VYPR
Unrated severity · NVD Advisory · Published Dec 24, 2025 · Updated Apr 15, 2026

CVE-2022-50703

Description

In the Linux kernel, the following vulnerability has been resolved:

soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe()

There are two refcount leak bugs in qcom_smsm_probe():

(1) The 'local_node' is escaped out from for_each_child_of_node() as the break of iteration, we should call of_node_put() for it in error path or when it is not used anymore.

(2) The 'node' is escaped out from for_each_available_child_of_node() as the 'goto', we should call of_node_put() for it in goto target.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2022-50703 fixes two refcount leak bugs in the Linux kernel's Qualcomm SMSM driver probe function.

Root Cause

The Linux kernel's Qualcomm Shared Memory State Machine (SMSM) driver contains two reference-count leak bugs in the qcom_smsm_probe() function. The first leak occurs when the local_node variable exits a for_each_child_of_node() loop early via a break statement; the driver fails to call of_node_put() on that node in the error path or after use. The second leak involves the node variable, which escapes a for_each_available_child_of_node() loop via a goto statement; the function's error-handling target also omits the necessary of_node_put() call for that node. [1]
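The two leak patterns described above, reduced to a user-space C model. This is an added example, not the kernel's code or the upstream patch. The `node` struct, `probe()`, `leaked_refs()` and the node names are constructed for illustration, and `next_child()` only mimics the documented behaviour of `of_get_next_child()` (take a reference on the returned node, drop the one on the previous node).

```c
#include <stdio.h>
#include <string.h>
/* User-space model of device-tree node refcounts; not kernel code. */
struct node { const char *name; int refs; struct node *sibling; };
static struct node *node_get(struct node *n) { if (n) n->refs++; return n; }
static void node_put(struct node *n) { if (n) n->refs--; }
/* Like of_get_next_child(): take a ref on the next node, drop prev's. */
static struct node *next_child(struct node *first, struct node *prev)
{
    struct node *next = node_get(prev ? prev->sibling : first);
    node_put(prev);
    return next;
}
#define for_each_child(first, c) \
    for ((c) = next_child((first), NULL); (c); (c) = next_child((first), (c)))

/* Bug (1): 'local' leaves its loop via break. Bug (2): 'n' leaves via goto.
 * With fixed == 0 neither escaped reference is ever dropped. */
static int probe(struct node *first, const char *want, const char *bad, int fixed)
{
    struct node *local, *n = NULL;
    int ret = 0;
    for_each_child(first, local)
        if (strcmp(local->name, want) == 0)
            break;                  /* ref on 'local' still held */
    if (!local)
        return -1;
    for_each_child(first, n)
        if (strcmp(n->name, bad) == 0) {
            ret = -2;               /* simulated setup failure */
            goto out;               /* ref on 'n' still held */
        }
out:
    if (fixed) {
        node_put(n);                /* no-op if the loop ran to the end */
        node_put(local);
    }
    return ret;
}
/* Constructed tree apps -> modem -> wcnss; each node starts with one ref. */
static int leaked_refs(int fixed)
{
    struct node c = { "wcnss", 1, NULL }, b = { "modem", 1, &c };
    struct node a = { "apps", 1, &b };
    probe(&a, "apps", "modem", fixed);
    return (a.refs - 1) + (b.refs - 1) + (c.refs - 1);
}
int main(void) { printf("leaked: %d unfixed, %d fixed\n", leaked_refs(0), leaked_refs(1)); return 0; }
```

A loop that runs to completion leaves no reference behind, which is why only the `break` and `goto` exits need an explicit put.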

Attack Surface and Exploitation

Both bugs are triggered during device probe, meaning an attacker would need to influence device tree binding or module loading to reach the vulnerable code path. No authentication or special privileges are required beyond the ability to cause the driver to probe with a crafted or malformed device-tree entry. The vulnerability is local to the kernel and requires physical or logical access to the system's device tree configuration (e.g., through a device tree overlay or a platform device that uses the SMSM driver). [2]

Impact

If exploited, the reference-count leaks can lead to object lifetime mismanagement, potentially causing memory corruption, use-after-free conditions, or a denial of service (system crash or instability). An attacker who can control the device tree or hot-plug mechanisms might be able to trigger the leaks repeatedly to exhaust kernel memory or corrupt driver state. [3]

Mitigation

Patches have been backported to stable kernel releases. Users should update to kernels that include the fix, identified by commits referenced in the stable git tree [4]. No workaround is available; applying the patch is the recommended mitigation.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
