CVE-2022-50672
Description
In the Linux kernel, the following vulnerability has been resolved:
mailbox: zynq-ipi: fix error handling while device_register() fails
If device_register() fails, it has two issues:
1. The name allocated by dev_set_name() is leaked.
2. The parent of the device is not NULL, so device_unregister() is called in zynqmp_ipi_free_mboxes(); it will lead to a kernel crash because of removing a device that was not added.
Call put_device() to give up the reference, so the name is freed in kobject_cleanup(). Add a device-registered check in zynqmp_ipi_free_mboxes() to avoid a null-ptr-deref.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A use-after-free and memory leak in the Linux kernel's Zynq-IPI mailbox driver due to improper error handling when device_register() fails.
Vulnerability
Analysis
The vulnerability resides in the zynq-ipi mailbox driver within the Linux kernel. When device_register() fails, the driver does not properly release the name allocated by dev_set_name(), leading to a memory leak. Additionally, the parent device pointer is not cleared, causing device_unregister() to be called on a device that was never successfully registered, which results in a kernel crash due to a null-pointer dereference [1].
Exploitation
An attacker would need to trigger a failure in device_register() for the Zynq-IPI mailbox device. This could occur under specific system conditions, such as memory pressure or resource exhaustion, that cause the registration to fail. No special privileges are required beyond the ability to influence device registration, which may be possible from user space in some configurations.
Impact
Successful exploitation leads to a denial of service (kernel crash) and potential memory exhaustion due to the leaked name allocation. There is no evidence of privilege escalation or data corruption.
Mitigation
The fix was applied in Linux kernel stable releases. The commit referenced in [1] and [2] adds a put_device() call to free the name and introduces a check in zynqmp_ipi_free_mboxes() to avoid calling device_unregister() on a device that was not successfully registered. Users should update to a kernel version containing this fix.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
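A small user-space C model of the two rules the fix relies on (drop the reference after a failed registration, and unregister only what was registered), added here as an illustration. It is not the driver's or the kernel's code; every `model_*` name and the sample device name are constructed for this example.

```c
/* User-space model of the driver-core rules behind the fix (added example).
 * model_* names are hypothetical; kernel functions are named in comments only. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct model_dev { char *name; int refs; int registered; void *parent; };
static int live_names, bad_unregister, model_parent;

static void model_set_name(struct model_dev *d, const char *n) {  /* dev_set_name() */
    d->name = malloc(strlen(n) + 1);
    if (d->name) { strcpy(d->name, n); live_names++; }
}
static void model_put_device(struct model_dev *d) {               /* put_device() */
    if (--d->refs == 0 && d->name) {      /* last ref: kobject_cleanup() frees name */
        free(d->name); d->name = NULL; live_names--;
    }
}
/* device_register(): takes the initial reference, then adds the device.
 * On failure the caller still holds that reference and must drop it. */
static int model_register(struct model_dev *d, int fail) {
    d->refs = 1;
    if (fail) return -1;
    d->registered = 1;
    return 0;
}
static void model_unregister(struct model_dev *d) {               /* device_unregister() */
    if (!d->registered) { bad_unregister++; return; }  /* the kernel crashes here */
    d->registered = 0;
    model_put_device(d);
}
/* Probe then teardown. fixed=0: pre-patch flow, fixed=1: patched flow.
 * Returns bit 0 = name leaked, bit 1 = unregister of a never-added device. */
static int model_probe_and_free(int fixed, int fail) {
    struct model_dev d = {0};
    live_names = bad_unregister = 0;
    d.parent = &model_parent;             /* parent is set before registration */
    model_set_name(&d, "constructed-ipi-mbox");
    if (model_register(&d, fail) && fixed)
        model_put_device(&d);             /* patch: give up the reference */
    if (d.parent && (!fixed || d.registered))  /* patch: registered check */
        model_unregister(&d);
    free(d.name);                         /* keep the demo itself leak-free */
    return (live_names ? 1 : 0) | (bad_unregister ? 2 : 0);
}
int main(void) {
    printf("pre-patch, register fails: %d\n", model_probe_and_free(0, 1));
    printf("patched,   register fails: %d\n", model_probe_and_free(1, 1));
    return 0;
}
```

In the kernel the registered check corresponds to `device_is_registered()`; in this model it is the `registered` flag.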
Affected products: 2
Patches (6): b3a5c76f61e2, a39b4de0804f, 4f05d8e2fb3a, f2d63cefc012, 3fcf079958c0, a6792a0cdef0
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
- git.kernel.org/stable/c/3fcf079958c00d83c51e4f250abf2c77fe9cc1b9 (nvd)
- git.kernel.org/stable/c/4f05d8e2fb3ab702c2633a74571e1b31cb579985 (nvd)
- git.kernel.org/stable/c/a39b4de0804f9fe0ae911b359ffd4afe7d9d933b (nvd)
- git.kernel.org/stable/c/a6792a0cdef0b1c2d77920246283a72537e60e94 (nvd)
- git.kernel.org/stable/c/b3a5c76f61e2b380e29dfc6705854ca1ee85501d (nvd)
- git.kernel.org/stable/c/f2d63cefc012cafe1b7651bbf3302f8bcd8bea4a (nvd)