CVE-2022-50778 (GCVE-0-2022-50778)
Vulnerability from cvelistv5 – Published: 2025-12-24 13:06 – Updated: 2025-12-24 13:06
Title
fortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL
Summary
In the Linux kernel, the following vulnerability has been resolved:
fortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL
With CONFIG_FORTIFY=y and CONFIG_UBSAN_LOCAL_BOUNDS=y enabled, we observe
a runtime panic while running Android's Compatibility Test Suite's (CTS)
android.hardware.input.cts.tests. This is stemming from a strlen()
call in hidinput_allocate().
__compiletime_strlen() is implemented in terms of __builtin_object_size(),
then does an array access to check for NUL-termination. A quirk of
__builtin_object_size() is that for strings whose values are runtime
dependent, __builtin_object_size(str, 1 or 0) returns the maximum size
of possible values when those sizes are determinable at compile time.
Example:

```c
static const char *v = "FOO BAR";
static const char *y = "FOO BA";
unsigned long x (int z) {
	// Returns 8, which is:
	// max(__builtin_object_size(v, 1), __builtin_object_size(y, 1))
	return __builtin_object_size(z ? v : y, 1);
}
```
So when FORTIFY_SOURCE is enabled, the current implementation of
__compiletime_strlen() will try to access beyond the end of y at runtime
using the size of v. Mixed with UBSAN_LOCAL_BOUNDS we get a fault.
hidinput_allocate() has a local C string whose value is control flow
dependent on a switch statement, so __builtin_object_size(str, 1)
evaluates to the maximum string length, making all other cases fault on
the last character check. hidinput_allocate() could be cleaned up to
avoid runtime calls to strlen() since the local variable can only have
literal values, so there's no benefit to trying to fortify the strlen
call site there.
Perform a __builtin_constant_p() check against index 0 earlier in the
macro to filter out the control-flow-dependent case. Add a KUnit test
for checking the expected behavioral characteristics of FORTIFY_SOURCE
internals.
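The check the advisory describes, as an added user-space model that is not the kernel's fortify-string.h code: the macro below follows the description above (object size from __builtin_object_size(), a NUL check on the last byte, and the __builtin_constant_p() filter on index 0 added by the fix), and the fortified wrapper falls back to the plain strlen() whenever the compile-time path cannot decide, which is the behaviour the kernel's fortified strlen() has as well. The names model_compiletime_strlen, model_fortified_strlen, device_name_len and literal_len, and the device-name strings, are constructed for this example; device_name_len() stands in for the switch-dependent local string in hidinput_allocate(). Because of the fallback, the returned lengths are correct whether or not the compiler can fold the builtins at the chosen optimization level.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/*
 * Model of a fortified compile-time strlen() attempt (constructed for this
 * example, not the kernel macro itself). Returns SIZE_MAX when it cannot
 * decide at compile time.
 */
#define model_compiletime_strlen(p)                                        \
({                                                                         \
	const unsigned char *__p = (const unsigned char *)(p);             \
	size_t __ret = SIZE_MAX;                                           \
	/* Mode 1: for a control-flow-dependent pointer this is the        \
	 * MAXIMUM of the candidate sizes, not the size of the value       \
	 * actually selected at runtime. */                                \
	size_t __p_size = __builtin_object_size(p, 1);                     \
	/* The fix: only trust __p_size when the string contents are a     \
	 * compile-time constant. For a switch/ternary-selected pointer    \
	 * __builtin_constant_p(__p[0]) is false, so the possibly too       \
	 * large __p_size is never used to index the string. */            \
	if (__p_size != SIZE_MAX && __builtin_constant_p(__p[0])) {        \
		size_t __p_len = __p_size - 1;                             \
		if (__p[__p_len] == '\0')                                  \
			__ret = __builtin_strlen((const char *)__p);       \
	}                                                                  \
	__ret;                                                             \
})

/* Fortified strlen(): compile-time answer when available, plain strlen()
 * otherwise. The fallback is what keeps the result correct at -O0 too. */
#define model_fortified_strlen(p)                                          \
({                                                                         \
	size_t __len = model_compiletime_strlen(p);                        \
	__len == SIZE_MAX ? strlen(p) : __len;                             \
})

/* Constructed stand-in for hidinput_allocate(): a local C string whose
 * value depends on a switch, so __builtin_object_size() sees several
 * candidate literals of different lengths. */
size_t device_name_len(int kind)
{
	const char *name;

	switch (kind) {
	case 0:  name = "Keyboard"; break;
	case 1:  name = "Mouse";    break;
	default: name = "Pad";      break;
	}
	return model_fortified_strlen(name);
}

/* Pure-literal case: here the compile-time path may legitimately answer. */
size_t literal_len(void)
{
	return model_fortified_strlen("Keyboard");
}

int main(void)
{
	printf("Keyboard: %zu\n", device_name_len(0));
	printf("Mouse:    %zu\n", device_name_len(1));
	printf("Pad:      %zu\n", device_name_len(2));
	printf("literal:  %zu\n", literal_len());
	return 0;
}
```

Without the __builtin_constant_p(__p[0]) condition, the "Mouse" and "Pad" cases would index the string at the length of "Keyboard", which is exactly the out-of-bounds access that UBSAN_LOCAL_BOUNDS turns into a fault in the kernel.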
Severity
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ed42391164e6839a48aaf4c53eefda516835e799 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5d59ad2bfb35fccfe2ad5e8bb8801f6224d3f7d4 (git) |
| Linux | Linux | Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d07c0acb4f41cc42a0d97530946965b3e4fa68c1 (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"include/linux/fortify-string.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "ed42391164e6839a48aaf4c53eefda516835e799",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "5d59ad2bfb35fccfe2ad5e8bb8801f6224d3f7d4",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "d07c0acb4f41cc42a0d97530946965b3e4fa68c1",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"include/linux/fortify-string.h"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.19.*",
"status": "unaffected",
"version": "5.19.17",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.19.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL\n\nWith CONFIG_FORTIFY=y and CONFIG_UBSAN_LOCAL_BOUNDS=y enabled, we observe\na runtime panic while running Android\u0027s Compatibility Test Suite\u0027s (CTS)\nandroid.hardware.input.cts.tests. This is stemming from a strlen()\ncall in hidinput_allocate().\n\n__compiletime_strlen() is implemented in terms of __builtin_object_size(),\nthen does an array access to check for NUL-termination. A quirk of\n__builtin_object_size() is that for strings whose values are runtime\ndependent, __builtin_object_size(str, 1 or 0) returns the maximum size\nof possible values when those sizes are determinable at compile time.\nExample:\n\n static const char *v = \"FOO BAR\";\n static const char *y = \"FOO BA\";\n unsigned long x (int z) {\n // Returns 8, which is:\n // max(__builtin_object_size(v, 1), __builtin_object_size(y, 1))\n return __builtin_object_size(z ? v : y, 1);\n }\n\nSo when FORTIFY_SOURCE is enabled, the current implementation of\n__compiletime_strlen() will try to access beyond the end of y at runtime\nusing the size of v. Mixed with UBSAN_LOCAL_BOUNDS we get a fault.\n\nhidinput_allocate() has a local C string whose value is control flow\ndependent on a switch statement, so __builtin_object_size(str, 1)\nevaluates to the maximum string length, making all other cases fault on\nthe last character check. hidinput_allocate() could be cleaned up to\navoid runtime calls to strlen() since the local variable can only have\nliteral values, so there\u0027s no benefit to trying to fortify the strlen\ncall site there.\n\nPerform a __builtin_constant_p() check against index 0 earlier in the\nmacro to filter out the control-flow-dependant case. Add a KUnit test\nfor checking the expected behavioral characteristics of FORTIFY_SOURCE\ninternals."
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T13:06:07.182Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/ed42391164e6839a48aaf4c53eefda516835e799"
},
{
"url": "https://git.kernel.org/stable/c/5d59ad2bfb35fccfe2ad5e8bb8801f6224d3f7d4"
},
{
"url": "https://git.kernel.org/stable/c/d07c0acb4f41cc42a0d97530946965b3e4fa68c1"
}
],
"title": "fortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50778",
"datePublished": "2025-12-24T13:06:07.182Z",
"dateReserved": "2025-12-24T13:02:21.547Z",
"dateUpdated": "2025-12-24T13:06:07.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2022-50778\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-24T13:16:04.640\",\"lastModified\":\"2025-12-24T13:16:04.640\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL\\n\\nWith CONFIG_FORTIFY=y and CONFIG_UBSAN_LOCAL_BOUNDS=y enabled, we observe\\na runtime panic while running Android\u0027s Compatibility Test Suite\u0027s (CTS)\\nandroid.hardware.input.cts.tests. This is stemming from a strlen()\\ncall in hidinput_allocate().\\n\\n__compiletime_strlen() is implemented in terms of __builtin_object_size(),\\nthen does an array access to check for NUL-termination. A quirk of\\n__builtin_object_size() is that for strings whose values are runtime\\ndependent, __builtin_object_size(str, 1 or 0) returns the maximum size\\nof possible values when those sizes are determinable at compile time.\\nExample:\\n\\n static const char *v = \\\"FOO BAR\\\";\\n static const char *y = \\\"FOO BA\\\";\\n unsigned long x (int z) {\\n // Returns 8, which is:\\n // max(__builtin_object_size(v, 1), __builtin_object_size(y, 1))\\n return __builtin_object_size(z ? v : y, 1);\\n }\\n\\nSo when FORTIFY_SOURCE is enabled, the current implementation of\\n__compiletime_strlen() will try to access beyond the end of y at runtime\\nusing the size of v. Mixed with UBSAN_LOCAL_BOUNDS we get a fault.\\n\\nhidinput_allocate() has a local C string whose value is control flow\\ndependent on a switch statement, so __builtin_object_size(str, 1)\\nevaluates to the maximum string length, making all other cases fault on\\nthe last character check. hidinput_allocate() could be cleaned up to\\navoid runtime calls to strlen() since the local variable can only have\\nliteral values, so there\u0027s no benefit to trying to fortify the strlen\\ncall site there.\\n\\nPerform a __builtin_constant_p() check against index 0 earlier in the\\nmacro to filter out the control-flow-dependant case. Add a KUnit test\\nfor checking the expected behavioral characteristics of FORTIFY_SOURCE\\ninternals.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/5d59ad2bfb35fccfe2ad5e8bb8801f6224d3f7d4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d07c0acb4f41cc42a0d97530946965b3e4fa68c1\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ed42391164e6839a48aaf4c53eefda516835e799\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}