CVE-2022-49518

{"id": "CVE-2022-49518", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.8}]}, "published": "2025-02-26T07:01:27.837", "references": [{"url": "https://git.kernel.org/stable/c/896b03bb7c7010042786cfae2115083d4c241dd3", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a962890a5a3cce903ff7c7a19fadee63ed9efdc7", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-125"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: SOF: ipc3-topology: Correct get_control_data for non bytes payload\n\nIt is possible to craft a topology where sof_get_control_data() would do\nout of bounds access because it expects that it is only called when the\npayload is bytes type.\nConfusingly it also handles other types of controls, but the payload\nparsing implementation is only valid for bytes.\n\nFix the code to count the non bytes controls and instead of storing a\npointer to sof_abi_hdr in sof_widget_data (which is only valid for bytes),\nstore the pointer to the data itself and add a new member to save the size\nof the data.\n\nIn case of non bytes controls we store the pointer to the chanv itself,\nwhich is just an array of values at the end.\n\nIn case of bytes control, drop the wrong cdata->data (wdata[i].pdata) check\nagainst NULL since it is incorrect and invalid in this context.\nThe data is pointing to the end of cdata struct, so it should never be\nnull."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ASoC: SOF: ipc3-topology: get_control_data correcto para payload que no sea de bytes Es posible crear una topolog\u00eda donde sof_get_control_data() har\u00eda acceso fuera de los l\u00edmites porque espera que solo se llame cuando el payload sea de tipo bytes. Confusamente tambi\u00e9n maneja otros tipos de controles, pero la implementaci\u00f3n del an\u00e1lisis del payload solo es v\u00e1lida para bytes. Corrija el c\u00f3digo para contar los controles que no sean de bytes y en lugar de almacenar un puntero a sof_abi_hdr en sof_widget_data (que solo es v\u00e1lido para bytes), almacene el puntero a los datos en s\u00ed y agregue un nuevo miembro para guardar el tama\u00f1o de los datos. En el caso de controles que no sean de bytes, almacenamos el puntero al chanv en s\u00ed, que es solo una matriz de valores al final. En el caso del control de bytes, elimine la comprobaci\u00f3n incorrecta cdata->data (wdata[i].pdata) contra NULL ya que es incorrecta e inv\u00e1lida en este contexto. Los datos apuntan al final de la estructura cdata, por lo que nunca deben ser nulos."}], "lastModified": "2025-10-21T12:07:55.643", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8E122216-2E9E-4B3E-B7B8-D575A45BA3C2", "versionEndExcluding": "5.18.3", "versionStartIncluding": "5.18"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}