{ "threat_severity" : "Low", "public_date" : "2025-12-24T00:00:00Z", "bugzilla" : { "description" : "kernel: fortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL", "id" : "2425136", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2425136" }, "cvss3" : { "cvss3_base_score" : "3.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status" : "verified" }, "cwe" : "CWE-125", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nfortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL\nWith CONFIG_FORTIFY=y and CONFIG_UBSAN_LOCAL_BOUNDS=y enabled, we observe\na runtime panic while running Android's Compatibility Test Suite's (CTS)\nandroid.hardware.input.cts.tests. This is stemming from a strlen()\ncall in hidinput_allocate().\n__compiletime_strlen() is implemented in terms of __builtin_object_size(),\nthen does an array access to check for NUL-termination. A quirk of\n__builtin_object_size() is that for strings whose values are runtime\ndependent, __builtin_object_size(str, 1 or 0) returns the maximum size\nof possible values when those sizes are determinable at compile time.\nExample:\nstatic const char *v = \"FOO BAR\";\nstatic const char *y = \"FOO BA\";\nunsigned long x (int z) {\n// Returns 8, which is:\n// max(__builtin_object_size(v, 1), __builtin_object_size(y, 1))\nreturn __builtin_object_size(z ? v : y, 1);\n}\nSo when FORTIFY_SOURCE is enabled, the current implementation of\n__compiletime_strlen() will try to access beyond the end of y at runtime\nusing the size of v. Mixed with UBSAN_LOCAL_BOUNDS we get a fault.\nhidinput_allocate() has a local C string whose value is control flow\ndependent on a switch statement, so __builtin_object_size(str, 1)\nevaluates to the maximum string length, making all other cases fault on\nthe last character check. hidinput_allocate() could be cleaned up to\navoid runtime calls to strlen() since the local variable can only have\nliteral values, so there's no benefit to trying to fortify the strlen\ncall site there.\nPerform a __builtin_constant_p() check against index 0 earlier in the\nmacro to filter out the control-flow-dependant case. Add a KUnit test\nfor checking the expected behavioral characteristics of FORTIFY_SOURCE\ninternals." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2023-11-14T00:00:00Z", "advisory" : "RHSA-2023:7077", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "kernel-0:4.18.0-513.5.1.el8_9" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-05-09T00:00:00Z", "advisory" : "RHSA-2023:2458", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-284.11.1.el9_2" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2023-05-09T00:00:00Z", "advisory" : "RHSA-2023:2458", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-284.11.1.el9_2" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-50778\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-50778\nhttps://lore.kernel.org/linux-cve-announce/2025122400-CVE-2022-50778-0b9a@gregkh/T" ], "name" : "CVE-2022-50778", "csaw" : false }