CVE-2022-50778
Out-of-Bounds Read in Fortified strlen() Reached from Linux Kernel hidinput_allocate() Causes Panic Under UBSAN_LOCAL_BOUNDS

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

fortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL

With CONFIG_FORTIFY=y and CONFIG_UBSAN_LOCAL_BOUNDS=y enabled, we observe a runtime panic while running Android's Compatibility Test Suite's (CTS) android.hardware.input.cts.tests. This is stemming from a strlen() call in hidinput_allocate().

__compiletime_strlen() is implemented in terms of __builtin_object_size(), then does an array access to check for NUL-termination.

A quirk of __builtin_object_size() is that for strings whose values are runtime dependent, __builtin_object_size(str, 1 or 0) returns the maximum size of possible values when those sizes are determinable at compile time.

Example:

    static const char *v = "FOO BAR";
    static const char *y = "FOO BA";
    unsigned long x (int z) {
      // Returns 8, which is:
      // max(__builtin_object_size(v, 1), __builtin_object_size(y, 1))
      return __builtin_object_size(z ? v : y, 1);
    }

So when FORTIFY_SOURCE is enabled, the current implementation of __compiletime_strlen() will try to access beyond the end of y at runtime using the size of v. Mixed with UBSAN_LOCAL_BOUNDS we get a fault.

hidinput_allocate() has a local C string whose value is control flow dependent on a switch statement, so __builtin_object_size(str, 1) evaluates to the maximum string length, making all other cases fault on the last character check.

hidinput_allocate() could be cleaned up to avoid runtime calls to strlen() since the local variable can only have literal values, so there's no benefit to trying to fortify the strlen call site there.

Perform a __builtin_constant_p() check against index 0 earlier in the macro to filter out the control-flow-dependent case.

Add a KUnit test for checking the expected behavioral characteristics of FORTIFY_SOURCE internals.
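The __builtin_object_size() quirk and the gate the fix adds, as an added example that is not code from the kernel, the fix, or this advisory. The pre-fix check is modeled in user space with an explicit bounds checker standing in for CONFIG_UBSAN_LOCAL_BOUNDS, so the trap is observable without crashing; the post-fix gate is written with the real GCC/Clang __builtin_object_size() and __builtin_constant_p() builtins and modeled on the description of the fix, not copied from include/linux/fortify-string.h. The candidate literal set, the model_object_size(), checked_load(), naive_check_traps() and real_object_size() helpers, and the fortified_strlen() macro are this example's own assumptions, not kernel or compiler APIs.

```c
/*
 * Added example, not code from the kernel or from the fix: a user-space model of
 * why the pre-fix __compiletime_strlen() faults under UBSAN_LOCAL_BOUNDS, next to
 * the post-fix gate written with the real GCC/Clang builtins.
 * Build: cc -O2 -Wall fortify_strlen_demo.c
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for the switch-selected local string in
 * hidinput_allocate(): the pointer may hold any of these literals at runtime.
 */
static const char *const candidates[] = { "FOO BAR", "FOO BA", "FOO" };
#define NCAND (sizeof(candidates) / sizeof(candidates[0]))

/*
 * Model of __builtin_object_size(str, 1) for a control-flow-dependent str: the
 * compiler reports the maximum size over the possible values, 8 here
 * ("FOO BAR" plus its NUL). Assumed helper, not a compiler API.
 */
static size_t model_object_size(void)
{
	size_t max = 0;

	for (size_t i = 0; i < NCAND; i++) {
		size_t sz = strlen(candidates[i]) + 1;

		if (sz > max)
			max = sz;
	}
	return max;
}

/*
 * Stand-in for CONFIG_UBSAN_LOCAL_BOUNDS: an indexed load outside the object's
 * true extent is recorded as a trap instead of being performed.
 */
struct ubsan {
	bool trapped;
	size_t bad_index;
};

static char checked_load(const char *p, size_t true_size, size_t idx, struct ubsan *u)
{
	if (idx >= true_size) {
		u->trapped = true;
		u->bad_index = idx;
		return 0;
	}
	return p[idx];
}

/*
 * Pre-fix logic: trust the reported size and read byte [size - 1] to confirm the
 * terminating NUL. For every candidate shorter than the longest one, that index
 * lies past the literal, so the bounds check fires. SIZE_MAX means "unknown".
 */
static size_t naive_compiletime_strlen(const char *p, size_t reported_size, struct ubsan *u)
{
	size_t true_size = strlen(p) + 1;	/* bytes the literal really occupies */

	if (reported_size == SIZE_MAX)
		return SIZE_MAX;
	if (checked_load(p, true_size, reported_size - 1, u) == '\0')
		return strlen(p);
	return SIZE_MAX;
}

/* Does the pre-fix check fault for this candidate at this reported size? */
static bool naive_check_traps(const char *p, size_t reported_size)
{
	struct ubsan u = { false, 0 };

	naive_compiletime_strlen(p, reported_size, &u);
	return u.trapped;
}

/*
 * The real builtin on a runtime-selected literal. The volatile keeps the choice
 * opaque to the optimizer; expect 8 (the maximum, as the commit message
 * describes) when the compiler evaluates it, or SIZE_MAX when it gives up.
 */
static size_t real_object_size(void)
{
	volatile int z = 0;

	return __builtin_object_size(z ? "FOO BAR" : "FOO BA", 1);
}

/*
 * Post-fix shape of the gate: take the compile-time path only when the compiler
 * can prove the first byte is a constant, i.e. the pointer is not control-flow
 * dependent. Anything else falls back to runtime strlen() and never touches
 * index [size - 1]. Modeled on the fix, not copied from fortify-string.h.
 */
#define fortified_strlen(ptr) ({						\
	const char *__p = (ptr);						\
	size_t __bos = __builtin_object_size(__p, 1);				\
	size_t __ret = SIZE_MAX;						\
	if (__bos != SIZE_MAX && __builtin_constant_p(*__p)) {			\
		size_t __last = __bos - 1;					\
		if (__builtin_constant_p(__p[__last]) && __p[__last] == '\0')	\
			__ret = __builtin_strlen(__p);				\
	}									\
	__ret == SIZE_MAX ? strlen(__p) : __ret;				\
})

/* Same control-flow-dependent pointer, through the gated macro. */
static size_t gated_strlen(int z)
{
	return fortified_strlen(z ? "FOO BAR" : "FOO BA");
}

int main(void)
{
	size_t bos = model_object_size();

	for (size_t i = 0; i < NCAND; i++)
		printf("\"%s\": reported size %zu, check reads index %zu -> %s\n",
		       candidates[i], bos, bos - 1,
		       naive_check_traps(candidates[i], bos) ? "UBSAN trap" : "ok");
	printf("real __builtin_object_size: %zu\n", real_object_size());
	printf("gated_strlen: %zu and %zu\n", gated_strlen(0), gated_strlen(1));
	return 0;
}
```

With the three constructed candidates the pre-fix check passes only for "FOO BAR" and traps for the two shorter literals, because it reads index 7 of a 7-byte or 4-byte object; that is the "all other cases fault on the last character check" behaviour from the commit message. The gated macro returns 6 and 7 for the same conditional whatever the compiler decides, since an unprovable first byte sends it to runtime strlen() instead of the terminator read.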
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-12-24
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: linux
Product: kernel
Version / Range: * (no specific range recorded)
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This is a crash bug in the Linux kernel's FORTIFY_SOURCE string hardening, reachable when the kernel is built with both CONFIG_FORTIFY_SOURCE (written CONFIG_FORTIFY in the commit message) and CONFIG_UBSAN_LOCAL_BOUNDS. The fortified strlen() path uses __compiletime_strlen(), which asks __builtin_object_size() how large the string object is and then reads the byte at index [size - 1] to confirm the string is NUL-terminated. For a pointer whose value depends on control flow, such as the local string set by a switch statement in hidinput_allocate(), __builtin_object_size() reports the maximum size over all the possible literals, so for every literal shorter than the longest one the confirming read lands one or more bytes past the end of the actual string. The UBSAN local-bounds instrumentation turns that out-of-bounds read into a trap, which is the kernel panic observed while running Android's CTS android.hardware.input.cts.tests.


How can this vulnerability impact me?

The effect is a kernel panic, i.e. a denial of service, on an affected kernel whenever a fortified strlen() is reached with a control-flow-dependent string, as happens in hidinput_allocate() while the HID input layer allocates an input device. The out-of-bounds access is a read past a string literal inside the fortify check itself, not a write, and the panic is raised by the UBSAN bounds trap; the description reports the fault only on kernels built with both CONFIG_FORTIFY_SOURCE and CONFIG_UBSAN_LOCAL_BOUNDS, the latter being a sanitizer option used in hardened or test builds such as Android's rather than in most production kernels. Nothing on this page indicates a memory-corruption or privilege-escalation path.


What immediate steps should I take to mitigate this vulnerability?

Update to a kernel that carries the fix "fortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL" or a stable backport of it. The fix changes the __compiletime_strlen() macro so that it first checks __builtin_constant_p() on index 0 of the string and only performs the terminator check when the string is a compile-time constant; control-flow-dependent strings such as the local in hidinput_allocate() then fall back to the runtime strlen() and the out-of-bounds read never happens. The fix also adds a KUnit test for FORTIFY_SOURCE internals. Cleaning up hidinput_allocate() so that it does not call strlen() on a variable that only ever holds literals is suggested in the commit message as a further tidy-up, not as the fix itself. If you cannot update immediately, note that the fault only occurs when both options are enabled, so building without CONFIG_UBSAN_LOCAL_BOUNDS avoids the panic at the cost of losing that sanitizer; do not drop CONFIG_FORTIFY_SOURCE, which is the hardening feature. To confirm a build is fixed, check that __compiletime_strlen() in include/linux/fortify-string.h contains the __builtin_constant_p() check on the string's first byte, or run the fortify KUnit test the fix adds.

