CVE-2022-50653
Description
In the Linux kernel, the following vulnerability has been resolved:
mmc: atmel-mci: fix return value check of mmc_add_host()
mmc_add_host() may return an error; if we ignore its return value, it will lead to two issues:
1. The memory that is allocated in mmc_alloc_host() is leaked.
2. In the remove() path, mmc_remove_host() will be called to delete the device, but it's not added yet, so it will lead to a kernel crash because of a null-ptr-deref in device_del().
So fix this by checking the return value and calling mmc_free_host() in the error path.
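A userspace model of the error path described above, as an added example that is not code from the kernel or from this page. The sim_* helpers and the slot_init_* functions are hypothetical stand-ins for the MMC core calls and the driver's slot initialisation, and the -EINVAL result stands in for the device_del() crash.

```c
/* Userspace model, not kernel code: the sim_* helpers are simplified
 * stand-ins for mmc_alloc_host/mmc_add_host/mmc_remove_host/mmc_free_host. */
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
struct sim_host { bool added; };
static int live_hosts;  /* hosts allocated and not yet freed */
static bool fail_add;   /* constructed fault: force the add step to fail */

static struct sim_host *sim_alloc_host(void)
{
    struct sim_host *h = calloc(1, sizeof(*h));
    live_hosts += (h != NULL);
    return h;
}
static void sim_free_host(struct sim_host *h) { free(h); live_hosts--; }
static int sim_add_host(struct sim_host *h)
{
    h->added = !fail_add;
    return fail_add ? -ENOMEM : 0;
}
/* Removing a host that was never added is the device_del() crash case;
 * the model reports it as -EINVAL instead of dereferencing NULL. */
int sim_remove_host(struct sim_host *h) { return h->added ? 0 : -EINVAL; }

/* Before the fix: the add result is dropped and init reports success. */
int slot_init_unchecked(struct sim_host **slot)
{
    *slot = sim_alloc_host();
    if (!*slot)
        return -ENOMEM;
    sim_add_host(*slot);
    return 0;
}
/* After the fix: check the result and free the host on the error path. */
int slot_init_checked(struct sim_host **slot)
{
    struct sim_host *h = sim_alloc_host();
    int ret = h ? sim_add_host(h) : -ENOMEM;
    if (ret && h)
        sim_free_host(h);
    *slot = ret ? NULL : h;
    return ret;
}
int main(void)
{
    struct sim_host *slot;
    fail_add = true;    /* exit status 0 when the checked path cleans up */
    return (slot_init_checked(&slot) == -ENOMEM && !live_hosts) ? 0 : 1;
}
```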
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing return value check of mmc_add_host() in the Atmel MMC driver can lead to a memory leak and a kernel crash.
Root Cause
The vulnerability resides in the Atmel MCI driver (drivers/mmc/host/atmel-mci.c). The function mmc_add_host() can return an error, but the driver does not check its return value. This oversight can result in two issues: first, memory allocated by mmc_alloc_host() is leaked if mmc_add_host() fails; second, in the remove path, mmc_remove_host() is called even if the host was never added, leading to a null-pointer dereference in device_del().
Exploitation
An attacker with the ability to trigger a failure condition in mmc_add_host() (e.g., through resource exhaustion or hardware misconfiguration) could cause the driver to proceed with an invalid state. No authentication is required; an unprivileged user may trigger this by manipulating the system to cause the MMC subsystem to probe the device in a low-memory scenario.
Impact
Successful exploitation causes a kernel crash (denial of service) due to a null-pointer dereference. Additionally, memory leaks may degrade system performance over time. The vulnerability is rated medium severity (CVSS 5.5) as it requires local access and results in a temporary denial of service.
Mitigation
The Linux kernel stable branch includes commits that fix the issue by checking the return value of mmc_add_host() and calling mmc_free_host() on failure. The fix was applied in commits such as [1]. Users should update to a kernel version containing this patch.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (7)
- 1925472dec31
- 99a6cdfa2cf0
- 6bb26abb92f2
- 00ac0f5f9592
- cc8bb436f3c8
- 85946ceb0fac
- 9e6e8c437266
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (7)
- git.kernel.org/stable/c/00ac0f5f95920f003cd6ece53cdc759549b69118 (nvd)
- git.kernel.org/stable/c/1925472dec31ec061d57412b3a65a056ea24f340 (nvd)
- git.kernel.org/stable/c/6bb26abb92f25e582a0976091a10b539fe3796db (nvd)
- git.kernel.org/stable/c/85946ceb0fac20ab39cdb85333086daf0291a553 (nvd)
- git.kernel.org/stable/c/99a6cdfa2cf05028b52f6d8ee85ccc5f8b71b4a2 (nvd)
- git.kernel.org/stable/c/9e6e8c43726673ca2abcaac87640b9215fd72f4c (nvd)
- git.kernel.org/stable/c/cc8bb436f3c842a86b9082d97933582120d180e2 (nvd)