CVE-2022-50370

{"id": "CVE-2022-50370", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-09-17T15:15:35.950", "references": [{"url": "https://git.kernel.org/stable/c/301c8f5c32c8fb79c67539bc23972dc3ef48024c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7fa5304c4b5b425d4a0b3acf10139a7f6108a85f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a206f7fbe9589c60fafad12884628c909ecb042f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/aa59ac81e859006d3a1df035a19b3f2089110f93", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: designware: Fix handling of real but unexpected device interrupts\n\nCommit c7b79a752871 (\"mfd: intel-lpss: Add Intel Alder Lake PCH-S PCI\nIDs\") caused a regression on certain Gigabyte motherboards for Intel\nAlder Lake-S where system crashes to NULL pointer dereference in\ni2c_dw_xfer_msg() when system resumes from S3 sleep state (\"deep\").\n\nI was able to debug the issue on Gigabyte Z690 AORUS ELITE and made\nfollowing notes:\n\n- Issue happens when resuming from S3 but not when resuming from\n \"s2idle\"\n- PCI device 00:15.0 == i2c_designware.0 is already in D0 state when\n system enters into pci_pm_resume_noirq() while all other i2c_designware\n PCI devices are in D3. Devices were runtime suspended and in D3 prior\n entering into suspend\n- Interrupt comes after pci_pm_resume_noirq() when device interrupts are\n re-enabled\n- According to register dump the interrupt really comes from the\n i2c_designware.0. Controller is enabled, I2C target address register\n points to a one detectable I2C device address 0x60 and the\n DW_IC_RAW_INTR_STAT register START_DET, STOP_DET, ACTIVITY and\n TX_EMPTY bits are set indicating completed I2C transaction.\n\nMy guess is that the firmware uses this controller to communicate with\nan on-board I2C device during resume but does not disable the controller\nbefore giving control to an operating system.\n\nI was told the UEFI update fixes this but never the less it revealed the\ndriver is not ready to handle TX_EMPTY (or RX_FULL) interrupt when device\nis supposed to be idle and state variables are not set (especially the\ndev->msgs pointer which may point to NULL or stale old data).\n\nIntroduce a new software status flag STATUS_ACTIVE indicating when the\ncontroller is active in driver point of view. Now treat all interrupts\nthat occur when is not set as unexpected and mask all interrupts from\nthe controller."}], "lastModified": "2025-12-11T19:28:32.627", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EAB8900F-C087-4F93-8E70-3D7FD81F7822", "versionEndExcluding": "5.15.75", "versionStartIncluding": "5.12"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "19B4C3A4-E5C3-41DC-BB14-BE72858E7D35", "versionEndExcluding": "5.19.17", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5BCD8201-B847-4442-B894-70D430128DEF", "versionEndExcluding": "6.0.3", "versionStartIncluding": "6.0"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}