{ "threat_severity" : "Moderate", "public_date" : "2025-02-26T00:00:00Z", "bugzilla" : { "description" : "kernel: ASoC: cs35l41: Fix an out-of-bounds access in otp_packed_element_t", "id" : "2347879", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2347879" }, "cvss3" : { "cvss3_base_score" : "7.0", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nASoC: cs35l41: Fix an out-of-bounds access in otp_packed_element_t\nThe CS35L41_NUM_OTP_ELEM is 100, but only 99 entries are defined in\nthe array otp_map_1/2[CS35L41_NUM_OTP_ELEM], this will trigger UBSAN\nto report a shift-out-of-bounds warning in the cs35l41_otp_unpack()\nsince the last entry in the array will result in GENMASK(-1, 0).\nUBSAN reports this problem:\nUBSAN: shift-out-of-bounds in /home/hwang4/build/jammy/jammy/sound/soc/codecs/cs35l41-lib.c:836:8\nshift exponent 64 is too large for 64-bit type 'long unsigned int'\nCPU: 10 PID: 595 Comm: systemd-udevd Not tainted 5.15.0-23-generic #23\nHardware name: LENOVO \\x02MFG_IN_GO/\\x02MFG_IN_GO, BIOS N3GET19W (1.00 ) 03/11/2022\nCall Trace:\n\nshow_stack+0x52/0x58\ndump_stack_lvl+0x4a/0x5f\ndump_stack+0x10/0x12\nubsan_epilogue+0x9/0x45\n__ubsan_handle_shift_out_of_bounds.cold+0x61/0xef\n? regmap_unlock_mutex+0xe/0x10\ncs35l41_otp_unpack.cold+0x1c6/0x2b2 [snd_soc_cs35l41_lib]\ncs35l41_hda_probe+0x24f/0x33a [snd_hda_scodec_cs35l41]\ncs35l41_hda_i2c_probe+0x65/0x90 [snd_hda_scodec_cs35l41_i2c]\n? cs35l41_hda_i2c_remove+0x20/0x20 [snd_hda_scodec_cs35l41_i2c]\ni2c_device_probe+0x252/0x2b0", "A vulnerability was found in the Linux kernel's CS35L41 driver. The constant `CS35L41_NUM_OTP_ELEM` is defined as 100 but is used by the arrays `otp_map_1` and `otp_map_2`, which are both expected to contain only 99 elements. This mismatch causes the code to access memory past the array boundaries when accessing an element at the 99th index, resulting in out-of-bounds access, which can lead to system instability, memory corruption, or potential code execution." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2022-11-08T00:00:00Z", "advisory" : "RHSA-2022:7683", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-425.3.1.el8" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2022-11-15T00:00:00Z", "advisory" : "RHSA-2022:8267", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-162.6.1.el9_1" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2022-11-15T00:00:00Z", "advisory" : "RHSA-2022:8267", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-162.6.1.el9_1" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Will not fix", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Will not fix", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-49515\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49515\nhttps://lore.kernel.org/linux-cve-announce/2025022610-CVE-2022-49515-61ba@gregkh/T" ], "name" : "CVE-2022-49515", "csaw" : false }