Unrated severity · NVD Advisory · Published Dec 9, 2025 · Updated Apr 15, 2026

CVE-2022-50642


Description

In the Linux kernel, the following vulnerability has been resolved:

platform/chrome: cros_ec_typec: zero out stale pointers

cros_typec_get_switch_handles allocates four pointers when obtaining type-c switch handles. These pointers are all freed if failing to obtain any of them; therefore, pointers in port become stale. The stale pointers eventually cause use-after-free or double free in later code paths. Zeroing out all pointer fields after freeing to eliminate these stale pointers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free/double-free vulnerability in the Linux kernel's Chrome OS Type-C driver caused by stale pointers after partial memory allocation failure.

Vulnerability

Description

In the Linux kernel's cros_ec_typec driver, the function cros_typec_get_switch_handles allocates four pointers when obtaining Type-C switch handles. If any of these allocations fail, all previously allocated pointers are freed, but the freed pointer values remain in the port structure. These stale pointers can later be dereferenced or freed again in other code paths, leading to use-after-free or double-free conditions [1].

Exploitation

An attacker who can trigger a partial allocation failure in the kernel's memory subsystem or influence the behavior of the Type-C hardware interface could cause the driver to leave stale pointers. The vulnerability is reachable through normal Type-C hotplug operations and does not require special privileges beyond physical access or the ability to manipulate USB-C connections [2].

Impact

Successful exploitation can result in kernel memory corruption, leading to a denial of service (system crash) or potentially arbitrary code execution with kernel privileges. The double-free scenario is particularly dangerous as it can be leveraged for privilege escalation from unprivileged user contexts.

Mitigation

The fix, introduced in Linux kernel version 6.2-rc1 and backported to various stable releases, zeros out all pointer fields after freeing them in cros_typec_get_switch_handles, preventing stale pointers from being used. Users are advised to apply the latest kernel updates from their distribution.
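The failure path and the fix described above, as a small userspace model (an added example, not the driver's code or the upstream patch). The `handle`, `port_model`, `sw[]`, `handle_get`, `handle_put` and `run_scenario` names are hypothetical, and a `live` flag stands in for real allocation so that a repeated release is counted rather than corrupting memory.

```c
#include <stdio.h>
#define NHANDLES 4
/* Constructed model with hypothetical names; 'live' marks a held handle. */
static struct handle { int live; } pool[NHANDLES];
struct port_model { struct handle *sw[NHANDLES]; };
static int stale_puts;            /* releases of an already-released handle */

static struct handle *handle_get(int idx, int fail_at)
{
    if (idx == fail_at) return NULL;   /* simulated lookup failure */
    pool[idx].live = 1;
    return &pool[idx];
}

static void handle_put(struct handle *h)
{
    if (!h) return;                    /* NULL is a no-op in this model */
    if (!h->live) stale_puts++;        /* double free / UAF in a real kernel */
    h->live = 0;
}

/* zero_after_put: 0 = pre-fix cleanup, 1 = fix (clear field after release). */
static int get_switch_handles(struct port_model *p, int fail_at, int zero_after_put)
{
    for (int i = 0; i < NHANDLES; i++)
        if (!(p->sw[i] = handle_get(i, fail_at))) goto err;
    return 0;
err:
    for (int i = 0; i < NHANDLES; i++) {
        handle_put(p->sw[i]);
        if (zero_after_put) p->sw[i] = NULL;
    }
    return -1;
}

static int run_scenario(int zero_after_put)
{
    struct port_model p = { { NULL } };
    stale_puts = 0;
    if (get_switch_handles(&p, 2, zero_after_put) == 0) return -1;
    for (int i = 0; i < NHANDLES; i++) handle_put(p.sw[i]);  /* later teardown */
    return stale_puts;
}

int main(void)
{
    printf("pre-fix: %d stale releases, fixed: %d\n", run_scenario(0), run_scenario(1));
    return 0;
}
```

With the third lookup failing, the pre-fix cleanup leaves two released handles in the port, and the later teardown releases both again; clearing the fields turns those releases into no-ops.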

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Linux/Kernel (inferred), 2 versions
    • (no CPE)
    • (no CPE), range: not specified

Patches

4

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
