CVE-2022-50094

{"id": "CVE-2022-50094", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.8}]}, "published": "2025-06-18T11:15:38.620", "references": [{"url": "https://git.kernel.org/stable/c/1e0ca3d809c36ad3d1f542917718fc22ec6316e7", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2af28b241eea816e6f7668d1954f15894b45d7e3", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/37690cb8662cec672cacda19e6e4fd2ca7b13f0b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/504090815c1ad3fd3fa34618b54d706727f8911c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/80f7c93e573ea9f524924bb529c2af8cb28b1c43", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ac730c72bddc889f5610d51d8a7abf425e08da1a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bcc1b6b1ed3f42ed25858c1f1eb24a2f741db93f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dc6033a7761254e5a5ba7df36b64db787a53313c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dd02510fb43168310abfd0b9ccf49993a722fb91", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-125"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspmi: trace: fix stack-out-of-bound access in SPMI tracing functions\n\ntrace_spmi_write_begin() and trace_spmi_read_end() both call\nmemcpy() with a length of \"len + 1\". This leads to one extra\nbyte being read beyond the end of the specified buffer. Fix\nthis out-of-bound memory access by using a length of \"len\"\ninstead.\n\nHere is a KASAN log showing the issue:\n\nBUG: KASAN: stack-out-of-bounds in trace_event_raw_event_spmi_read_end+0x1d0/0x234\nRead of size 2 at addr ffffffc0265b7540 by task thermal@2.0-ser/1314\n...\nCall trace:\n dump_backtrace+0x0/0x3e8\n show_stack+0x2c/0x3c\n dump_stack_lvl+0xdc/0x11c\n print_address_description+0x74/0x384\n kasan_report+0x188/0x268\n kasan_check_range+0x270/0x2b0\n memcpy+0x90/0xe8\n trace_event_raw_event_spmi_read_end+0x1d0/0x234\n spmi_read_cmd+0x294/0x3ac\n spmi_ext_register_readl+0x84/0x9c\n regmap_spmi_ext_read+0x144/0x1b0 [regmap_spmi]\n _regmap_raw_read+0x40c/0x754\n regmap_raw_read+0x3a0/0x514\n regmap_bulk_read+0x418/0x494\n adc5_gen3_poll_wait_hs+0xe8/0x1e0 [qcom_spmi_adc5_gen3]\n ...\n __arm64_sys_read+0x4c/0x60\n invoke_syscall+0x80/0x218\n el0_svc_common+0xec/0x1c8\n ...\n\naddr ffffffc0265b7540 is located in stack of task thermal@2.0-ser/1314 at offset 32 in frame:\n adc5_gen3_poll_wait_hs+0x0/0x1e0 [qcom_spmi_adc5_gen3]\n\nthis frame has 1 object:\n [32, 33) 'status'\n\nMemory state around the buggy address:\n ffffffc0265b7400: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1\n ffffffc0265b7480: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00\n>ffffffc0265b7500: 00 00 00 00 f1 f1 f1 f1 01 f3 f3 f3 00 00 00 00\n ^\n ffffffc0265b7580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffffffc0265b7600: f1 f1 f1 f1 01 f2 07 f2 f2 f2 01 f3 00 00 00 00\n=================================================================="}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: spmi: trace: se corrige el acceso fuera de los l\u00edmites de la pila en las funciones de seguimiento de SPMI. Las funciones trace_spmi_write_begin() y trace_spmi_read_end() llaman a memcpy() con una longitud de \"len + 1\". Esto provoca la lectura de un byte adicional m\u00e1s all\u00e1 del final del b\u00fafer especificado. Corrija este acceso fuera de los l\u00edmites de la pila utilizando una longitud de \"len\". Aqu\u00ed hay un registro de KASAN que muestra el problema: ERROR: KASAN: pila fuera de los l\u00edmites en trace_event_raw_event_spmi_read_end+0x1d0/0x234 Lectura de tama\u00f1o 2 en la direcci\u00f3n ffffffc0265b7540 por la tarea thermal@2.0-ser/1314 ... Seguimiento de llamadas: dump_backtrace+0x0/0x3e8 show_stack+0x2c/0x3c dump_stack_lvl+0xdc/0x11c print_address_description+0x74/0x384 kasan_report+0x188/0x268 kasan_check_range+0x270/0x2b0 memcpy+0x90/0xe8 trace_event_raw_event_spmi_read_end+0x1d0/0x234 spmi_read_cmd+0x294/0x3ac spmi_ext_register_readl+0x84/0x9c regmap_spmi_ext_read+0x144/0x1b0 [regmap_spmi] _regmap_raw_read+0x40c/0x754 regmap_raw_read+0x3a0/0x514 regmap_bulk_read+0x418/0x494 adc5_gen3_poll_wait_hs+0xe8/0x1e0 [qcom_spmi_adc5_gen3] ... __arm64_sys_read+0x4c/0x60 invoke_syscall+0x80/0x218 el0_svc_common+0xec/0x1c8 ... la direcci\u00f3n ffffffc0265b7540 se encuentra en la pila de tareas thermal@2.0-ser/1314 en el desplazamiento 32 en el marco: adc5_gen3_poll_wait_hs+0x0/0x1e0 [qcom_spmi_adc5_gen3] este marco tiene 1 objeto: [32, 33) 'status' Estado de la memoria alrededor de la direcci\u00f3n con errores: ffffffc0265b7400: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 fffffc0265b7480: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 >fffffc0265b7500: 00 00 00 00 f1 f1 f1 f1 01 f3 f3 f3 00 00 00 00 ^ ffffffc0265b7580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffffc0265b7600: f1 f1 f1 f1 01 f2 07 f2 f2 f2 01 f3 00 00 00 00 ===================================================================="}], "lastModified": "2025-11-18T02:45:05.577", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CA31F53B-AA1E-486E-8FFA-876484D8D2D9", "versionEndExcluding": "4.9.326", "versionStartIncluding": "4.3"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3BBC7E43-6161-4F21-977C-5BB7792C6C94", "versionEndExcluding": "4.14.291", "versionStartIncluding": "4.10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6C47CDE3-B039-4AE5-B8E4-1DC820E473FF", "versionEndExcluding": "4.19.256", "versionStartIncluding": "4.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B1C63D19-C08C-4308-A848-B2523C9275BD", "versionEndExcluding": "5.4.211", "versionStartIncluding": "4.20"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C2BF720F-C5EE-4DE2-9BDF-CE4CFBC767F4", "versionEndExcluding": "5.10.137", "versionStartIncluding": "5.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "51861563-7F40-460F-82CD-2D3FBDAD6618", "versionEndExcluding": "5.15.61", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5B42E453-8837-49D0-A5EF-03F818A6DC11", "versionEndExcluding": "5.18.18", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A1A2A5A5-4598-4D7E-BA07-4660398D6C8F", "versionEndExcluding": "5.19.2", "versionStartIncluding": "5.19"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}