CVE-2022-50390

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-50390
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50390.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-50390
Downstream
Related
Published
2025-09-18T13:33:10.073Z
Modified
2026-04-11T12:44:57.050313Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
drm/ttm: fix undefined behavior in bit shift for TTM_TT_FLAG_PRIV_POPULATED
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/ttm: fix undefined behavior in bit shift for TTMTTFLAGPRIVPOPULATED

Shifting signed 32-bit value by 31 bits is undefined, so changing significant bit to unsigned. The UBSAN warning calltrace like below:

UBSAN: shift-out-of-bounds in ./include/drm/ttm/ttmtt.h:122:26 left shift of 1 by 31 places cannot be represented in type 'int' Call Trace: <TASK> dumpstacklvl+0x7d/0xa5 dumpstack+0x15/0x1b ubsan_epilogue+0xe/0x4e __ubsanhandleshiftoutofbounds+0x1e7/0x20c ttmbomovememcpy+0x3b4/0x460 [ttm] bodrivermove+0x32/0x40 [drmvramhelper] ttmbohandlemovemem+0x118/0x200 [ttm] ttmbovalidate+0xfa/0x220 [ttm] drmgemvrampinlocked+0x70/0x1b0 [drmvramhelper] drmgemvrampin+0x48/0xb0 [drmvramhelper] drmgemvramplanehelperpreparefb+0x53/0xe0 [drmvramhelper] drmgemvramsimpledisplaypipepreparefb+0x26/0x30 [drmvramhelper] drmsimplekmsplanepreparefb+0x4d/0xe0 [drmkmshelper] drmatomichelperprepareplanes+0xda/0x210 [drmkmshelper] drmatomichelpercommit+0xc3/0x1e0 [drmkmshelper] drmatomiccommit+0x9c/0x160 [drm] drmclientmodesetcommitatomic+0x33a/0x380 [drm] drmclientmodesetcommitlocked+0x77/0x220 [drm] drmclientmodeset_commit+0x31/0x60 [drm] __drmfbhelperrestorefbdevmodeunlocked+0xa7/0x170 [drmkmshelper] drmfbhelpersetpar+0x51/0x90 [drmkmshelper] fbconinit+0x316/0x790 visualinit+0x113/0x1d0 dobindcondriver+0x2a3/0x5c0 dotakeoverconsole+0xa9/0x270 dofbcontakeover+0xa1/0x170 dofbregistered+0x2a8/0x340 fbconfbregistered+0x47/0xe0 register_framebuffer+0x294/0x4a0 __drmfbhelperinitialconfigandunlock+0x43c/0x880 [drmkmshelper] drmfbhelperinitialconfig+0x52/0x80 [drmkmshelper] drmfbdevclienthotplug+0x156/0x1b0 [drmkmshelper] drmfbdevgenericsetup+0xfc/0x290 [drmkmshelper] bochspciprobe+0x6ca/0x772 [bochs] localpciprobe+0x4d/0xb0 pcideviceprobe+0x119/0x320 really_probe+0x181/0x550 __driverprobedevice+0xc6/0x220 driverprobedevice+0x32/0x100 __driverattach+0x195/0x200 busforeachdev+0xbb/0x120 driverattach+0x27/0x30 busadddriver+0x22e/0x2f0 driverregister+0xa9/0x190 __pciregisterdriver+0x90/0xa0 bochspcidriverinit+0x52/0x1000 [bochs] dooneinitcall+0x76/0x430 doinitmodule+0x61/0x28a loadmodule+0x1f82/0x2e50 __dosysfinit_module+0xf8/0x190 _x64sysfinitmodule+0x23/0x30 dosyscall64+0x58/0x80 entrySYSCALL64afterhwframe+0x63/0xcd </TASK>

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50390.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
3312be8f6fc8a8dc7cef01986dbd436eab7af0f7
Fixed
c4079a34c0adef9f35a16783fb13a9084406f96d
Fixed
2ff0309b73d86e8591881ac035af06e01c112e89
Fixed
6528971fdce0dfc0a28fec42c151a1eccdabadf5
Fixed
387659939c00156f8d6bab0fbc55b4eaf2b6bc5b

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50390.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.10.0
Fixed
5.15.199
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.0.16
Type
ECOSYSTEM
Events
Introduced
6.1.0
Fixed
6.1.2

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50390.json"