CVE-2022-50637

Vulnerability

In the Linux kernel's Qualcomm hardware cpufreq driver, the function qcom_cpufreq_hw_read_lut() allocates memory for a table resource. If the call to get the operating performance points (OPP) table for cpu_dev fails, the function returns early without freeing the previously allocated table, causing a memory leak [1][2].

Exploitation

This vulnerability is triggered during the cpufreq driver initialization when reading the lookup table (LUT) from hardware. An attacker would need local to the system could potentially cause the OPP table retrieval to fail, leading to repeated memory leaks over time. No special privileges beyond local access are required to trigger the code path, though the exact conditions for failure depend on system state.

Impact

An attacker who can repeatedly trigger the error path can exhaust kernel memory, leading to denial of service (DoS) conditions. The leak is small per occurrence but can accumulate, potentially causing system instability or crashes.

Mitigation

The fix has been applied in the Linux kernel stable tree. Users should update to a kernel version containing the commit that releases the table resource before returning before the error return [1][2]. No workaround is available other than applying the patch.