CVE-2023-54116
Unknown Unknown - Not Provided
Out-of-Bounds Write in Linux drm/fbdev-generic Causes Kernel Hang

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: drm/fbdev-generic: prohibit potential out-of-bounds access The fbdev test of IGT may write after EOF, which lead to out-of-bound access for drm drivers with fbdev-generic. For example, run fbdev test on a x86+ast2400 platform, with 1680x1050 resolution, will cause the linux kernel hang with the following call trace: Oops: 0000 [#1] PREEMPT SMP PTI [IGT] fbdev: starting subtest eof Workqueue: events drm_fb_helper_damage_work [drm_kms_helper] [IGT] fbdev: starting subtest nullptr RIP: 0010:memcpy_erms+0xa/0x20 RSP: 0018:ffffa17d40167d98 EFLAGS: 00010246 RAX: ffffa17d4eb7fa80 RBX: ffffa17d40e0aa80 RCX: 00000000000014c0 RDX: 0000000000001a40 RSI: ffffa17d40e0b000 RDI: ffffa17d4eb80000 RBP: ffffa17d40167e20 R08: 0000000000000000 R09: ffff89522ecff8c0 R10: ffffa17d4e4c5000 R11: 0000000000000000 R12: ffffa17d4eb7fa80 R13: 0000000000001a40 R14: 000000000000041a R15: ffffa17d40167e30 FS: 0000000000000000(0000) GS:ffff895257380000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffa17d40e0b000 CR3: 00000001eaeca006 CR4: 00000000001706e0 Call Trace: <TASK> ? drm_fbdev_generic_helper_fb_dirty+0x207/0x330 [drm_kms_helper] drm_fb_helper_damage_work+0x8f/0x170 [drm_kms_helper] process_one_work+0x21f/0x430 worker_thread+0x4e/0x3c0 ? __pfx_worker_thread+0x10/0x10 kthread+0xf4/0x120 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2c/0x50 </TASK> CR2: ffffa17d40e0b000 ---[ end trace 0000000000000000 ]--- The is because damage rectangles computed by drm_fb_helper_memory_range_to_clip() function is not guaranteed to be bound in the screen's active display area. Possible reasons are: 1) Buffers are allocated in the granularity of page size, for mmap system call support. The shadow screen buffer consumed by fbdev emulation may also choosed be page size aligned. 2) The DIV_ROUND_UP() used in drm_fb_helper_memory_range_to_clip() will introduce off-by-one error. For example, on a 16KB page size system, in order to store a 1920x1080 XRGB framebuffer, we need allocate 507 pages. Unfortunately, the size 1920*1080*4 can not be divided exactly by 16KB. 1920 * 1080 * 4 = 8294400 bytes 506 * 16 * 1024 = 8290304 bytes 507 * 16 * 1024 = 8306688 bytes line_length = 1920*4 = 7680 bytes 507 * 16 * 1024 / 7680 = 1081.6 off / line_length = 507 * 16 * 1024 / 7680 = 1081 DIV_ROUND_UP(507 * 16 * 1024, 7680) will yeild 1082 memcpy_toio() typically issue the copy line by line, when copy the last line, out-of-bound access will be happen. Because: 1082 * line_length = 1082 * 7680 = 8309760, and 8309760 > 8306688 Note that userspace may still write to the invisiable area if a larger buffer than width x stride is exposed. But it is not a big issue as long as there still have memory resolve the access if not drafting so far. - Also limit the y1 (Daniel) - keep fix patch it to minimal (Daniel) - screen_size is page size aligned because of it need mmap (Thomas) - Adding fixes tag (Thomas)
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-24
Last Modified
2025-12-24
Generated
2026-05-07
AI Q&A
2025-12-24
EPSS Evaluated
2026-05-05
NVD
CVE-2023-54116
EUVD
EUVD-2023-60329
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in the Linux kernel's drm/fbdev-generic component involves a potential out-of-bounds memory access. Specifically, the fbdev test of IGT may write beyond the end of a buffer (after EOF), causing out-of-bound access in drm drivers using fbdev-generic. This happens because the damage rectangles computed by drm_fb_helper_memory_range_to_clip() are not guaranteed to be within the screen's active display area due to page size alignment and rounding errors. When copying framebuffer data line by line, the last line copy can exceed the allocated buffer size, potentially causing the kernel to hang or crash.


How can this vulnerability impact me? :

This vulnerability can cause the Linux kernel to hang or crash due to out-of-bounds memory access when running certain framebuffer tests or operations. This may lead to system instability or denial of service on affected systems using drm drivers with fbdev-generic, especially on platforms like x86+ast2400 with specific resolutions.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved in the Linux kernel by prohibiting potential out-of-bounds access in the drm/fbdev-generic driver. Immediate mitigation involves updating the Linux kernel to a version that includes the fix for this issue, which addresses the out-of-bound access caused by the fbdev test of IGT. There are no specific workaround commands provided.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by running the fbdev test of IGT (Intel Graphics Test) on a vulnerable system, especially on platforms like x86+ast2400 with specific resolutions (e.g., 1680x1050). The test may cause the Linux kernel to hang and produce a call trace indicating out-of-bounds access. To detect it, you can run the fbdev test from the IGT test suite using the command: `igt_fbdev --run=fbdev` or specifically the subtest that triggers the issue. Monitoring kernel logs (e.g., using `dmesg`) for Oops messages or call traces related to drm_fb_helper_damage_work or memcpy_erms can also help identify the problem.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart