VYPR
Unrated severity · NVD Advisory · Published Dec 30, 2025 · Updated Apr 15, 2026

CVE-2022-50846


Description

In the Linux kernel, the following vulnerability has been resolved:

mmc: via-sdmmc: fix return value check of mmc_add_host()

mmc_add_host() may return an error. If we ignore its return value, it will lead to two issues:
1. The memory that is allocated in mmc_alloc_host() is leaked.
2. In the remove() path, mmc_remove_host() will be called to delete the device, but it's not added yet; it will lead to a kernel crash because of a null-ptr-deref in device_del().

Fix this by checking the return value and goto error path which will call mmc_free_host().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing return value check of mmc_add_host() in the Linux kernel's via-sdmmc driver can lead to memory leak and kernel crash on driver removal.

Vulnerability Details

In the Linux kernel's via-sdmmc MMC/SD host controller driver, the return value of mmc_add_host() is not checked. According to the CVE description, if mmc_add_host() fails, two issues arise: first, the memory allocated by mmc_alloc_host() is leaked; second, in the driver's remove path, mmc_remove_host() is called on a device that was never added, leading to a null-pointer dereference in device_del() and a kernel crash.

Exploitation

The vulnerability is triggered during driver initialization when mmc_add_host() returns an error. An attacker who can cause this failure—for example, by exhausting system memory or providing faulty hardware—could exploit the missing check. No authentication is required, as the driver may be loaded automatically based on hardware presence. The attack surface is local, requiring the ability to influence the driver's probe sequence.

Impact

Successful exploitation results in a kernel crash (denial of service) due to the null-ptr-deref, or a memory leak if the error path is taken without freeing the host structure. This can lead to system instability or resource exhaustion.

Mitigation

The fix involves checking the return value of mmc_add_host() and jumping to an error path that calls mmc_free_host() to properly clean up. Patches have been applied to multiple stable kernel branches as commits [1], [2], [3], and [4]. Users should update to a patched kernel version.
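The missing check and its fix, modeled in user space as an added example (this is not the kernel patch or the driver's code). The `model_*` helpers, `probe_unchecked` and `probe_checked` are hypothetical stand-ins for the mmc_alloc_host(), mmc_add_host() and mmc_free_host() calls named above, and the add failure is a constructed fault.

```c
/* Added user-space model, not kernel code; model_* names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
struct model_host { int added; };
static int live_hosts, fail_add = 1; /* live allocations; constructed add fault */
static struct model_host *model_alloc_host(void) {
    struct model_host *h = calloc(1, sizeof(*h));
    if (h) live_hosts++;
    return h;
}
static void model_free_host(struct model_host *h) { free(h); live_hosts--; }
static int model_add_host(struct model_host *h) {
    h->added = !fail_add;
    return fail_add ? -ENOMEM : 0;
}

/* Before the fix: the add result is dropped and probe reports success. */
static int probe_unchecked(struct model_host **out) {
    struct model_host *h = model_alloc_host();
    if (!h) return -ENOMEM;
    (void)model_add_host(h);
    *out = h;
    return 0;
}

/* After the fix: a failed add unwinds through the free path. */
static int probe_checked(struct model_host **out) {
    struct model_host *h = model_alloc_host();
    *out = NULL;
    if (!h) return -ENOMEM;
    int ret = model_add_host(h);
    if (ret) goto err_free;
    *out = h;
    return 0;
err_free:
    model_free_host(h);
    return ret;
}

int main(void) {
    struct model_host *h = NULL;
    if (probe_unchecked(&h)) return 1;
    printf("unchecked: ret=0 added=%d live=%d\n", h->added, live_hosts);
    model_free_host(h);
    int r = probe_checked(&h);
    printf("checked: ret=%d live=%d\n", r, live_hosts);
    return 0;
}
```

With the add step failing, the unchecked probe still returns 0 and leaves an allocated host that was never added, which is the state the remove() path later acts on. The checked probe returns the error with nothing left allocated.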

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
