| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025102206-CVE-2022-50561-3b76@gregkh>
Date: Wed, 22 Oct 2025 15:24:09 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2022-50561: iio: fix memory leak in iio_device_register_eventset()
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
iio: fix memory leak in iio_device_register_eventset()
When iio_device_register_sysfs_group() returns failed,
iio_device_register_eventset() needs to free attrs array.
Otherwise, kmemleak would scan & report memory leak as below:
unreferenced object 0xffff88810a1cc3c0 (size 32):
comm "100-i2c-vcnl302", pid 728, jiffies 4295052307 (age 156.027s)
backtrace:
__kmalloc+0x46/0x1b0
iio_device_register_eventset at drivers/iio/industrialio-event.c:541
__iio_device_register at drivers/iio/industrialio-core.c:1959
__devm_iio_device_register at drivers/iio/industrialio-core.c:2040
The Linux kernel CVE team has assigned CVE-2022-50561 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.13 with commit 32f171724e5cbecc80594fb6eced057cfdd6eb6f and fixed in 5.15.86 with commit dc6afd6070f3a5b086c8c5cfa6ded63ae44494da
Issue introduced in 5.13 with commit 32f171724e5cbecc80594fb6eced057cfdd6eb6f and fixed in 6.0.16 with commit 5de3add7509c95685f1185683b817dd206c4b1f1
Issue introduced in 5.13 with commit 32f171724e5cbecc80594fb6eced057cfdd6eb6f and fixed in 6.1.2 with commit a154b1c139fbf6a49762159be81d425d41ceec87
Issue introduced in 5.13 with commit 32f171724e5cbecc80594fb6eced057cfdd6eb6f and fixed in 6.2 with commit 86fdd15e10e404e70ecb2a3bff24d70356d42b36
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2022-50561
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/iio/industrialio-event.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/dc6afd6070f3a5b086c8c5cfa6ded63ae44494da
https://git.kernel.org/stable/c/5de3add7509c95685f1185683b817dd206c4b1f1
https://git.kernel.org/stable/c/a154b1c139fbf6a49762159be81d425d41ceec87
https://git.kernel.org/stable/c/86fdd15e10e404e70ecb2a3bff24d70356d42b36
Powered by blists - more mailing lists