Unrated severity · NVD Advisory · Published Dec 9, 2025 · Updated Apr 15, 2026

CVE-2022-50649

Description

In the Linux kernel, the following vulnerability has been resolved:

power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type()

ADP5061_CHG_STATUS_1_CHG_STATUS is masked with 0x07, which means a length of 8, but the adp5061_chg_type array size is 4, so it may end up reading 4 elements beyond the end of the adp5061_chg_type[] array.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An out-of-bounds read in the Linux kernel's ADP5061 charger driver, caused by a missing bounds check on an array index, can lead to potential disclosure of kernel memory.

Vulnerability

In the Linux kernel's power supply subsystem, the adp5061_get_chg_type() function in the ADP5061 charger driver performs a masked read of a status register without validating the result against the size of the lookup array. The status field ADP5061_CHG_STATUS_1_CHG_STATUS is masked with 0x07, allowing values 0-7, but the adp5061_chg_type[] array only has 4 elements. This mismatch can cause an out-of-bounds read when the masked value is >= 4 [1][2][3].

Exploitation

An attacker would need the ability to influence the charger status register, likely through physical access or a compromised I2C controller. The vulnerability is triggered during normal operation when the driver reads the charge type. No special privileges or authentication are required beyond the ability to interact with the hardware.

Impact

A successful out-of-bounds read can lead to disclosure of sensitive kernel memory if the read accesses unintended data. Depending on the surrounding memory layout, this could result in information leakage or potentially a system crash (denial of service). The impact is limited to the kernel's address space.

Mitigation

Patches have been incorporated into the Linux kernel stable releases. The fix involves adding a bounds check on the array index before accessing adp5061_chg_type[]. Users should update their kernel to a version containing the patch [1][2][3].
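
The index/size mismatch and the bounds check described above, as an added user-space example (not the driver's source or the upstream patch). The table values, the function names and the placement of the status field in the low three bits of the register byte are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
/* Mask from the advisory: a 3-bit field, so values 0..7 are possible.
 * Assumption: the field sits in the low three bits of the register byte. */
#define CHG_STATUS_MASK 0x07u

/* Constructed stand-ins for charge-type values; not the kernel's enum. */
enum { CHG_UNKNOWN = -1, CHG_NONE, CHG_TRICKLE, CHG_FAST };

/* Four-entry table, matching the array size given in the advisory. */
static const int chg_type_table[4] = { CHG_NONE, CHG_TRICKLE, CHG_FAST, CHG_FAST };

/* Pre-fix pattern: the masked field indexes the table directly, so a
 * field value of 4..7 reads past the end. Only safe for values 0..3. */
int chg_type_unchecked(uint8_t status1)
{
	return chg_type_table[status1 & CHG_STATUS_MASK];
}

/* Bounds-checked pattern: an index the table does not cover is reported
 * as unknown instead of being dereferenced. */
int chg_type_checked(uint8_t status1)
{
	size_t idx = status1 & CHG_STATUS_MASK;
	if (idx >= ARRAY_SIZE(chg_type_table))
		return CHG_UNKNOWN;
	return chg_type_table[idx];
}

/* Count the register bytes (0x00..0xff) whose field exceeds the table. */
unsigned int count_out_of_range(void)
{
	unsigned int n = 0;
	for (unsigned int reg = 0; reg <= 0xff; reg++)
		if ((reg & CHG_STATUS_MASK) >= ARRAY_SIZE(chg_type_table))
			n++;
	return n;
}

int main(void)
{
	printf("status 0x03 -> %d (in range)\n", chg_type_checked(0x03));
	printf("status 0x05 -> %d (rejected)\n", chg_type_checked(0x05));
	printf("%u of 256 register values index past the table\n", count_out_of_range());
	return 0;
}
```

Half of all possible register bytes produce an index the four-entry table does not cover, which is why the check has to compare against the table size rather than rely on the mask.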

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
