CVE-2022-50867
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/a6xx: Fix kvzalloc vs state_kcalloc usage
adreno_show_object() is a trap! It will re-allocate the pointer it is passed on first call, when the data is ascii85 encoded, using kvmalloc()/kvfree(). Which means the data *passed* to it must be kvmalloc'd, ie. we cannot use the state_kcalloc() helper.
This partially reverts commit ec8f1813bf8d ("drm/msm/a6xx: Replace kcalloc() with kvzalloc()"), but adds the missing kvfree() to fix the memory leak that was present previously, and adds a warning comment.
Patchwork: https://patchwork.freedesktop.org/patch/507014/
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Linux kernel GPU driver memory management bug where a mismatched allocation/free pair (kcalloc vs kvzalloc) leads to a memory leak on first invocation of adreno_show_object().
Root Cause
The vulnerability resides in the drm/msm/a6xx GPU driver. The function adreno_show_object() re-allocates its pointer argument on first call using kvmalloc/kvfree, but the driver previously used state_kcalloc() (which uses kcalloc) to allocate the data passed to it. This mismatch means the initial allocation uses the wrong allocator; when adreno_show_object() attempts to kvfree the old pointer, it fails to free the original kcalloc-allocated memory, leading to a memory leak [1]. The attempted fix in commit ec8f1813bf8d replaced kcalloc with kvzalloc but omitted the necessary kvfree() call, thus neither fixing the leak nor properly handling the deallocation [1].
Exploitation
This bug is triggered on the first call to adreno_show_object() with an ascii85-encoded data path. No special privileges or user interaction are needed beyond normal GPU operation that invokes this function; it is a kernel memory leak that accumulates over time. The attack surface is local, requiring the ability to trigger the relevant GPU debugfs or show functionality, which may be accessible to unprivileged users depending on system configuration.
Impact
An unprivileged local attacker can cause a kernel memory leak by repeatedly triggering the vulnerable code path. Over time, this depletes system memory, potentially leading to denial of service (system hang or crash). The vulnerability does not directly provide code execution or privilege escalation, but memory exhaustion can destabilize the system.
Mitigation
The fix is included in the Linux kernel stable branch as commit 4b1bbc0571a5d7ee10f754186dc3d619b9ced5c1 [1]. This commit reverts the problematic portion of ec8f1813bf8d, adds the missing kvfree() call, and documents the allocation requirement with a warning comment. System administrators should apply the latest kernel updates from their distribution. No workarounds are documented; limiting access to GPU debugfs interfaces can reduce exposure.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 2
4b1bbc0571a5
83d18e9d9c01
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2
News mentions: 0
No linked articles in our index yet.