CVE-2022-50390

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-50390
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50390.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-50390
Downstream
Related
Published
2025-09-18T13:33:10.073Z
Modified
2026-03-20T12:22:34.482444Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
drm/ttm: fix undefined behavior in bit shift for TTM_TT_FLAG_PRIV_POPULATED
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/ttm: fix undefined behavior in bit shift for TTMTTFLAGPRIVPOPULATED

Shifting signed 32-bit value by 31 bits is undefined, so changing significant bit to unsigned. The UBSAN warning calltrace like below:

UBSAN: shift-out-of-bounds in ./include/drm/ttm/ttmtt.h:122:26 left shift of 1 by 31 places cannot be represented in type 'int' Call Trace: <TASK> dumpstacklvl+0x7d/0xa5 dumpstack+0x15/0x1b ubsan_epilogue+0xe/0x4e __ubsanhandleshiftoutofbounds+0x1e7/0x20c ttmbomovememcpy+0x3b4/0x460 [ttm] bodrivermove+0x32/0x40 [drmvramhelper] ttmbohandlemovemem+0x118/0x200 [ttm] ttmbovalidate+0xfa/0x220 [ttm] drmgemvrampinlocked+0x70/0x1b0 [drmvramhelper] drmgemvrampin+0x48/0xb0 [drmvramhelper] drmgemvramplanehelperpreparefb+0x53/0xe0 [drmvramhelper] drmgemvramsimpledisplaypipepreparefb+0x26/0x30 [drmvramhelper] drmsimplekmsplanepreparefb+0x4d/0xe0 [drmkmshelper] drmatomichelperprepareplanes+0xda/0x210 [drmkmshelper] drmatomichelpercommit+0xc3/0x1e0 [drmkmshelper] drmatomiccommit+0x9c/0x160 [drm] drmclientmodesetcommitatomic+0x33a/0x380 [drm] drmclientmodesetcommitlocked+0x77/0x220 [drm] drmclientmodeset_commit+0x31/0x60 [drm] __drmfbhelperrestorefbdevmodeunlocked+0xa7/0x170 [drmkmshelper] drmfbhelpersetpar+0x51/0x90 [drmkmshelper] fbconinit+0x316/0x790 visualinit+0x113/0x1d0 dobindcondriver+0x2a3/0x5c0 dotakeoverconsole+0xa9/0x270 dofbcontakeover+0xa1/0x170 dofbregistered+0x2a8/0x340 fbconfbregistered+0x47/0xe0 register_framebuffer+0x294/0x4a0 __drmfbhelperinitialconfigandunlock+0x43c/0x880 [drmkmshelper] drmfbhelperinitialconfig+0x52/0x80 [drmkmshelper] drmfbdevclienthotplug+0x156/0x1b0 [drmkmshelper] drmfbdevgenericsetup+0xfc/0x290 [drmkmshelper] bochspciprobe+0x6ca/0x772 [bochs] localpciprobe+0x4d/0xb0 pcideviceprobe+0x119/0x320 really_probe+0x181/0x550 __driverprobedevice+0xc6/0x220 driverprobedevice+0x32/0x100 __driverattach+0x195/0x200 busforeachdev+0xbb/0x120 driverattach+0x27/0x30 busadddriver+0x22e/0x2f0 driverregister+0xa9/0x190 __pciregisterdriver+0x90/0xa0 bochspcidriverinit+0x52/0x1000 [bochs] dooneinitcall+0x76/0x430 doinitmodule+0x61/0x28a loadmodule+0x1f82/0x2e50 __dosysfinit_module+0xf8/0x190 _x64sysfinitmodule+0x23/0x30 dosyscall64+0x58/0x80 entrySYSCALL64afterhwframe+0x63/0xcd </TASK>

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50390.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
3312be8f6fc8a8dc7cef01986dbd436eab7af0f7
Fixed
c4079a34c0adef9f35a16783fb13a9084406f96d
Fixed
2ff0309b73d86e8591881ac035af06e01c112e89
Fixed
6528971fdce0dfc0a28fec42c151a1eccdabadf5
Fixed
387659939c00156f8d6bab0fbc55b4eaf2b6bc5b

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50390.json"