CVE-2022-50537
📋 TL;DR
This CVE describes a memory leak vulnerability in the Raspberry Pi firmware driver within the Linux kernel. When the mbox_request_channel() function fails during device probing, the allocated firmware structure is not properly freed, leading to a memory leak. This affects Linux systems using the Raspberry Pi firmware driver, particularly those running on Raspberry Pi hardware or emulating it.
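The error-path pattern behind this leak, as an added user-space C model (this is not the kernel's rpi_firmware_probe() and not code from the advisory; the `struct fw_dev` type, the `fake_mbox_request_channel()` stub and the allocation counter are assumptions made for the demonstration). It shows the leaky probe beside the fixed one and counts live allocations after repeated probe failures, which is exactly what a kernel memory-leak checker such as kmemleak would report:

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the driver's private data (the kernel's is a different struct). */
struct fw_dev {
    void *chan;   /* mailbox channel handle, or NULL when the request failed */
};

/* Counts live allocations so a leak is observable without a leak checker. */
static int live_allocs = 0;

/* The one device that a successful probe "registers" in this model. */
static struct fw_dev *registered = NULL;

static struct fw_dev *fw_alloc(void) {
    struct fw_dev *fw = calloc(1, sizeof(*fw));   /* models kzalloc() */
    if (fw) live_allocs++;
    return fw;
}

static void fw_free(struct fw_dev *fw) {          /* models kfree() */
    if (fw) { live_allocs--; free(fw); }
}

/* Assumed stand-in for mbox_request_channel(): returns NULL when `fail` is
 * set, modelling a mailbox controller that is not available at probe time. */
static void *fake_mbox_request_channel(int fail) {
    return fail ? NULL : (void *)0x1;   /* dummy non-NULL handle, never dereferenced */
}

/* Vulnerable pattern: the private struct is allocated, the channel request
 * fails, and the function returns the error without freeing the struct. */
static int probe_leaky(int fail_channel) {
    struct fw_dev *fw = fw_alloc();
    if (!fw) return -1;                  /* -ENOMEM in kernel terms */
    fw->chan = fake_mbox_request_channel(fail_channel);
    if (!fw->chan)
        return -2;                       /* BUG: fw is leaked on this path */
    registered = fw;                     /* success: struct lives until remove() */
    return 0;
}

/* Fixed pattern: every error path taken after the allocation releases it. */
static int probe_fixed(int fail_channel) {
    struct fw_dev *fw = fw_alloc();
    if (!fw) return -1;
    fw->chan = fake_mbox_request_channel(fail_channel);
    if (!fw->chan) {
        fw_free(fw);                     /* release before returning the error */
        return -2;
    }
    registered = fw;
    return 0;
}

/* Models the driver's remove(): tears down the registered device. */
static void fw_remove(void) {
    fw_free(registered);
    registered = NULL;
}

/* Runs `n` failing probes and returns how many allocations are still live
 * afterwards; 0 means nothing leaked. */
static int leaked_after_failures(int (*probe)(int), int n) {
    live_allocs = 0;
    for (int i = 0; i < n; i++)
        probe(1);
    return live_allocs;
}

/* Runs one successful probe followed by remove() and returns the live count,
 * confirming the fix did not break the success path. */
static int live_after_success_and_remove(int (*probe)(int)) {
    live_allocs = 0;
    if (probe(0) != 0) return -1;
    fw_remove();
    return live_allocs;
}

int main(void) {
    printf("leaky probe: %d live allocations after 5 failed probes\n",
           leaked_after_failures(probe_leaky, 5));
    printf("fixed probe: %d live allocations after 5 failed probes\n",
           leaked_after_failures(probe_fixed, 5));
    printf("fixed probe success path: %d live after remove()\n",
           live_after_success_and_remove(probe_fixed));
    return 0;
}
```

Each failed probe of the leaky variant strands one private struct, which is why the advisory ties the impact to repeated probe failures rather than a single one: the loss is small per event but never recovered until reboot.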
💻 Affected Systems
- Linux kernel with Raspberry Pi firmware driver
⚠️ Risk & Real-World Impact
Worst Case
Sustained exploitation could lead to kernel memory exhaustion, causing system instability, denial of service, or potential kernel crashes.
Likely Case
Memory leak gradually consumes kernel memory over time, potentially leading to performance degradation or system instability after repeated device probe failures.
If Mitigated
With proper kernel memory management and monitoring, impact is limited to minor resource consumption that gets cleaned up on system restart.
🎯 Exploit Status
Exploitation requires local access and ability to trigger device probe failures. No known public exploits exist.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel versions with fixes from the provided git commits
Vendor Advisory: https://git.kernel.org/stable/c/62ac943eb2a9d655e431b9bc98ff6d7bd51a0e49
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a version containing the fix commits.
2. For Raspberry Pi OS: run 'sudo apt update && sudo apt upgrade'.
3. For other distributions: update through the standard kernel update channels.
4. Reboot the system after the update.
🔧 Temporary Workarounds
Disable Raspberry Pi firmware module
Prevent loading of the vulnerable driver if it is not needed (blacklisting only applies when the driver is built as a loadable module; a driver compiled into the kernel cannot be disabled this way):
echo 'blacklist raspberrypi-firmware' | sudo tee /etc/modprobe.d/blacklist-raspberrypi-firmware.conf
sudo update-initramfs -u
sudo reboot
🧯 If You Can't Patch
- Monitor kernel memory usage for unusual increases using tools like 'free', 'top', or 'vmstat'
- Implement system restart schedules to clear accumulated memory leaks
🔍 How to Verify
Check if Vulnerable:
Check if Raspberry Pi firmware module is loaded: 'lsmod | grep raspberrypi_firmware'. If loaded and kernel version is unpatched, system may be vulnerable.
Check Version:
uname -r
Verify Fix Applied:
Verify that the running kernel version includes the fix commits: run 'uname -r' and compare against the patched versions for your distribution. Confirm the module loads without errors in dmesg.
📡 Detection & Monitoring
Log Indicators:
- Kernel oops messages
- Out of memory errors in dmesg
- Repeated 'rpi_firmware_probe' failures in kernel logs
Network Indicators:
- None - this is a local kernel vulnerability
SIEM Query:
source="kernel" AND ("rpi_firmware" OR "out of memory" OR "kernel panic")
🔗 References
- https://git.kernel.org/stable/c/62ac943eb2a9d655e431b9bc98ff6d7bd51a0e49
- https://git.kernel.org/stable/c/6757dd2193fe18c5c5fe3050e7f2ff9dcbd1ff34
- https://git.kernel.org/stable/c/71d2abab374f707ab8ac8dcef191fd2b3b67b8bd
- https://git.kernel.org/stable/c/7b51161696e803fd5f9ad55b20a64c2df313f95c
- https://git.kernel.org/stable/c/b308fdedef095aac14569f810d46edf773ea7d1e
- https://git.kernel.org/stable/c/d34742245e4366579f9a80f8cfe4a63248e838e0