VYPR
Unrated severity · NVD Advisory · Published Dec 24, 2025 · Updated Apr 15, 2026

CVE-2022-50742

Description

In the Linux kernel, the following vulnerability has been resolved:

misc: ocxl: fix possible refcount leak in afu_ioctl()

eventfd_ctx_put needs to be called to put the refcount that was gotten by eventfd_ctx_fdget when ocxl_irq_set_handler fails.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reference count leak in the Linux kernel's ocxl driver can be triggered when ocxl_irq_set_handler fails, leading to a memory leak.

Vulnerability

CVE-2022-50742 is a reference count leak vulnerability in the Linux kernel's OpenCAPI (ocxl) driver. The issue resides in the afu_ioctl() function, where eventfd_ctx_fdget() is used to obtain a reference to an eventfd context. If the subsequent call to ocxl_irq_set_handler() fails, the code path does not release the previously acquired reference via eventfd_ctx_put(), causing the reference count to remain elevated indefinitely [1].

Exploitation

The vulnerability is triggered through a specific ioctl call on an ocxl device file. An attacker must have local access to the system and the ability to open an ocxl device, which typically requires root privileges or membership in the ocxl group. By sending a crafted ioctl that passes a valid eventfd file descriptor but causes ocxl_irq_set_handler() to fail, the refcount leak occurs. No additional authentication or network access is needed once local access to the device is obtained.

Impact

Successful exploitation results in a memory leak because the eventfd context object is never freed. Over time, repeated exploitation could exhaust kernel memory, potentially leading to a denial of service (system instability or crash). The vulnerability does not directly allow privilege escalation or code execution.

Mitigation

The vulnerability has been patched in the Linux kernel by adding the missing eventfd_ctx_put() call in the error path of afu_ioctl(). The fix is included in kernel versions 5.16.14 and later, and has also been backported to various stable branches [1][2]. Users are advised to update their kernels to a patched version. No workaround is available aside from restricting access to ocxl devices.
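The error path described above, modelled in user-space C as an added example (this is not the kernel's code or the upstream patch). `ctx_get`, `ctx_put`, `set_handler`, `set_fd_leaky`, `set_fd_fixed` and `refs_after` are hypothetical stand-ins, and the model assumes the handler takes over the reference on success.

```c
#include <stdio.h>

struct ctx { int refs; };   /* user-space stand-in for struct eventfd_ctx */

/* Models eventfd_ctx_fdget(): takes one reference. */
static struct ctx *ctx_get(struct ctx *c) { c->refs++; return c; }
/* Models eventfd_ctx_put(): drops one reference. */
static void ctx_put(struct ctx *c) { c->refs--; }

/* Models ocxl_irq_set_handler(). Assumption: on success the handler slot
 * takes over the reference; on failure it stores nothing. */
static int set_handler(struct ctx **slot, struct ctx *c, int fail)
{
    if (fail)
        return -1;
    *slot = c;
    return 0;
}

/* Before the fix: a failing set_handler() leaves the reference held. */
static int set_fd_leaky(struct ctx **slot, struct ctx *c, int fail)
{
    struct ctx *ev = ctx_get(c);
    return set_handler(slot, ev, fail);
}

/* After the fix: the error path puts the reference it took. */
static int set_fd_fixed(struct ctx **slot, struct ctx *c, int fail)
{
    struct ctx *ev = ctx_get(c);
    int rc = set_handler(slot, ev, fail);
    if (rc)
        ctx_put(ev);
    return rc;
}

/* Reference count left after n calls; starts at 1 for the open eventfd. */
static int refs_after(int (*fn)(struct ctx **, struct ctx *, int), int n, int fail)
{
    struct ctx c = { 1 }, *slot = NULL;
    for (int i = 0; i < n; i++)
        fn(&slot, &c, fail);
    return c.refs;
}

int main(void)
{
    printf("leaky: %d  fixed: %d\n", refs_after(set_fd_leaky, 3, 1), refs_after(set_fd_fixed, 3, 1));
    return 0;
}
```

In the leaky variant the count never returns to the caller's single reference, so the object can never be freed; in the fixed variant every failed call is balanced.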

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 6

References: 6
