CVE-2022-39842

2022-09-0507:15:08

CWE-190

[email protected]

web.nvd.nist.gov

linux kernel

pxa3xx-gcu.c

integer overflow

size check

heap overflow

CVSS3

6.1

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

EPSS

0.001

Percentile

19.0%

JSON

An issue was discovered in the Linux kernel before 5.19. In pxa3xx_gcu_write in drivers/video/fbdev/pxa3xx-gcu.c, the count parameter has a type conflict of size_t versus int, causing an integer overflow and bypassing the size check. After that, because it is used as the third argument to copy_from_user(), a heap overflow may occur. NOTE: the original discoverer disputes that the overflow can actually happen.

Affected configurations

Nvd

Node

linuxlinux_kernelRange<5.19

linuxlinux_kernelMatch5.19rc1

linuxlinux_kernelMatch5.19rc2

linuxlinux_kernelMatch5.19rc3

Node

debiandebian_linuxMatch10.0

Node

debiandebian_linuxMatch10.0

debiandebian_linuxMatch11.0

VendorProductVersionCPE
linuxlinux_kernel*cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
linuxlinux_kernel5.19cpe:2.3:o:linux:linux_kernel:5.19:rc1:*:*:*:*:*:*
linuxlinux_kernel5.19cpe:2.3:o:linux:linux_kernel:5.19:rc2:*:*:*:*:*:*
linuxlinux_kernel5.19cpe:2.3:o:linux:linux_kernel:5.19:rc3:*:*:*:*:*:*
debiandebian_linux10.0cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
debiandebian_linux11.0cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
linux	linux_kernel	*	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	5.19	cpe:2.3:o:linux:linux_kernel:5.19:rc1::::::
linux	linux_kernel	5.19	cpe:2.3:o:linux:linux_kernel:5.19:rc2::::::
linux	linux_kernel	5.19	cpe:2.3:o:linux:linux_kernel:5.19:rc3::::::
debian	debian_linux	10.0	cpe:2.3:o:debian:debian_linux:10.0:::::::*
debian	debian_linux	11.0	cpe:2.3:o:debian:debian_linux:11.0:::::::*