CVE-2022-50094

Summary

In the Linux kernel, the following vulnerability has been resolved:

spmi: trace: fix stack-out-of-bound access in SPMI tracing functions

trace_spmi_write_begin() and trace_spmi_read_end() both call memcpy() with a length of "len + 1". This leads to one extra byte being read beyond the end of the specified buffer. Fix this out-of-bound memory access by using a length of "len" instead.

Here is a KASAN log showing the issue:

BUG: KASAN: stack-out-of-bounds in trace_event_raw_event_spmi_read_end+0x1d0/0x234 Read of size 2 at addr ffffffc0265b7540 by task thermal@2.0-ser/1314 … Call trace: dump_backtrace+0x0/0x3e8 show_stack+0x2c/0x3c dump_stack_lvl+0xdc/0x11c print_address_description+0x74/0x384 kasan_report+0x188/0x268 kasan_check_range+0x270/0x2b0 memcpy+0x90/0xe8 trace_event_raw_event_spmi_read_end+0x1d0/0x234 spmi_read_cmd+0x294/0x3ac spmi_ext_register_readl+0x84/0x9c regmap_spmi_ext_read+0x144/0x1b0 [regmap_spmi] _regmap_raw_read+0x40c/0x754 regmap_raw_read+0x3a0/0x514 regmap_bulk_read+0x418/0x494 adc5_gen3_poll_wait_hs+0xe8/0x1e0 [qcom_spmi_adc5_gen3] … __arm64_sys_read+0x4c/0x60 invoke_syscall+0x80/0x218 el0_svc_common+0xec/0x1c8 …

addr ffffffc0265b7540 is located in stack of task thermal@2.0-ser/1314 at offset 32 in frame: adc5_gen3_poll_wait_hs+0x0/0x1e0 [qcom_spmi_adc5_gen3]

this frame has 1 object: [32, 33) 'status'

Memory state around the buggy address: ffffffc0265b7400: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 ffffffc0265b7480: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 >ffffffc0265b7500: 00 00 00 00 f1 f1 f1 f1 01 f3 f3 f3 00 00 00 00 ^ ffffffc0265b7580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffffc0265b7600: f1 f1 f1 f1 01 f2 07 f2 f2 f2 01 f3 00 00 00 00

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxa9fce374815d8ab94a3e6259802a944e2cc21408 < 80f7c93e573ea9f524924bb529c2af8cb28b1c43affected
LinuxLinuxa9fce374815d8ab94a3e6259802a944e2cc21408 < dc6033a7761254e5a5ba7df36b64db787a53313caffected
LinuxLinuxa9fce374815d8ab94a3e6259802a944e2cc21408 < ac730c72bddc889f5610d51d8a7abf425e08da1aaffected
LinuxLinuxa9fce374815d8ab94a3e6259802a944e2cc21408 < 37690cb8662cec672cacda19e6e4fd2ca7b13f0baffected
LinuxLinuxa9fce374815d8ab94a3e6259802a944e2cc21408 < dd02510fb43168310abfd0b9ccf49993a722fb91affected
LinuxLinuxa9fce374815d8ab94a3e6259802a944e2cc21408 < 1e0ca3d809c36ad3d1f542917718fc22ec6316e7affected
LinuxLinuxa9fce374815d8ab94a3e6259802a944e2cc21408 < bcc1b6b1ed3f42ed25858c1f1eb24a2f741db93faffected
LinuxLinuxa9fce374815d8ab94a3e6259802a944e2cc21408 < 504090815c1ad3fd3fa34618b54d706727f8911caffected
LinuxLinuxa9fce374815d8ab94a3e6259802a944e2cc21408 < 2af28b241eea816e6f7668d1954f15894b45d7e3affected
LinuxLinux4.3affected
LinuxLinux0 < 4.3unaffected
LinuxLinux4.9.326 <= 4.9.*unaffected
LinuxLinux4.14.291 <= 4.14.*unaffected
LinuxLinux4.19.256 <= 4.19.*unaffected
LinuxLinux5.4.211 <= 5.4.*unaffected
LinuxLinux5.10.137 <= 5.10.*unaffected
LinuxLinux5.15.61 <= 5.15.*unaffected
LinuxLinux5.18.18 <= 5.18.*unaffected
LinuxLinux5.19.2 <= 5.19.*unaffected
LinuxLinux6.0 <= *unaffected

Weaknesses

References