CVE-2022-50094

Source
https://cve.org/CVERecord?id=CVE-2022-50094
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50094.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-50094
Downstream
Related
Published
2025-06-18T11:02:32.591Z
Modified
2026-07-08T06:42:46.914070984Z
Summary
spmi: trace: fix stack-out-of-bound access in SPMI tracing functions
Details

In the Linux kernel, the following vulnerability has been resolved:

spmi: trace: fix stack-out-of-bound access in SPMI tracing functions

tracespmiwritebegin() and tracespmireadend() both call memcpy() with a length of "len + 1". This leads to one extra byte being read beyond the end of the specified buffer. Fix this out-of-bound memory access by using a length of "len" instead.

Here is a KASAN log showing the issue:

BUG: KASAN: stack-out-of-bounds in traceeventraweventspmireadend+0x1d0/0x234 Read of size 2 at addr ffffffc0265b7540 by task thermal@2.0-ser/1314 ... Call trace: dumpbacktrace+0x0/0x3e8 showstack+0x2c/0x3c dumpstacklvl+0xdc/0x11c printaddressdescription+0x74/0x384 kasanreport+0x188/0x268 kasancheckrange+0x270/0x2b0 memcpy+0x90/0xe8 traceeventraweventspmireadend+0x1d0/0x234 spmireadcmd+0x294/0x3ac spmiextregisterreadl+0x84/0x9c regmapspmiextread+0x144/0x1b0 [regmapspmi] regmaprawread+0x40c/0x754 regmaprawread+0x3a0/0x514 regmapbulkread+0x418/0x494 adc5gen3pollwaiths+0xe8/0x1e0 [qcomspmiadc5gen3] ... _arm64sysread+0x4c/0x60 invokesyscall+0x80/0x218 el0svccommon+0xec/0x1c8 ...

addr ffffffc0265b7540 is located in stack of task thermal@2.0-ser/1314 at offset 32 in frame: adc5gen3pollwaiths+0x0/0x1e0 [qcomspmiadc5_gen3]

this frame has 1 object: [32, 33) 'status'

Memory state around the buggy address: ffffffc0265b7400: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 ffffffc0265b7480: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00

ffffffc0265b7500: 00 00 00 00 f1 f1 f1 f1 01 f3 f3 f3 00 00 00 00 ^ ffffffc0265b7580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

ffffffc0265b7600: f1 f1 f1 f1 01 f2 07 f2 f2 f2 01 f3 00 00 00 00

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50094.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a9fce374815d8ab94a3e6259802a944e2cc21408
Fixed
80f7c93e573ea9f524924bb529c2af8cb28b1c43
Fixed
dc6033a7761254e5a5ba7df36b64db787a53313c
Fixed
ac730c72bddc889f5610d51d8a7abf425e08da1a
Fixed
37690cb8662cec672cacda19e6e4fd2ca7b13f0b
Fixed
dd02510fb43168310abfd0b9ccf49993a722fb91
Fixed
1e0ca3d809c36ad3d1f542917718fc22ec6316e7
Fixed
bcc1b6b1ed3f42ed25858c1f1eb24a2f741db93f
Fixed
504090815c1ad3fd3fa34618b54d706727f8911c
Fixed
2af28b241eea816e6f7668d1954f15894b45d7e3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50094.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.3.0
Fixed
4.9.326
Type
ECOSYSTEM
Events
Introduced
4.10.0
Fixed
4.14.291
Type
ECOSYSTEM
Events
Introduced
4.15.0
Fixed
4.19.256
Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.211
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.137
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.61
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.18.18
Type
ECOSYSTEM
Events
Introduced
5.19.0
Fixed
5.19.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50094.json"