CVE-2022-50708

Vulnerability

CVE-2022-50708 is a resource leak vulnerability in the Linux kernel's HSI (High-Speed Synchronous Serial Interface) subsystem, specifically in the ssip_pn_open() function of the ssi_protocol module. The function claims the HSI client's port via hsi_claim_port() but does not release it if a subsequent call to hsi_register_port_event() fails. This missing release path can lead to a resource leak, leaving the port permanently claimed and unavailable for other consumers [1][2].

Exploitation

Exploitation requires only that the error path in hsi_register_port_event() be triggered, which can occur during normal systemically due to transient resource constraints or configuration issues. No special privileges are needed beyond the ability to open the HSI protocol port are needed, making the attack surface accessible from user space or through device initialization [1].

Impact

An attacker or system condition that consistently triggers the error can exhaust available HSI ports, leading to denial of service (DoS) for any functionality relying on HSI communication. The leaked port will remain in a claimed state until the kernel is rebooted, as there is no automatic cleanup mechanism [2].

Mitigation

The fix, incorporated into the Linux kernel stable tree, adds a call to hsi_release_port() in the error path of ssip_pn_open() before returning. Users should apply the relevant kernel updates from their distribution to eliminate the leak [1][2].