-
CVE-2022-50094
- EPSS 0.05%
- Published 18.06.2025 11:02:32
- Last modified 18.06.2025 13:47:40
- Source 416baaa9-dc9f-4396-8d5f-8c081f
- Teams watchlist Login
- Open Login
In the Linux kernel, the following vulnerability has been resolved:
spmi: trace: fix stack-out-of-bound access in SPMI tracing functions
trace_spmi_write_begin() and trace_spmi_read_end() both call
memcpy() with a length of "len + 1". This leads to one extra
byte being read beyond the end of the specified buffer. Fix
this out-of-bound memory access by using a length of "len"
instead.
Here is a KASAN log showing the issue:
BUG: KASAN: stack-out-of-bounds in trace_event_raw_event_spmi_read_end+0x1d0/0x234
Read of size 2 at addr ffffffc0265b7540 by task thermal@2.0-ser/1314
...
Call trace:
dump_backtrace+0x0/0x3e8
show_stack+0x2c/0x3c
dump_stack_lvl+0xdc/0x11c
print_address_description+0x74/0x384
kasan_report+0x188/0x268
kasan_check_range+0x270/0x2b0
memcpy+0x90/0xe8
trace_event_raw_event_spmi_read_end+0x1d0/0x234
spmi_read_cmd+0x294/0x3ac
spmi_ext_register_readl+0x84/0x9c
regmap_spmi_ext_read+0x144/0x1b0 [regmap_spmi]
_regmap_raw_read+0x40c/0x754
regmap_raw_read+0x3a0/0x514
regmap_bulk_read+0x418/0x494
adc5_gen3_poll_wait_hs+0xe8/0x1e0 [qcom_spmi_adc5_gen3]
...
__arm64_sys_read+0x4c/0x60
invoke_syscall+0x80/0x218
el0_svc_common+0xec/0x1c8
...
addr ffffffc0265b7540 is located in stack of task thermal@2.0-ser/1314 at offset 32 in frame:
adc5_gen3_poll_wait_hs+0x0/0x1e0 [qcom_spmi_adc5_gen3]
this frame has 1 object:
[32, 33) 'status'
Memory state around the buggy address:
ffffffc0265b7400: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
ffffffc0265b7480: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffc0265b7500: 00 00 00 00 f1 f1 f1 f1 01 f3 f3 f3 00 00 00 00
^
ffffffc0265b7580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffc0265b7600: f1 f1 f1 f1 01 f2 07 f2 f2 f2 01 f3 00 00 00 00
==================================================================Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
This information is available to logged-in users. Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
VendorLinux
≫
Product
Linux
Default Statusunaffected
Version <
80f7c93e573ea9f524924bb529c2af8cb28b1c43
Version
a9fce374815d8ab94a3e6259802a944e2cc21408
Status
affected
Version <
dc6033a7761254e5a5ba7df36b64db787a53313c
Version
a9fce374815d8ab94a3e6259802a944e2cc21408
Status
affected
Version <
ac730c72bddc889f5610d51d8a7abf425e08da1a
Version
a9fce374815d8ab94a3e6259802a944e2cc21408
Status
affected
Version <
37690cb8662cec672cacda19e6e4fd2ca7b13f0b
Version
a9fce374815d8ab94a3e6259802a944e2cc21408
Status
affected
Version <
dd02510fb43168310abfd0b9ccf49993a722fb91
Version
a9fce374815d8ab94a3e6259802a944e2cc21408
Status
affected
Version <
1e0ca3d809c36ad3d1f542917718fc22ec6316e7
Version
a9fce374815d8ab94a3e6259802a944e2cc21408
Status
affected
Version <
bcc1b6b1ed3f42ed25858c1f1eb24a2f741db93f
Version
a9fce374815d8ab94a3e6259802a944e2cc21408
Status
affected
Version <
504090815c1ad3fd3fa34618b54d706727f8911c
Version
a9fce374815d8ab94a3e6259802a944e2cc21408
Status
affected
Version <
2af28b241eea816e6f7668d1954f15894b45d7e3
Version
a9fce374815d8ab94a3e6259802a944e2cc21408
Status
affected
VendorLinux
≫
Product
Linux
Default Statusaffected
Version
4.3
Status
affected
Version <
4.3
Version
0
Status
unaffected
Version <=
4.9.*
Version
4.9.326
Status
unaffected
Version <=
4.14.*
Version
4.14.291
Status
unaffected
Version <=
4.19.*
Version
4.19.256
Status
unaffected
Version <=
5.4.*
Version
5.4.211
Status
unaffected
Version <=
5.10.*
Version
5.10.137
Status
unaffected
Version <=
5.15.*
Version
5.15.61
Status
unaffected
Version <=
5.18.*
Version
5.18.18
Status
unaffected
Version <=
5.19.*
Version
5.19.2
Status
unaffected
Version <=
*
Version
6.0
Status
unaffected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.05% | 0.147 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|