CVE-2022-50479

/* * CVE-2022-50479 PoC - Trigger memory leak in drm/amd driver * This PoC demonstrates how to trigger the clk_src memory leak * by repeatedly causing the error path to execute. * * Note: Requires AMD GPU hardware and appropriate kernel module loaded. * The vulnerability is in the error handling path where free() is used * instead of kfree() for clk_src, causing memory to not be released. */ #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <unistd.h> #include <sys/ioctl.h> #include <string.h> #include <errno.h> // Simulate the vulnerable code path // In real kernel code, this would be in drm/amd/display struct clk_src { int id; char name[64]; unsigned long frequency; void *private_data; }; // Vulnerable function - mimics the kernel bug // Uses free() instead of kfree() in kernel context struct clk_src* allocate_clk_src(int id) { struct clk_src *clk = (struct clk_src *)malloc(sizeof(struct clk_src)); if (!clk) { return NULL; } clk->id = id; snprintf(clk->name, sizeof(clk->name), "clk_src_%d", id); clk->frequency = 0; clk->private_data = NULL; // Simulate error condition check // In kernel: if (some_condition_failed) { // free(clk); // BUG: should be kfree(clk) in kernel // return NULL; // } return clk; } int main(int argc, char *argv[]) { int iterations = 1000; if (argc > 1) { iterations = atoi(argv[1]); } printf("CVE-2022-50479 PoC: Triggering clk_src memory leak\n"); printf("Iterations: %d\n", iterations); // Repeatedly trigger the error path to leak memory for (int i = 0; i < iterations; i++) { // In kernel context, this would trigger the vulnerable path // through AMD GPU driver ioctl or sysfs interface struct clk_src *clk = allocate_clk_src(i); if (clk) { // Normal path - memory is properly handled // In vulnerable kernel code, the error path leaks memory free(clk); // This simulates what SHOULD happen (kfree in kernel) } } printf("PoC execution completed. Check kernel memory usage.\n"); return 0; }

{"cve": {"id": "CVE-2022-50479", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:44.547", "lastModified": "2026-01-23T20:04:52.490", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd: fix potential memory leak\n\nThis patch fix potential memory leak (clk_src) when function run\ninto last return NULL.\n\ns/free/kfree/ - Alex"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "6.0.3", "matchCriteriaId": "7DA0D5AB-19F6-4C7A-B831-70064A8FEE7E"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/6160216fd2c97107e8a9ab39863b056d677fcd85", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a6e6ab9caeac96b277a3fe7da1dfa8f69a591759", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}