
Published on May 28th, 2019


Linux Kernel up to 5.1.5 drm_edid_load.c drm_load_edid_firmware denial of service



CVSS Meta Temp Score: 5.5
Current Exploit Price (≈): $0-$5k

A vulnerability was found in the Linux Kernel up to 5.1.5 (Operating System). It has been rated as critical. The issue affects the function drm_load_edid_firmware in the file drivers/gpu/drm/drm_edid_load.c. Manipulation with an unknown input leads to a denial of service vulnerability (NULL Pointer Dereference). The CWE classification for the problem is CWE-476. The impact is on availability.

The weakness was disclosed on 05/24/2019. The advisory is shared for download at lkml.org. This vulnerability has been handled as CVE-2019-12382 since 05/27/2019. Technical details are known, but no exploit is available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 05/28/2019). The following code is the reason for this vulnerability; the result of kstrdup() is used without being checked:

	fwstr = kstrdup(edid_firmware, GFP_KERNEL);
	edidstr = fwstr;

	while ((edidname = strsep(&edidstr, ","))) {

Applying a patch eliminates this problem. The bugfix is ready for download at cgit.freedesktop.org. A possible mitigation was published immediately after the disclosure of the vulnerability. The vulnerability is addressed with the following lines of code:

	fwstr = kstrdup(edid_firmware, GFP_KERNEL);
	if (!fwstr)
		return ERR_PTR(-ENOMEM);
	edidstr = fwstr;

	while ((edidname = strsep(&edidstr, ","))) {
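
A user-space sketch of the patched pattern, added here as an example and not taken from the kernel source: the comma-separated list is copied, the copy is checked before `strsep()` walks it, and an allocation failure is reported as `-ENOMEM` rather than being confused with "no entry found". The names `pick_edid_name`, `dup_list` and `fail_alloc` are hypothetical, and the `connector:file` entry syntax is an assumption based on the kernel's `drm.edid_firmware` parameter.

```c
#define _DEFAULT_SOURCE /* strsep() and strdup() on glibc */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed test hook: simulates kstrdup() returning NULL under memory pressure. */
static int fail_alloc;

static char *dup_list(const char *s)
{
    return fail_alloc ? NULL : strdup(s);
}

/*
 * Pick the firmware name for `connector` from a list such as
 * "DP-1:a.bin,HDMI-A-1:b.bin,c.bin" (constructed sample). An entry without
 * a "connector:" prefix is kept as the fallback.
 * Returns 0 on success, -ENOMEM if the copy failed, -ENOENT if nothing fits.
 */
int pick_edid_name(const char *list, const char *connector,
                   char *out, size_t outsz)
{
    char *fwstr, *cursor, *entry;
    const char *chosen = NULL, *fallback = NULL;
    size_t clen = strlen(connector);
    int ret = -ENOENT;

    fwstr = dup_list(list);
    if (!fwstr)                 /* the check the patch adds */
        return -ENOMEM;
    cursor = fwstr;

    while (!chosen && (entry = strsep(&cursor, ","))) {
        char *colon = strchr(entry, ':');

        if (!colon) {
            if (*entry)
                fallback = entry;       /* unprefixed entry */
        } else if ((size_t)(colon - entry) == clen &&
                   !strncmp(entry, connector, clen)) {
            chosen = colon + 1;         /* exact connector match */
        }
    }
    if (!chosen)
        chosen = fallback;
    if (chosen && *chosen && strlen(chosen) < outsz) {
        strcpy(out, chosen);            /* length checked above */
        ret = 0;
    }
    free(fwstr);
    return ret;
}
```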

Entries connected to this vulnerability are available at 2, 3, 4 and 5.

VulDB Meta Base Score: 5.7
VulDB Meta Temp Score: 5.5

VulDB Base Score: ≈5.7
VulDB Temp Score: ≈5.5
Class: Denial of service / NULL Pointer Dereference (CWE-476)
Local: Yes
Remote: No

Status: Not defined

Recommended: Patch

Patch: cgit.freedesktop.org

05/24/2019 Advisory disclosed
05/24/2019 +0 days Countermeasure disclosed
05/27/2019 +3 days CVE assigned
05/28/2019 +1 days VulDB entry created
05/28/2019 +0 days VulDB last update

Vendor: kernel.org

Advisory: lkml.org

CVE: CVE-2019-12382

Created: 05/28/2019 10:04 AM

https://vuldb.com/?id.135656
