[ciqlts8 6] CVE-2022-50087 #778

roxanan1996 · 2025-12-18T11:22:47Z

DESCRIPTION

Not a clean cherry pick due to missing
\43b9ac937be6f ("firmware: arm_scpi: convert platform driver to use dev_groups")
Part of a bigger patchset and requires this commit torvalds/linux@23b6904

COMMITS

firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails

jira VULN-70082
cve CVE-2022-50087
commit-author Sudeep Holla <[email protected]>
commit 689640efc0a2c4e07e6f88affe6d42cd40cc3f85
upstream-diff |
	Adjusted context in the scpi_probe func due to missing commit
	43b9ac937be6f ("firmware: arm_scpi: convert platform driver to use dev_groups")

TESTING

BUILD

> grep -E -B 5 -A 5 '\[TIMER\]|^Starting Build' /home/rnicolescu/ciq/kernels/lts-8.6_CVE-2022-50087/kernel-build-after.log

/home/rnicolescu/ciq/kernels/lts-8.6_CVE-2022-50087/kernel-src-tree
Running make mrproper...
[TIMER]{MRPROPER}: 4s
x86_64 architecture detected, copying config
'configs/kernel-x86_64.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-rnicolescu_ciqlts8_6_CVE-2022-50087-83574b3a28d18"
Making olddefconfig
--
  HOSTLD  scripts/kconfig/conf
scripts/kconfig/conf  --olddefconfig Kconfig
#
# configuration written to .config
#
Starting Build
scripts/kconfig/conf  --syncconfig Kconfig
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_32_ia32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_64_x32.h
  SYSTBL  arch/x86/include/generated/asm/syscalls_64.h
--
  LD [M]  sound/usb/usx2y/snd-usb-usx2y.ko
  LD [M]  sound/virtio/virtio_snd.ko
  LD [M]  sound/x86/snd-hdmi-lpe-audio.ko
  LD [M]  sound/xen/snd_xen_front.ko
  LD [M]  virt/lib/irqbypass.ko
[TIMER]{BUILD}: 1617s
Making Modules
  INSTALL arch/x86/crypto/blowfish-x86_64.ko
  INSTALL arch/x86/crypto/camellia-aesni-avx-x86_64.ko
  INSTALL arch/x86/crypto/camellia-aesni-avx2.ko
  INSTALL arch/x86/crypto/camellia-x86_64.ko
--
  INSTALL sound/virtio/virtio_snd.ko
  INSTALL sound/x86/snd-hdmi-lpe-audio.ko
  INSTALL sound/xen/snd_xen_front.ko
  INSTALL virt/lib/irqbypass.ko
  DEPMOD  4.18.0-rnicolescu_ciqlts8_6_CVE-2022-50087-83574b3a28d18+
[TIMER]{MODULES}: 18s
Making Install
sh ./arch/x86/boot/install.sh 4.18.0-rnicolescu_ciqlts8_6_CVE-2022-50087-83574b3a28d18+ arch/x86/boot/bzImage \
	System.map "/boot"
[TIMER]{INSTALL}: 62s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-4.18.0-rnicolescu_ciqlts8_6_CVE-2022-50087-83574b3a28d18+ and Index to 2
The default is /boot/loader/entries/5a601a5914cf4ceaa9ec268e1a23b621-4.18.0-rnicolescu_ciqlts8_6_CVE-2022-50087-83574b3a28d18+.conf with index 2 and kernel /boot/vmlinuz-4.18.0-rnicolescu_ciqlts8_6_CVE-2022-50087-83574b3a28d18+
The default is /boot/loader/entries/5a601a5914cf4ceaa9ec268e1a23b621-4.18.0-rnicolescu_ciqlts8_6_CVE-2022-50087-83574b3a28d18+.conf with index 2 and kernel /boot/vmlinuz-4.18.0-rnicolescu_ciqlts8_6_CVE-2022-50087-83574b3a28d18+
Generating grub configuration file ...
done
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 4s
[TIMER]{BUILD}: 1617s
[TIMER]{MODULES}: 18s
[TIMER]{INSTALL}: 62s
[TIMER]{TOTAL} 1708s
Rebooting in 10 seconds

