Integer Overflow Vulnerability in Linux Kernel Firmware Handling
CVE-2022-50330
What is CVE-2022-50330?
In the Linux kernel, an integer overflow vulnerability has been identified when loading untrusted firmware. This issue arises from the calculation involving the 'code_length' value from a firmware file, specifically during the multiplication of 'ntohl(ucode->code_length) * 2'. If the firmware is compromised or untrusted, the integer overflow could lead to unexpected behavior or potential exploitation of the system. Efforts to mitigate the risk include marking data read from the filesystem as untrusted and providing warnings when not properly capped. This vulnerability emphasizes the importance of secure firmware handling practices.
Affected Version(s)
Linux 9e2c7d99941d000a36f68a3594cec27a1bbea274
Linux 9e2c7d99941d000a36f68a3594cec27a1bbea274 < 90e483e7f20c32287d2a9da967e122938f52737a
Linux 9e2c7d99941d000a36f68a3594cec27a1bbea274 < 584561e94260268abe1c83e00d9c205565cb7bc5