CVE-2022-49656 in Linux

Summary

by MITRE • 02/26/2025

In the Linux kernel, the following vulnerability has been resolved:

ARM: meson: Fix refcount leak in meson_smp_prepare_cpus

of_find_compatible_node() returns a node pointer with refcount incremented; we should use of_node_put() on it when done. Add missing of_node_put() to avoid refcount leak.


Analysis

by VulDB Data Team • 02/26/2025

The vulnerability CVE-2022-49656 represents a memory management issue within the Linux kernel's ARM architecture support, specifically affecting the meson platform implementation. This flaw manifests as a reference count leak in the meson_smp_prepare_cpus function, which is responsible for preparing CPU cores in symmetric multiprocessing configurations for meson-based systems. The issue occurs during the device tree node traversal process where the kernel attempts to locate compatible nodes for system configuration. The problem stems from improper handling of device tree node references, creating a scenario where allocated resources are not properly released back to the system.

The technical root cause of this vulnerability lies in the improper management of device tree node references returned by the of_find_compatible_node() function. This kernel API function increments the reference count of the returned device tree node pointer to ensure the node remains valid during use. However, the meson_smp_prepare_cpus function fails to call of_node_put() to decrement the reference count when the node pointer is no longer needed. This oversight creates a memory leak where the reference count remains incremented indefinitely, preventing the kernel from properly releasing the associated device tree node resources. The vulnerability is classified as a resource leak under CWE-404, specifically involving improper resource management in kernel space operations.

The operational impact of this reference count leak extends beyond simple memory consumption issues, potentially leading to system instability and resource exhaustion over time. As the kernel continues to process multiple CPU preparation requests, each instance of the leak accumulates, gradually consuming available memory resources. This can manifest as degraded system performance, reduced responsiveness, or, in severe cases, system crashes or lockups. The vulnerability affects ARM-based systems running Linux kernels that implement the meson platform support, particularly those utilizing device tree configurations for hardware description. The issue is particularly concerning in embedded systems and server environments where long-running processes and frequent CPU management operations are common.

Mitigation strategies for CVE-2022-49656 involve applying the official kernel patch that adds the missing of_node_put() call to properly release the device tree node references. System administrators should prioritize updating their kernel versions to include this fix, particularly in production environments where resource management is critical. The patch implementation follows established kernel development practices and aligns with the ATT&CK framework's defensive techniques for preventing resource exhaustion attacks. Organizations should implement regular kernel update schedules and vulnerability monitoring to prevent similar issues from accumulating.

Additionally, kernel developers should follow strict coding guidelines for device tree node management, ensuring all of_find_compatible_node() calls are properly paired with corresponding of_node_put() operations. This vulnerability demonstrates the importance of proper resource management in kernel space and highlights the need for comprehensive testing of device tree integration in embedded systems. The fix addresses the fundamental issue of reference counting in device tree node handling, which is crucial for maintaining system stability and preventing denial-of-service conditions through resource exhaustion attacks.
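The lookup/release pairing described in the analysis above, shown as an added userspace model in C; this is not the kernel source or the upstream patch. `struct node`, `model_find_compatible()`, `model_node_put()`, the two `prepare_*` functions, `leaked_refs()` and the `example,smp-sram` string are assumptions standing in for the device tree API and the platform code.

```c
#include <stdio.h>
#include <string.h>

/* Userspace model of one device tree node; the compatible string is constructed. */
static struct node { const char *compatible; int refcount; } sram = { "example,smp-sram", 1 };

/* Models of_find_compatible_node(): a match is returned with its refcount raised. */
static struct node *model_find_compatible(const char *compat)
{
    if (strcmp(sram.compatible, compat) != 0)
        return NULL;
    sram.refcount++;
    return &sram;
}
/* Models of_node_put(): releases the reference taken by the lookup. */
static void model_node_put(struct node *np) { if (np) np->refcount--; }

/* Pre-fix shape: the lookup succeeds, but no exit releases the reference. */
static int prepare_leaky(const char *compat, int map_ok)
{
    struct node *np = model_find_compatible(compat);
    if (!np)
        return -1;
    return map_ok ? 0 : -2;   /* later setup may succeed or fail; np is never put */
}

/* Post-fix shape: release as soon as the node is no longer needed. */
static int prepare_fixed(const char *compat, int map_ok)
{
    struct node *np = model_find_compatible(compat);
    if (!np)
        return -1;
    model_node_put(np);       /* done with np: release before any later exit */
    return map_ok ? 0 : -2;
}

/* References left behind by one call to fn (0 means lookup and put are balanced). */
static int leaked_refs(int (*fn)(const char *, int), const char *compat, int map_ok)
{
    int before = sram.refcount;
    fn(compat, map_ok);
    return sram.refcount - before;
}

int main(void)
{
    printf("leaky=%d fixed=%d\n", leaked_refs(prepare_leaky, sram.compatible, 1), leaked_refs(prepare_fixed, sram.compatible, 1));
    return 0;
}
```

In the model the leaky variant leaves one extra reference on both the success and the failure exit, which is why review of such code checks every return after the lookup.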

Responsible: Linux
Reservation: 02/26/2025
Disclosure: 02/26/2025
Moderation: accepted
CPE: ready
EPSS: 0.00244
KEV: no
Activities: very low
