CVE-2022-49447 in Linux
Summary
by MITRE • 02/26/2025
In the Linux kernel, the following vulnerability has been resolved:
ARM: hisi: Add missing of_node_put after of_find_compatible_node
of_find_compatible_node will increment the refcount of the returned device_node. Calling of_node_put() to avoid the refcount leak.
Analysis
by VulDB Data Team • 05/13/2025
This vulnerability is a memory management issue in the Linux kernel's device tree handling subsystem, specifically affecting ARM architectures through the hisi platform support. The flaw occurs when the of_find_compatible_node function is invoked to locate device tree nodes that match specific compatible strings. This function increments the reference count of the returned device_node structure to prevent premature deallocation while the node is in use. However, in certain code paths within the hisi platform driver, the corresponding of_node_put() function was not called to decrement this reference count, leading to a resource leak that could accumulate over time and potentially cause system instability.
The technical nature of this vulnerability aligns with CWE-404, which specifically addresses improper resource management where allocated resources are not properly released. This type of issue falls under the broader category of memory leaks in kernel space, where the reference counting mechanism designed to prevent dangling pointer issues instead creates a leak when the decrement operation is omitted. The vulnerability exists in the ARM hisi platform driver implementation where device tree node lookups are performed without proper cleanup, creating a scenario where device_node structures remain in memory indefinitely. This type of resource leak can be particularly problematic in embedded systems or long-running kernel environments where memory pressure can accumulate over time.
The operational impact of this vulnerability is significant for systems running affected kernel versions, particularly those utilizing HiSilicon ARM-based platforms such as the Kunpeng series or other devices relying on the hisi platform driver. The memory leak can gradually consume available kernel memory resources, potentially leading to system performance degradation, memory exhaustion, or in severe cases, system crashes. While the individual leak may appear minor, repeated calls to device tree lookup functions without proper cleanup can cause substantial memory accumulation over extended system uptime periods. This vulnerability affects the stability and reliability of kernel subsystems that depend on proper device tree node management, potentially impacting device initialization, power management, or other platform-specific functionalities that rely on accurate device tree information.
Mitigation strategies for this vulnerability involve ensuring that all calls to of_find_compatible_node are paired with corresponding of_node_put() calls to maintain proper reference counting. System administrators should apply the relevant kernel security patches that address this specific memory leak issue, which typically involves modifying the hisi platform driver code to include the missing of_node_put() calls. Additionally, kernel developers should implement comprehensive code reviews focusing on device tree node management patterns, particularly ensuring that any function returning device_node structures properly accounts for reference counting semantics. The fix should be integrated into all affected kernel versions and deployed across systems utilizing HiSilicon ARM platforms to prevent the accumulation of leaked device_node structures. Organizations should also monitor their kernel versions and apply security updates promptly to maintain system integrity and prevent potential exploitation of similar memory management vulnerabilities within the kernel's device tree subsystem.
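The pairing rule described above can be observed in a small userspace model. This is an added example, not code from the kernel or from the hisi patch: the structure, the two helpers and the compatible string are constructed stand-ins that only mirror the reference-counting contract of of_find_compatible_node and of_node_put(), and demo_map, demo_init_leaky and demo_init_fixed are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
/* Userspace model, constructed for illustration: not kernel or hisi code. */
#define DEMO_COMPAT "vendor,demo-sysctrl" /* hypothetical compatible string */
struct device_node { const char *compatible; int refcount; };
static struct device_node demo_node = { DEMO_COMPAT, 1 }; /* 1 = tree's own ref */
/* Same contract as the kernel helper: a hit returns the node with its
 * refcount incremented, and the caller owns that extra reference. */
static struct device_node *of_find_compatible_node(struct device_node *from,
                                const char *type, const char *compat)
{
    (void)from; (void)type;
    if (strcmp(demo_node.compatible, compat) != 0)
        return NULL;
    demo_node.refcount++;
    return &demo_node;
}
static void of_node_put(struct device_node *np) { if (np) np->refcount--; }
static int demo_refcount(void) { return demo_node.refcount; }
/* Stand-in for a mapping step that can fail (map_ok == 0). */
static void *demo_map(struct device_node *np, int map_ok) { return map_ok ? np : NULL; }

/* Leaky shape: both return paths keep the reference taken by the lookup. */
static int demo_init_leaky(int map_ok)
{
    struct device_node *np = of_find_compatible_node(NULL, NULL, DEMO_COMPAT);
    if (!np)
        return -1;
    return demo_map(np, map_ok) ? 0 : -1;
}

/* Fixed shape: one of_node_put() after the last use covers both returns. */
static int demo_init_fixed(int map_ok)
{
    struct device_node *np = of_find_compatible_node(NULL, NULL, DEMO_COMPAT);
    if (!np)
        return -1;
    void *base = demo_map(np, map_ok);
    of_node_put(np);
    return base ? 0 : -1;
}

int main(void)
{
    demo_init_fixed(1); demo_init_fixed(0);
    printf("fixed x2: refcount=%d\n", demo_refcount());
    demo_init_leaky(1); demo_init_leaky(0);
    printf("leaky x2: refcount=%d\n", demo_refcount());
}
```

The error return is the path most often missed in review: the leaky variant loses a reference whether or not the mapping succeeds, while the fixed variant returns the count to its starting value in both cases.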
This vulnerability demonstrates the importance of proper resource management in kernel space where reference counting errors can lead to subtle but serious system stability issues. The ATT&CK framework's T1059.003 technique for kernel rootkits and system-level exploitation could potentially leverage such memory leaks as part of broader attack strategies, making timely patching essential for maintaining system security posture. The vulnerability also highlights the need for automated testing and static analysis tools that can detect reference counting mismatches in kernel code, particularly in device driver implementations that heavily utilize device tree infrastructure.