Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2022-50094

Severity CVSS v4.0:
Pending analysis
Type:
CWE-125 Out-of-bounds Read
Publication date:
18/06/2025
Last modified:
18/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> spmi: trace: fix stack-out-of-bound access in SPMI tracing functions<br /> <br /> trace_spmi_write_begin() and trace_spmi_read_end() both call<br /> memcpy() with a length of "len + 1". This leads to one extra<br /> byte being read beyond the end of the specified buffer. Fix<br /> this out-of-bound memory access by using a length of "len"<br /> instead.<br /> <br /> Here is a KASAN log showing the issue:<br /> <br /> BUG: KASAN: stack-out-of-bounds in trace_event_raw_event_spmi_read_end+0x1d0/0x234<br /> Read of size 2 at addr ffffffc0265b7540 by task thermal@2.0-ser/1314<br /> ...<br /> Call trace:<br /> dump_backtrace+0x0/0x3e8<br /> show_stack+0x2c/0x3c<br /> dump_stack_lvl+0xdc/0x11c<br /> print_address_description+0x74/0x384<br /> kasan_report+0x188/0x268<br /> kasan_check_range+0x270/0x2b0<br /> memcpy+0x90/0xe8<br /> trace_event_raw_event_spmi_read_end+0x1d0/0x234<br /> spmi_read_cmd+0x294/0x3ac<br /> spmi_ext_register_readl+0x84/0x9c<br /> regmap_spmi_ext_read+0x144/0x1b0 [regmap_spmi]<br /> _regmap_raw_read+0x40c/0x754<br /> regmap_raw_read+0x3a0/0x514<br /> regmap_bulk_read+0x418/0x494<br /> adc5_gen3_poll_wait_hs+0xe8/0x1e0 [qcom_spmi_adc5_gen3]<br /> ...<br /> __arm64_sys_read+0x4c/0x60<br /> invoke_syscall+0x80/0x218<br /> el0_svc_common+0xec/0x1c8<br /> ...<br /> <br /> addr ffffffc0265b7540 is located in stack of task thermal@2.0-ser/1314 at offset 32 in frame:<br /> adc5_gen3_poll_wait_hs+0x0/0x1e0 [qcom_spmi_adc5_gen3]<br /> <br /> this frame has 1 object:<br /> [32, 33) &amp;#39;status&amp;#39;<br /> <br /> Memory state around the buggy address:<br /> ffffffc0265b7400: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1<br /> ffffffc0265b7480: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00<br /> &gt;ffffffc0265b7500: 00 00 00 00 f1 f1 f1 f1 01 f3 f3 f3 00 00 00 00<br /> ^<br /> ffffffc0265b7580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> ffffffc0265b7600: f1 f1 f1 f1 01 f2 07 f2 f2 f2 01 f3 00 00 00 00<br /> ==================================================================

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.10 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): High

Base Score 3.x
7.10
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.3 (including) 4.9.326 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.10 (including) 4.14.291 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.15 (including) 4.19.256 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.211 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.137 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.61 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 5.18.18 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.19 (including) 5.19.2 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools