CVE-2022-50226
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-50226
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50226.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-50226
- Downstream
- Related
- Published
- 2025-06-18T11:15:53Z
- Modified
- 2025-06-18T16:49:20.336580Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
crypto: ccp - Use kzalloc for sev ioctl interfaces to prevent kernel memory leak
For some sev ioctl interfaces, input may be passed that is less than or equal to SEVFWBLOBMAXSIZE, but larger than the data that PSP firmware returns. In this case, kmalloc will allocate memory that is the size of the input rather than the size of the data. Since PSP firmware doesn't fully overwrite the buffer, the sev ioctl interfaces with the issue may return uninitialized slab memory.
Currently, all of the ioctl interfaces in the ccp driver are safe, but to prevent future problems, change all ioctl interfaces that allocate memory with kmalloc to use kzalloc and memset the data buffer to zero in sevioctldoplatformstatus.
- References
-
- https://git.kernel.org/stable/c/13dc15a3f5fd7f884e4bfa8c011a0ae868df12ae
- https://git.kernel.org/stable/c/4c5300f6f5e18b11c02a92f136e69b98fddba15e
- https://git.kernel.org/stable/c/caa395aa16e7c9193fd7fa6cde462dd8229d4953
- https://git.kernel.org/stable/c/e11fb0a3a39bb42da35fa662c46ce7391f277436
- https://git.kernel.org/stable/c/f2a920daa780956b987c14b9f23de7c3c8915bf2
- https://security-tracker.debian.org/tracker/CVE-2022-50226
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.10.178-1
Affected versions
5.*
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source