Kselftests

> /home/rnicolescu/ciq/kernel-tools/kselftest-diff.sh /home/rnicolescu/ciq/kernels/lts-8.6_CVE-2022-50087

./kselftest-after.log
211
./kselftest-before.log
212
Before: ./kselftest-after.log
After: ./kselftest-before.log
Diff:
+ok 44 selftests: kvm: memslot_perf_test

Check_kernel_commits

> python3 /home/rnicolescu/ciq/kernel-src-tree-tools/check_kernel_commits.py --repo /home/rnicolescu/ciq/kernels/lts-8.6_CVE-2022-50087/kernel-src-tree --pr_branch {rnicolescu}_ciqlts8_6_CVE-2022-50087 --base_branch origin/ciqlts8_6 --check-cves
All referenced commits exist upstream and have no Fixes: tags.

Run interdiff

> python3 /home/rnicolescu/ciq/kernel-src-tree-tools/run_interdiff.py --repo /home/rnicolescu/ciq/kernels/lts-8.6_CVE-2022-50087/kernel-src-tree --pr_branch {rnicolescu}_ciqlts8_6_CVE-2022-50087 --base_branch origin/ciqlts8_6
[DIFF] PR commit 8264633b0845b (firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails) → upstream 689640efc0a2
Differences found:

  diff -u b/drivers/firmware/arm_scpi.c b/drivers/firmware/arm_scpi.c
  --- b/drivers/firmware/arm_scpi.c
  +++ b/drivers/firmware/arm_scpi.c
  @@ -1023,10 +1027,11 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
   			 FIELD_GET(FW_REV_MINOR_MASK,
   				   scpi_info->firmware_version),
   			 FIELD_GET(FW_REV_PATCH_MASK,
  -				   scpi_info->firmware_version));
  -	scpi_info->scpi_ops = &scpi_ops;
  +				   scpi_drvinfo->firmware_version));
  +
  +	scpi_drvinfo->scpi_ops = &scpi_ops;
   
   	ret = devm_device_add_groups(dev, versions_groups);
   	if (ret)
   		dev_err(dev, "unable to create sysfs version group\n");
   
  @@ -1026,6 +1026,10 @@
   				   scpi_info->firmware_version));
   	scpi_info->scpi_ops = &scpi_ops;
   
  +	ret = devm_device_add_groups(dev, versions_groups);
  +	if (ret)
  +		dev_err(dev, "unable to create sysfs version group\n");
  +
   	return devm_of_platform_populate(dev);
   }
   
  @@ -1030,7 +1035,11 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
   	if (ret)
   		dev_err(dev, "unable to create sysfs version group\n");
   
  -	return devm_of_platform_populate(dev);
  +	ret = devm_of_platform_populate(dev);
  +	if (ret)
  +		scpi_info = NULL;
  +
  +	return ret;
   }
   
   static const struct of_device_id scpi_of_match[] = {

Check colordiff instead

That's due to missing commit
43b9ac9 ("firmware: arm_scpi: convert platform driver to use dev_groups")
Part of a bigger patchset and requires this commit torvalds/linux@23b6904

colordiff.log

Run jira_pr_check

> python3 /home/rnicolescu/ciq/kernel-src-tree-tools/jira_pr_check.py --kernel-src-tree /home/rnicolescu/ciq/kernels/lts-8.6_CVE-2022-50087/kernel-src-tree --merge-target {rnicolescu}_ciqlts8_6_CVE-2022-50087 --pr-branch origin/ciqlts8_6

## JIRA PR Check Results

✅ **No issues found!**


---
**Summary:** Checked 0 commit(s) total.

