CVE-2022-49507: regulator: da9121: Fix uninit-value in da9121_assign_chip_model()
In the Linux kernel, the following vulnerability has been resolved:
regulator: da9121: Fix uninit-value in da9121_assign_chip_model()
KASAN report slab-out-of-bounds in __regmap_init as follows:
BUG: KASAN: slab-out-of-bounds in __regmap_init drivers/base/regmap/regmap.c:841
Read of size 1 at addr ffff88803678cdf1 by task xrun/9137
CPU: 0 PID: 9137 Comm: xrun Tainted: G W 5.18.0-rc2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x15a lib/dump_stack.c:88
print_report.cold+0xcd/0x69b mm/kasan/report.c:313
kasan_report+0x8e/0xc0 mm/kasan/report.c:491
__regmap_init+0x4540/0x4ba0 drivers/base/regmap/regmap.c:841
__devm_regmap_init+0x7a/0x100 drivers/base/regmap/regmap.c:1266
__devm_regmap_init_i2c+0x65/0x80 drivers/base/regmap/regmap-i2c.c:394
da9121_i2c_probe+0x386/0x6d1 drivers/regulator/da9121-regulator.c:1039
i2c_device_probe+0x959/0xac0 drivers/i2c/i2c-core-base.c:563
This happend when da9121 device is probe by da9121_i2c_id, but with
invalid dts. Thus, chip->subvariant_id is set to -EINVAL, and later
da9121_assign_chip_model() will access 'regmap' without init it.
Fix it by return -EINVAL from da9121_assign_chip_model() if
'chip->subvariant_id' is invalid.
Security readout for executives and security teams
Plain-English summary
A Linux kernel regulator driver can read memory out of bounds when it handles an invalid device-tree setup for the DA9121 device. The reported impact is availability: a local user with privileges could trigger a kernel fault or denial of service. The provided sources do not show active exploitation.
Executive priority
Treat as a targeted kernel availability risk, not a broad remote compromise. Prioritize patching embedded, appliance, or custom-hardware Linux deployments where device-tree inputs and regulator drivers are relevant.
Technical view
CVE-2022-49507 is an uninitialized-value flaw in da9121_assign_chip_model(). With an invalid DTS, chip->subvariant_id can become -EINVAL, after which the driver accesses an uninitialized regmap path during probe, producing a KASAN slab-out-of-bounds report. The kernel fix returns -EINVAL when subvariant_id is invalid.
Likely exposure
Exposure is most plausible on Linux systems using affected kernel versions with the DA9121 regulator driver and relevant I2C/device-tree configuration paths. General servers without this hardware, driver path, or mutable device-tree inputs are less likely to be exposed, but kernel package provenance should be verified.
Exploitation context
The CVSS vector is local, low complexity, low privileges, no user interaction, and high availability impact. KEV is false in the bundle, and no cited source reports active exploitation. The trigger described is an invalid DTS during device probe, not a remote network condition.
Researcher notes
The evidence is limited to the CVE record and Linux stable commits. The affected-version data in the bundle is not a clean vendor matrix, so rely on kernel or distribution advisories for exact fixed releases. Do not assume confidentiality or integrity impact from these sources.
Mitigation direction
Update to a kernel containing the referenced stable fixes or a distro backport.
Check your Linux vendor advisory for the patched package version.
Restrict device-tree, overlay, and boot-configuration changes to trusted administrators.
Prioritize systems using the DA9121 regulator driver or custom hardware images.
Validation and detection
Inventory kernel versions and compare them with vendor fixed builds.
Check whether the DA9121 regulator driver is built or loaded.
Review device-tree overlay and hardware configuration management paths.
Confirm patch presence by mapping your kernel package to the referenced stable commits.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-908: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-908 · source CWE mapping
Use of Uninitialized Resource
Use of Uninitialized Resource represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.