: 0
GPR00: c00000000080df9c c000000004133280 c00000000169d200 0000000000000029
GPR04: 00000000ffffefff c000000004132f90 c000000004132f88 0000000000000000
GPR08: c0000000015658f8 c0000000015cd200 c0000000014f57d0 0000000048228283
GPR12: 0000000000000000 c00000003fffe300 0000000020000000 0000000000000000
GPR16: 0000000000000000 0000000113fc4a40 0000000000000005 0000000113fcfb80
GPR20: 000001000f7283b0 0000000000000000 c000000000e4a588 c000000000e4a5b0
GPR24: 0000000000000001 00000000000a0000 c008000000db0168 c0000000021f6ec0
GPR28: c0000000016d65a8 c000000004b36460 0000000000000000 c0000000016d64b0
NIP [c00000000080dfa4] do_remove_conflicting_framebuffers+0x184/0x1d0
[c000000004133280] [c00000000080df9c] do_remove_conflicting_framebuffers+0x17c/0x1d0 (unreliable)
[c000000004133350] [c00000000080e4d0] remove_conflicting_framebuffers+0x60/0x150
[c0000000041333a0] [c00000000080e6f4] remove_conflicting_pci_framebuffers+0x134/0x1b0
[c000000004133450] [c008000000e70438] drm_aperture_remove_conflicting_pci_framebuffers+0x90/0x100 [drm]
[c000000004133490] [c008000000da0ce4] bochs_pci_probe+0x6c/0xa64 [bochs]
[...]
[c000000004133db0] [c00000000002aaa0] system_call_exception+0x170/0x2d0
[c000000004133e10] [c00000000000c3cc] system_call_common+0xec/0x250

The bug [1] was introduced by commit 27599aacbaef ("fbdev: Hot-unplug firmware fb devices on forced removal"). Most firmware framebuffers have an underlying platform device, which can be hot-unplugged before loading the native graphics driver. OF framebuffers do not (yet) have that device. Fix the code by unregistering the framebuffer as before without a hot unplug.

Tested with 5.17 on qemu ppc64le emulation.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49070.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c894ac44786cfed383a6c6b20c1bfb12eb96018a
Fixed
2388f826cdc9af2651991adc0feb79de9bdf2232
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9565a3b5203a4d57acbc1d0e981c6df71864b4ab
Fixed
de33df481545974ba47c46f05194e769e4307843
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4d695d7c276f15adb1d2b64c584c3cf8f4f9e9ce
Fixed
feed87ff122b1640c221d4dd559442ab2cd50bb1
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
27599aacbaefcbf2af7b06b0029459bbf682000d
Fixed
0f525289ff0ddeb380813bd81e0f9bdaaa1c9078

Affected versions

v5.*

v5.15.33
v5.16
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.16.19
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.17.2
v5.18-rc1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49070.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.15.33
Fixed
5.15.34
Type
ECOSYSTEM
Events
Introduced
5.16.19
Fixed
5.16.20
Type
ECOSYSTEM
Events
Introduced
5.17.2
Fixed
5.17.3

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49070.json"