fkie_cve-2022-50239
Vulnerability from fkie_nvd
Published
2025-09-15 14:15
Modified
2025-09-15 15:21
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: cpufreq: qcom: fix writes in read-only memory region This commit fixes a kernel oops because of a write in some read-only memory: [ 9.068287] Unable to handle kernel write to read-only memory at virtual address ffff800009240ad8 ..snip.. [ 9.138790] Internal error: Oops: 9600004f [#1] PREEMPT SMP ..snip.. [ 9.269161] Call trace: [ 9.276271] __memcpy+0x5c/0x230 [ 9.278531] snprintf+0x58/0x80 [ 9.282002] qcom_cpufreq_msm8939_name_version+0xb4/0x190 [ 9.284869] qcom_cpufreq_probe+0xc8/0x39c ..snip.. The following line defines a pointer that point to a char buffer stored in read-only memory: char *pvs_name = "speedXX-pvsXX-vXX"; This pointer is meant to hold a template "speedXX-pvsXX-vXX" where the XX values get overridden by the qcom_cpufreq_krait_name_version function. Since the template is actually stored in read-only memory, when the function executes the following call we get an oops: snprintf(*pvs_name, sizeof("speedXX-pvsXX-vXX"), "speed%d-pvs%d-v%d", speed, pvs, pvs_ver); To fix this issue, we instead store the template name onto the stack by using the following syntax: char pvs_name_buffer[] = "speedXX-pvsXX-vXX"; Because the `pvs_name` needs to be able to be assigned to NULL, the template buffer is stored in the pvs_name_buffer and not under the pvs_name variable.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/01039fb8e90c9cb684430414bff70cea9eb168c5
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/14d260f94ff89543597ffea13db8b277a810e08e
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/794ded0bc461287a268bed21fea2eebb6e5d232c
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b74ee4e301ca01e431e240c046173332966e2431
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: qcom: fix writes in read-only memory region\n\nThis commit fixes a kernel oops because of a write in some read-only memory:\n\n\t[    9.068287] Unable to handle kernel write to read-only memory at virtual address ffff800009240ad8\n\t..snip..\n\t[    9.138790] Internal error: Oops: 9600004f [#1] PREEMPT SMP\n\t..snip..\n\t[    9.269161] Call trace:\n\t[    9.276271]  __memcpy+0x5c/0x230\n\t[    9.278531]  snprintf+0x58/0x80\n\t[    9.282002]  qcom_cpufreq_msm8939_name_version+0xb4/0x190\n\t[    9.284869]  qcom_cpufreq_probe+0xc8/0x39c\n\t..snip..\n\nThe following line defines a pointer that point to a char buffer stored\nin read-only memory:\n\n\tchar *pvs_name = \"speedXX-pvsXX-vXX\";\n\nThis pointer is meant to hold a template \"speedXX-pvsXX-vXX\" where the\nXX values get overridden by the qcom_cpufreq_krait_name_version function. Since\nthe template is actually stored in read-only memory, when the function\nexecutes the following call we get an oops:\n\n\tsnprintf(*pvs_name, sizeof(\"speedXX-pvsXX-vXX\"), \"speed%d-pvs%d-v%d\",\n\t\t speed, pvs, pvs_ver);\n\nTo fix this issue, we instead store the template name onto the stack by\nusing the following syntax:\n\n\tchar pvs_name_buffer[] = \"speedXX-pvsXX-vXX\";\n\nBecause the `pvs_name` needs to be able to be assigned to NULL, the\ntemplate buffer is stored in the pvs_name_buffer and not under the\npvs_name variable."
    }
  ],
  "id": "CVE-2022-50239",
  "lastModified": "2025-09-15T15:21:42.937",
  "metrics": {},
  "published": "2025-09-15T14:15:34.130",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/01039fb8e90c9cb684430414bff70cea9eb168c5"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/14d260f94ff89543597ffea13db8b277a810e08e"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/794ded0bc461287a268bed21fea2eebb6e5d232c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/b74ee4e301ca01e431e240c046173332966e2431"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.