CVE-2022-50394

Summary

In the Linux kernel, the following vulnerability has been resolved:

i2c: ismt: Fix an out-of-bounds bug in ismt_access()

When the driver does not check the data from the user, the variable 'data->block[0]' may be very large to cause an out-of-bounds bug.

The following log can reveal it:

[ 33.995542] i2c i2c-1: ioctl, cmd=0x720, arg=0x7ffcb3dc3a20 [ 33.995978] ismt_smbus 0000:00:05.0: I2C_SMBUS_BLOCK_DATA: WRITE [ 33.996475] ================================================================== [ 33.996995] BUG: KASAN: out-of-bounds in ismt_access.cold+0x374/0x214b [ 33.997473] Read of size 18446744073709551615 at addr ffff88810efcfdb1 by task ismt_poc/485 [ 33.999450] Call Trace: [ 34.001849] memcpy+0x20/0x60 [ 34.002077] ismt_access.cold+0x374/0x214b [ 34.003382] __i2c_smbus_xfer+0x44f/0xfb0 [ 34.004007] i2c_smbus_xfer+0x10a/0x390 [ 34.004291] i2cdev_ioctl_smbus+0x2c8/0x710 [ 34.005196] i2cdev_ioctl+0x5ec/0x74c

Fix this bug by checking the size of 'data->block[0]' first.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9 < 4a7bb1d93addb2f67e36fed00a53cb7f270d7b7aaffected
LinuxLinux13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9 < 03b7ef7a6c5ca1ff553470166b4919db88b810f6affected
LinuxLinux13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9 < bfe41d966c860a8ad4c735639d616da270c92735affected
LinuxLinux13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9 < cdcbae2c5003747ddfd14e29db9c1d5d7e7c44ddaffected
LinuxLinux13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9 < 9ac541a0898e8ec187a3fa7024b9701cffae6bf2affected
LinuxLinux13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9 < 96c12fd0ec74641295e1c3c34dea3dce1b6c3422affected
LinuxLinux13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9 < a642469d464b2780a25a49b51ae56623c65eac34affected
LinuxLinux13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9 < 233348a04becf133283f0076e20b317302de21d9affected
LinuxLinux13f35ac14cd0a9a1c4f0034c4c40d0ae98844ce9 < 39244cc754829bf707dccd12e2ce37510f5b1f8daffected
LinuxLinux3.9affected
LinuxLinux0 < 3.9unaffected
LinuxLinux4.9.337 <= 4.9.*unaffected
LinuxLinux4.14.303 <= 4.14.*unaffected
LinuxLinux4.19.270 <= 4.19.*unaffected
LinuxLinux5.4.229 <= 5.4.*unaffected
LinuxLinux5.10.163 <= 5.10.*unaffected
LinuxLinux5.15.86 <= 5.15.*unaffected
LinuxLinux6.0.16 <= 6.0.*unaffected
LinuxLinux6.1.2 <= 6.1.*unaffected
LinuxLinux6.2 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References