CVE-2022-48871 in Linux

Summary

by MITRE • 08/21/2024

In the Linux kernel, the following vulnerability has been resolved:

tty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer

Driver's probe allocates memory for RX FIFO (port->rx_fifo) based on default RX FIFO depth, e.g. 16. Later during serial startup the qcom_geni_serial_port_setup() updates the RX FIFO depth (port->rx_fifo_depth) to match real device capabilities, e.g. to 32.

The RX UART handle code will read "port->rx_fifo_depth" number of words into "port->rx_fifo" buffer, thus exceeding the bounds. This can be observed in certain configurations with Qualcomm Bluetooth HCI UART device and KASAN:

Bluetooth: hci0: QCA Product ID :0x00000010
Bluetooth: hci0: QCA SOC Version :0x400a0200
Bluetooth: hci0: QCA ROM Version :0x00000200
Bluetooth: hci0: QCA Patch Version:0x00000d2b
Bluetooth: hci0: QCA controller version 0x02000200
Bluetooth: hci0: QCA Downloading qca/htbtfw20.tlv
bluetooth hci0: Direct firmware load for qca/htbtfw20.tlv failed with error -2
Bluetooth: hci0: QCA Failed to request file: qca/htbtfw20.tlv (-2)
Bluetooth: hci0: QCA Failed to download patch (-2)
==================================================================
BUG: KASAN: slab-out-of-bounds in handle_rx_uart+0xa8/0x18c
Write of size 4 at addr ffff279347d578c0 by task swapper/0/0

CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rt5-00350-gb2450b7e00be-dirty #26
Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)
Call trace:
 dump_backtrace.part.0+0xe0/0xf0
 show_stack+0x18/0x40
 dump_stack_lvl+0x8c/0xb8
 print_report+0x188/0x488
 kasan_report+0xb4/0x100
 __asan_store4+0x80/0xa4
 handle_rx_uart+0xa8/0x18c
 qcom_geni_serial_handle_rx+0x84/0x9c
 qcom_geni_serial_isr+0x24c/0x760
 __handle_irq_event_percpu+0x108/0x500
 handle_irq_event+0x6c/0x110
 handle_fasteoi_irq+0x138/0x2cc
 generic_handle_domain_irq+0x48/0x64

If the RX FIFO depth changes after probe, be sure to resize the buffer.
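As an added illustration, not code from the kernel or from the fix commit: a small user-space C model of the mismatch described above, a buffer sized at probe from a default depth of 16 words while the depth is later raised to 32, beside the resize-on-change setup the last sentence calls for. The struct, field and function names (geni_port, rx_fifo_cap, port_setup_buggy, port_setup_fixed, rx_stays_in_bounds) are assumptions, and the FIFO contents are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define DEFAULT_RX_FIFO_DEPTH 16  /* depth assumed at probe, per the advisory */
struct geni_port {                /* constructed model, not the kernel's struct */
    uint32_t *rx_fifo;            /* RX FIFO buffer, allocated at probe */
    size_t rx_fifo_cap;           /* words actually allocated for rx_fifo */
    size_t rx_fifo_depth;         /* words the RX handler will copy in */
};

/* probe: size the RX buffer from the default depth, as the vulnerable driver did */
int port_probe(struct geni_port *p) {
    p->rx_fifo_depth = p->rx_fifo_cap = DEFAULT_RX_FIFO_DEPTH;
    p->rx_fifo = calloc(p->rx_fifo_cap, sizeof(uint32_t));
    return p->rx_fifo ? 0 : -1;
}
/* buggy setup: adopt the real hardware depth but keep the old, smaller buffer */
void port_setup_buggy(struct geni_port *p, size_t hw_depth) {
    p->rx_fifo_depth = hw_depth;
}
/* fixed setup: when the depth differs from what was allocated, resize first */
int port_setup_fixed(struct geni_port *p, size_t hw_depth) {
    if (hw_depth != p->rx_fifo_cap) {
        uint32_t *nb = realloc(p->rx_fifo, hw_depth * sizeof(uint32_t));
        if (!nb) return -1;       /* keep old buffer and depth on failure */
        p->rx_fifo = nb;
        p->rx_fifo_cap = hw_depth;
    }
    p->rx_fifo_depth = hw_depth;
    return 0;
}
/* RX handler copies rx_fifo_depth words; where the kernel driver wrote past the
 * slab object (the KASAN report above), this model refuses and reports it */
bool handle_rx(struct geni_port *p, const uint32_t *hw_words) {
    if (p->rx_fifo_depth > p->rx_fifo_cap) return false; /* OOB write avoided */
    memcpy(p->rx_fifo, hw_words, p->rx_fifo_depth * sizeof(uint32_t));
    return true;
}
/* probe, apply a hardware depth via the buggy or fixed setup, run one RX pass */
bool rx_stays_in_bounds(size_t hw_depth, bool use_fix) {
    static const uint32_t hw_words[64] = {0}; /* constructed FIFO contents */
    struct geni_port p;
    if (hw_depth > 64 || port_probe(&p) != 0) return false;
    if (!use_fix) port_setup_buggy(&p, hw_depth);
    else if (port_setup_fixed(&p, hw_depth) != 0) { free(p.rx_fifo); return false; }
    bool ok = handle_rx(&p, hw_words);
    free(p.rx_fifo);
    return ok;
}
```

With the buggy setup, a hardware depth of 32 against a 16-word allocation is exactly the condition KASAN flagged; with the fixed setup the same depth stays within the resized buffer.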


Analysis

by VulDB Data Team • 02/17/2026

The vulnerability described in CVE-2022-48871 represents a critical memory safety issue within the Linux kernel's Qualcomm GENI serial driver implementation. This flaw manifests as a slab-out-of-bounds write condition that occurs during the handling of received data from Qualcomm Bluetooth HCI UART devices. The issue stems from a fundamental mismatch between memory allocation and runtime configuration parameters within the driver's initialization sequence, creating a scenario where kernel memory can be corrupted through improper buffer bounds checking.

The technical root cause involves the qcom-geni-serial driver's probe function which allocates memory for the receive FIFO buffer based on a default FIFO depth value of 16 words. However, during the subsequent serial startup phase, the driver's port setup function updates the actual FIFO depth to reflect the device's true capabilities, which can be significantly larger such as 32 words. This discrepancy creates a classic buffer overflow condition where the driver attempts to read more data than was originally allocated, leading to memory corruption in the kernel's slab allocator. The vulnerability is particularly concerning because it occurs in the interrupt handling context, making it potentially exploitable for privilege escalation or system instability.

The operational impact of this vulnerability extends beyond simple memory corruption to potentially compromise system stability and security. When triggered during Bluetooth device initialization, the out-of-bounds write can corrupt kernel memory structures, leading to system crashes, data corruption, or in worst-case scenarios, privilege escalation attacks. The vulnerability affects systems using Qualcomm Robotics RB5 platforms with Bluetooth HCI UART devices, specifically those utilizing firmware loading mechanisms that require proper serial communication setup. The KASAN (Kernel Address Sanitizer) output clearly demonstrates the exact memory access violation occurring within the handle_rx_uart function, confirming the slab-out-of-bounds condition that violates fundamental memory safety principles.

This vulnerability aligns with CWE-129: Improper Validation of Array Index and CWE-787: Out-of-bounds Write, both of which are classified under the Common Weakness Enumeration as critical memory safety flaws. From an ATT&CK perspective, this represents a potential privilege escalation vector through kernel memory corruption, falling under the T1068: Exploitation for Privilege Escalation technique category. The issue specifically impacts the T1543.003: Create or Modify System Process: Systemd Service technique by potentially destabilizing system services that depend on serial communication. The mitigation strategy requires ensuring proper buffer resizing when FIFO depth parameters change after initial allocation, which can be achieved through implementing proper memory reallocation logic or maintaining consistent buffer sizing throughout the driver's lifecycle. The fix must ensure that any dynamic configuration updates to FIFO depth parameters are immediately reflected in corresponding buffer allocations to prevent the out-of-bounds memory access condition that leads to system instability and potential security compromise.

Responsible: Linux

Reservation: 07/16/2024

Disclosure: 08/21/2024

Moderation: accepted

CPE: ready

EPSS: 0.00248

KEV: no

Activities: very low
