CVE CyberSecurity Database News

CVE-2022-48655 - How a Linux Kernel SCMI Reset Bug Could Crash Your System (with Code & Details)

Poster -

The Linux kernel is the heart of most servers, desktops, and phones today. When it has a bug, millions of systems may be at risk. In this post, we’ll break down CVE-2022-48655, a bug in the firmware's arm_scmi driver, walk through how it worked, how it was fixed, and even how attackers could have exploited it. It’s a great example of why careful coding and safety checks matter in low-level kernel code.

What Is SCMI and Why Should I Care?

SCMI stands for System Control and Management Interface. It's a protocol used by ARM platforms for communication between the main CPU and firmware. SCMI handles tasks like resetting domains (like CPUs or other chips) through its “reset” protocol.

The Bug In a Nutshell

Before the fix, when the SCMI reset driver was asked to perform operations—like resetting a CPU—it looked up internal tables (arrays of descriptors) using an index provided by the requesting driver. If that index was out of range (too high or even negative, after conversion), it would cause the kernel to read or write memory it shouldn’t (an *out-of-bounds* access).

This could lead to a system crash, information leak, or even a full system takeover if properly exploited.

Before the patch, the function that handled reset requests looked roughly like this (simplified)

// This is NOT the actual code, but conceptually similar
struct reset_domain *domain = &scmi_desc->domains[idx];
do_something_with(domain->some_member);

Here, idx could come straight from user input or a buggy driver, with no checks! If idx was out of the valid range, it would read past the end of the array—classic undefined behavior.

The solution was simple—always check that the index is inside the valid range

if (idx <  || idx >= scmi_desc->num_domains) {
    return -EINVAL;   // Return an error
}
struct reset_domain *domain = &scmi_desc->domains[idx];
do_something_with(domain->some_member);

This stops out-of-bounds memory accesses in their tracks, preventing crashes or bugs from cascading into major issues.

*Reference: The official patch commit on kernel.org*

Example Exploit Scenario

Let’s say you have a local user with permission to send SCMI reset requests to the kernel (common on systems using ARM Trusted Firmware). If you send a request with a bad index (say, 99999), here’s what could happen:

The index points way past the array — so the kernel reads or writes random memory.

3. If the attacker is lucky or smart, they could corrupt vital data—maybe overwrite function pointers or change privileges.

Proof-of-Concept (PoC) Sketch

> Note: Real exploitation is non-trivial and dangerous, but here’s a (HARDCODED / NON-WORKING) mockup:

// This is a sketch - not a working exploit!
int fd = open("/dev/scmi_reset", O_RDWR);
struct scmi_reset_args args;
args.domain_index = 99999; // Invalid, out-of-bounds index
ioctl(fd, SCMI_RESET_PERFORM, &args); // Dangerous before the fix!

Affected Systems: Linux running on ARM with SCMI firmware interface.

- Patched in: Linux kernel mainline commit 4668d7d489b506678def3f3ec3098dab828a8be (December 2022).

References

- CVE-2022-48655 on MITRE
- The official patch commit on kernel.org
- SCMI documentation in Linux kernel

Summary

CVE-2022-48655 shows how simple bounds checks can prevent nasty kernel bugs. If you’re in the ARM or Linux space, double-check your code. Tiny mistakes in kernel drivers can have big consequences!

Timeline

Published on: 04/28/2024 13:15:07 UTC
Last modified on: 05/25/2024 15:15:08 UTC