jira VULN-70082 cve CVE-2022-50087 commit-author Sudeep Holla <[email protected]> commit 689640e upstream-diff | Adjusted context in the scpi_probe func due to missing commit 43b9ac9 ("firmware: arm_scpi: convert platform driver to use dev_groups") When scpi probe fails, at any point, we need to ensure that the scpi_info is not set and will remain NULL until the probe succeeds. If it is not taken care, then it could result use-after-free as the value is exported via get_scpi_ops() and could refer to a memory allocated via devm_kzalloc() but freed when the probe fails. Link: https://lore.kernel.org/r/[email protected] Cc: [email protected] # 4.19+ Reported-by: huhai <[email protected]> Reviewed-by: Jackie Liu <[email protected]> Signed-off-by: Sudeep Holla <[email protected]> (cherry picked from commit 689640e) Signed-off-by: Roxana Nicolescu <[email protected]>

github-actions · 2025-12-18T11:31:15Z

🔍 Interdiff Analysis

⚠️ PR commit 83574b3a28d1 (firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails) → upstream 689640efc0a2
Differences found:

diff -u b/drivers/firmware/arm_scpi.c b/drivers/firmware/arm_scpi.c
--- b/drivers/firmware/arm_scpi.c
+++ b/drivers/firmware/arm_scpi.c
@@ -1023,10 +1027,11 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
 			 FIELD_GET(FW_REV_MINOR_MASK,
 				   scpi_info->firmware_version),
 			 FIELD_GET(FW_REV_PATCH_MASK,
-				   scpi_info->firmware_version));
-	scpi_info->scpi_ops = &scpi_ops;
+				   scpi_drvinfo->firmware_version));
+
+	scpi_drvinfo->scpi_ops = &scpi_ops;
 
 	ret = devm_device_add_groups(dev, versions_groups);
 	if (ret)
 		dev_err(dev, "unable to create sysfs version group\n");
 
@@ -1026,6 +1026,10 @@
 				   scpi_info->firmware_version));
 	scpi_info->scpi_ops = &scpi_ops;
 
+	ret = devm_device_add_groups(dev, versions_groups);
+	if (ret)
+		dev_err(dev, "unable to create sysfs version group\n");
+
 	return devm_of_platform_populate(dev);
 }
 
@@ -1030,7 +1035,11 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
 	if (ret)
 		dev_err(dev, "unable to create sysfs version group\n");
 
-	return devm_of_platform_populate(dev);
+	ret = devm_of_platform_populate(dev);
+	if (ret)
+		scpi_info = NULL;
+
+	return ret;
 }
 
 static const struct of_device_id scpi_of_match[] = {

This is an automated interdiff check for backported commits.

bmastbergen

🥌

roxanan1996 changed the title ~~[[ciqlts8 6] CVE-2022-50087~~ [ciqlts8 6] CVE-2022-50087 Dec 18, 2025

roxanan1996 self-assigned this Dec 18, 2025

roxanan1996 requested a review from a team December 18, 2025 12:58

bmastbergen approved these changes Dec 18, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[ciqlts8 6] CVE-2022-50087 #778

[ciqlts8 6] CVE-2022-50087 #778

Uh oh!

roxanan1996 commented Dec 18, 2025 •

edited

Loading

Uh oh!

github-actions bot commented Dec 18, 2025

Uh oh!

bmastbergen left a comment

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

3 participants

[ciqlts8 6] CVE-2022-50087 #778

Are you sure you want to change the base?

[ciqlts8 6] CVE-2022-50087 #778

Uh oh!

Conversation

roxanan1996 commented Dec 18, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

DESCRIPTION

COMMITS

TESTING

BUILD

Kselftests

Check_kernel_commits

Run interdiff

Run jira_pr_check

Uh oh!

github-actions bot commented Dec 18, 2025

🔍 Interdiff Analysis

Uh oh!

bmastbergen left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

3 participants

roxanan1996 commented Dec 18, 2025 •

edited

Loading