CVE-2022-50778
Description
In the Linux kernel, the following vulnerability has been resolved:
fortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL
With CONFIG_FORTIFY=y and CONFIG_UBSAN_LOCAL_BOUNDS=y enabled, we observe a runtime panic while running Android's Compatibility Test Suite's (CTS) android.hardware.input.cts.tests. This is stemming from a strlen() call in hidinput_allocate().
__compiletime_strlen() is implemented in terms of __builtin_object_size(), then does an array access to check for NUL-termination. A quirk of __builtin_object_size() is that for strings whose values are runtime dependent, __builtin_object_size(str, 1 or 0) returns the maximum size of possible values when those sizes are determinable at compile time. Example:
static const char *v = "FOO BAR"; static const char *y = "FOO BA"; unsigned long x (int z) { // Returns 8, which is: // max(__builtin_object_size(v, 1), __builtin_object_size(y, 1)) return __builtin_object_size(z ? v : y, 1); }
So when FORTIFY_SOURCE is enabled, the current implementation of __compiletime_strlen() will try to access beyond the end of y at runtime using the size of v. Mixed with UBSAN_LOCAL_BOUNDS we get a fault.
hidinput_allocate() has a local C string whose value is control flow dependent on a switch statement, so __builtin_object_size(str, 1) evaluates to the maximum string length, making all other cases fault on the last character check. hidinput_allocate() could be cleaned up to avoid runtime calls to strlen() since the local variable can only have literal values, so there's no benefit to trying to fortify the strlen call site there.
Perform a __builtin_constant_p() check against index 0 earlier in the macro to filter out the control-flow-dependant case. Add a KUnit test for checking the expected behavioral characteristics of FORTIFY_SOURCE internals.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A kernel panic can occur when FORTIFY and UBSAN are enabled due to a flaw in __compiletime_strlen() handling control-flow-dependent strings.
The vulnerability resides in the Linux kernel's FORTIFY_SOURCE implementation, specifically in the __compiletime_strlen() macro. Due to a quirk of __builtin_object_size(), when a string's value is determined at runtime (e.g., via a switch statement), the macro returns the maximum possible string length across all control flow paths. This causes an out-of-bounds array access when checking for NUL-termination at runtime, leading to a kernel panic when CONFIG_UBSAN_LOCAL_BOUNDS=y is also enabled. The issue was discovered in the hidinput_allocate() function, which uses a local C string that depends on a switch statement.
Exploitation requires local access to the system and the ability to trigger the vulnerable code path, such as through the Android Compatibility Test Suite (CTS) test for HID input. The kernel must be built with both CONFIG_FORTIFY=y and CONFIG_UBSAN_LOCAL_BOUNDS=y. The attack surface is limited to systems with these debug options enabled and that use the HID input subsystem.
The sole impact is a denial of service via a kernel panic; there is no indication of privilege escalation or data leakage. The fix involves adding an early __builtin_constant_p() check to prevent runtime-dependent strings from being processed by the macro. Additionally, a KUnit test was added to verify the expected behavior. The patch has been applied to the stable kernel tree [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
3ed42391164e65d59ad2bfb35d07c0acb4f41Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3News mentions
0No linked articles in our index yet.