Unrated severity · NVD Advisory · Published Dec 9, 2025 · Updated Apr 15, 2026

CVE-2022-50659

Description

In the Linux kernel, the following vulnerability has been resolved:

hwrng: geode - Fix PCI device refcount leak

for_each_pci_dev() is implemented by pci_get_device(). The comment of pci_get_device() says that it will increase the reference count for the returned pci_dev and also decrease the reference count for the input pci_dev @from if it is not NULL.

If we break for_each_pci_dev() loop with pdev not NULL, we need to call pci_dev_put() to decrease the reference count. We add a new struct 'amd_geode_priv' to record pointer of the pci_dev and membase, and then add missing pci_dev_put() for the normal and error path.
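The reference-count rule described above, modelled in user space as an added example; it is not the kernel's code or the actual patch. The `sim_*` functions, the three-device bus and the probe/remove helpers are constructed stand-ins for pci_get_device(), pci_dev_put(), for_each_pci_dev() and the driver's load and unload paths.

```c
/* User-space model only: the sim_* names are stand-ins for the kernel API. */
#include <stddef.h>
#include <stdio.h>

struct sim_pci_dev { int id; int refcount; };
struct sim_priv { struct sim_pci_dev *pcidev; };  /* plays the role of amd_geode_priv */
static struct sim_pci_dev bus[3];                 /* constructed three-device bus */

static void sim_pci_dev_put(struct sim_pci_dev *d) { if (d) d->refcount--; }
/* Documented contract: reference the returned device, drop the one on @from. */
static struct sim_pci_dev *sim_pci_get_device(struct sim_pci_dev *from) {
    size_t next = from ? (size_t)(from - bus) + 1 : 0;
    struct sim_pci_dev *d = next < 3 ? &bus[next] : NULL;
    if (d) d->refcount++;
    sim_pci_dev_put(from);
    return d;
}
#define sim_for_each_pci_dev(d) while (((d) = sim_pci_get_device(d)) != NULL)

/* Before: leaving the loop early keeps a reference that nobody ever drops. */
static int probe_leaky(int want) {
    struct sim_pci_dev *pdev = NULL;
    sim_for_each_pci_dev(pdev)
        if (pdev->id == want) return 0;
    return -1;  /* loop ran to the end: nothing is held */
}
/* After: record the pointer for a later put; drop it at once on the error path. */
static int probe_fixed(int want, struct sim_priv *priv, int fail_after_match) {
    struct sim_pci_dev *pdev = NULL;
    sim_for_each_pci_dev(pdev)
        if (pdev->id == want) break;
    if (!pdev) return -1;
    if (fail_after_match) { sim_pci_dev_put(pdev); return -2; }
    priv->pcidev = pdev;
    return 0;
}
static void remove_fixed(struct sim_priv *priv) { sim_pci_dev_put(priv->pcidev); priv->pcidev = NULL; }

/* Net references left over on the bus after `cycles` load/unload rounds. */
int leaked_after(int cycles, int fixed) {
    struct sim_priv priv = { NULL };
    int leaked = 0;
    for (int i = 0; i < 3; i++) { bus[i].id = i; bus[i].refcount = 1; }
    for (int i = 0; i < cycles; i++) {
        if (!fixed) probe_leaky(1);
        else if (probe_fixed(1, &priv, i % 2) == 0) remove_fixed(&priv);
    }
    for (int i = 0; i < 3; i++) leaked += bus[i].refcount - 1;
    return leaked;
}
int main(void) { printf("leaky=%d fixed=%d\n", leaked_after(5, 0), leaked_after(5, 1)); return 0; }
```

In the model, every early exit from the loop in `probe_leaky` leaves one extra reference on the matched device, while `probe_fixed` balances each get with a put on both the success and the failure path.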

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2022-50659 fixes a PCI device reference count leak in the Linux kernel's Geode hardware RNG driver that could lead to resource exhaustion.

Vulnerability

CVE-2022-50659 is a reference count leak in the Linux kernel's geode hardware random number generator (hwrng) driver. The driver uses for_each_pci_dev(), which internally calls pci_get_device(). This function increases the reference count of the returned pci_dev structure. When the loop breaks with a non-NULL pdev, the driver fails to call pci_dev_put() to decrement that reference count, leading to a leak. The fix introduces a new structure amd_geode_priv to track the PCI device pointer and memory base, ensuring pci_dev_put() is called in both normal and error paths. [1], [2], [3], [4]

Exploitation

An attacker would need local access to the system to trigger the driver's probe or removal paths repeatedly (e.g., via hotplug events or unbind/bind operations). No special privileges beyond local user access are required if the hardware is present, as the driver may be probed automatically. The root cause is a missing cleanup in the driver's error handling and teardown logic.

Impact

The leak causes the kernel's reference count for the PCI device to never reach zero, preventing proper release of the device's resources. Over time, this can lead to resource exhaustion, potentially causing denial-of-service conditions such as inability to allocate new PCI devices or memory. The issue is low severity (CVSS not provided but typically low) and affects systems with AMD Geode processors using the hardware RNG.

Mitigation

The fix was applied to the Linux kernel stable tree in commits [1], [2], [3], and [4]. Users should update to kernel versions containing these commits (e.g., 5.10.163, 5.15.88, 6.1.8, or later). No workaround is available; the patch must be applied.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
