About CVE-2022-39842 – PXA3xx graphics controller driver design weakness (5th Aug 2022)

Preface: The slogan in the past was that Linux is secure because vulnerabilities do not happen as often as in the Microsoft Windows OS. Perhaps that dream is broken. Linux is like a free-of-charge Lego set.
Because there are plenty of open-source drivers and libraries around, it is hard to avoid vulnerabilities.
Sometimes, when a vulnerability occurs in Linux, a minor modification to a program file written in C is enough to fix it.
Even though vulnerabilities occur in Linux daily, I am still a Linux lover.

Background: XScale is a microarchitecture for central processing units, initially designed by Intel, that implements the ARM architecture (version 5) instruction set. XScale comprises several distinct families: IXP, IXC, IOP, PXA and CE, with some later models designed as SoCs. Intel sold the PXA family to Marvell Technology Group in June 2006. Marvell then extended the brand to include processors with other microarchitectures, like ARM's Cortex.
XScale processors are a range of reduced instruction set computer (RISC) CPUs. XScale is an Advanced RISC Machines (ARM) processor with a few extra features. Codenamed Monahan P, the PXA320 is the fastest processor in the PXA3xx family and is designed to power high-end handheld devices like smartphones, PDAs and even UMPCs.

Vulnerability details: An issue was discovered in the Linux kernel before 5.19. In pxa3xx_gcu_write in drivers/video/fbdev/pxa3xx-gcu.c, the count parameter has a type conflict of size_t versus int, causing an integer overflow and bypassing the size check. After that, because it is used as the third argument to copy_from_user(), a heap overflow may occur.
Ref 1: pxa3xx-gcu.c – Linux kernel module for PXA3xx graphics controllers. This driver needs a DirectFB counterpart in user space, communication is handled via mmap()ed memory areas and an ioctl.
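
The arithmetic behind the bypass, as an added example that is not the driver's code or the upstream patch: a user-space C model of a size check done on an int word count beside the same check done at full width. The function names, the BATCH_WORDS limit and the sample counts are constructed; count is modelled as a 64-bit size_t and wrapping 32-bit arithmetic is assumed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BATCH_WORDS 8192u /* constructed limit: buffer capacity in 32-bit words */

/* Weak form: the word count is narrowed to int before the size check.
 * Returns true if the check passes; *len is the byte length that would
 * reach copy_from_user() as its third argument. */
static bool check_int_words(uint64_t count, uint64_t *len)
{
    int words = (int)(uint32_t)(count / 4); /* keeps low 32 bits, may turn negative */

    if (words >= (int)BATCH_WORDS)
        return false;
    /* multiply as unsigned to model wrapping without undefined behaviour,
     * then sign-extend as an int passed to an unsigned long parameter would be */
    *len = (uint64_t)(int64_t)(int32_t)((uint32_t)words * 4u);
    return true;
}

/* Hardened form: the word count keeps the width of count, so nothing is lost. */
static bool check_wide_words(uint64_t count, uint64_t *len)
{
    uint64_t words = count / 4;

    if (words >= BATCH_WORDS)
        return false;
    *len = words * 4;
    return true;
}

int main(void)
{
    /* constructed inputs: ordinary write, exact limit, two wrapping counts */
    const uint64_t samples[] = { 1024, 4ull * BATCH_WORDS,
                                 4ull * 0x80004000ull, 4ull * 0xFFFFFFFFull };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t a = 0, b = 0;
        bool ok_a = check_int_words(samples[i], &a);
        bool ok_b = check_wide_words(samples[i], &b);
        printf("count=%#llx int: %s len=%#llx | wide: %s len=%#llx\n",
               (unsigned long long)samples[i],
               ok_a ? "pass" : "reject", (unsigned long long)a,
               ok_b ? "pass" : "reject", (unsigned long long)b);
    }
    return 0;
}
```

The third sample passes the int check with a 65536-byte length against a 32768-byte buffer, while the full-width check rejects it. With a 32-bit size_t, count / 4 always fits in an int and the narrowing loses nothing.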

Solution: video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write – https://github.com/torvalds/linux/commit/a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7
