CVE-2022-50239

Summary

In the Linux kernel, the following vulnerability has been resolved:

cpufreq: qcom: fix writes in read-only memory region

This commit fixes a kernel oops because of a write in some read-only memory:

[    9.068287] Unable to handle kernel write to read-only memory at virtual address ffff800009240ad8
..snip..
[    9.138790] Internal error: Oops: 9600004f [#1] PREEMPT SMP
..snip..
[    9.269161] Call trace:
[    9.276271]  __memcpy+0x5c/0x230
[    9.278531]  snprintf+0x58/0x80
[    9.282002]  qcom_cpufreq_msm8939_name_version+0xb4/0x190
[    9.284869]  qcom_cpufreq_probe+0xc8/0x39c
..snip..

The following line defines a pointer that point to a char buffer stored in read-only memory:

char *pvs_name = "speedXX-pvsXX-vXX";

This pointer is meant to hold a template "speedXX-pvsXX-vXX" where the XX values get overridden by the qcom_cpufreq_krait_name_version function. Since the template is actually stored in read-only memory, when the function executes the following call we get an oops:

snprintf(*pvs_name, sizeof("speedXX-pvsXX-vXX"), "speed%d-pvs%d-v%d",
	 speed, pvs, pvs_ver);

To fix this issue, we instead store the template name onto the stack by using the following syntax:

char pvs_name_buffer[] = "speedXX-pvsXX-vXX";

Because the pvs_name needs to be able to be assigned to NULL, the template buffer is stored in the pvs_name_buffer and not under the pvs_name variable.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxa8811ec764f95a04ba82f6f457e28c5e9e36e36b < 794ded0bc461287a268bed21fea2eebb6e5d232caffected
LinuxLinuxa8811ec764f95a04ba82f6f457e28c5e9e36e36b < 14d260f94ff89543597ffea13db8b277a810e08eaffected
LinuxLinuxa8811ec764f95a04ba82f6f457e28c5e9e36e36b < b74ee4e301ca01e431e240c046173332966e2431affected
LinuxLinuxa8811ec764f95a04ba82f6f457e28c5e9e36e36b < 01039fb8e90c9cb684430414bff70cea9eb168c5affected
LinuxLinux5.7affected
LinuxLinux0 < 5.7unaffected
LinuxLinux5.10.152 <= 5.10.*unaffected
LinuxLinux5.15.76 <= 5.15.*unaffected
LinuxLinux6.0.6 <= 6.0.*unaffected
LinuxLinux6.1 <= *unaffected

Weaknesses

References