CVE Radar

CVE-2022-50322

Medium Severity | Linux
SVRS: 30
CVSSv3: 5.5
EPSS: 0.00143
Tags: In The Wild
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Publication date: 2025-09-15
Last modified: 2025-09-16

Security Intelligence Brief

1. What is this vulnerability and why does it matter?
This vulnerability, CVE-2022-50322, concerns a function prototype mismatch within the Linux kernel's `rtc: msc313` driver, specifically in the `msc313_rtc_probe()` function. When `clk_disable_unprepare()` was passed directly as a callback argument to `devm_add_action_or_reset()`, their prototypes did not match. This issue is particularly relevant for systems where Clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG) is enabled. kCFI is designed to validate indirect call targets against expected function pointer prototypes to mitigate Return-Oriented Programming (ROP) attacks. A prototype mismatch under kCFI leads to a runtime failure, manifesting as either a kernel panic or the affected thread being killed. Therefore, this vulnerability matters because it can cause system instability (denial of service) on kCFI-enabled systems and, by undermining kCFI's integrity checks, could potentially weaken a system's defense against ROP attacks.

2. What are the CVSS score, severity level, and disclosure details?
The CVSS score for this vulnerability is 5.5, which typically categorizes it as a Medium severity level vulnerability.

Disclosure Details:
  • Published: 2025-09-15 14:48:55 UTC
  • Modified: 2025-09-16 08:02:08 UTC

3. Which products, vendors, systems, and versions are affected?
Product: Linux kernel
Vendor: Linux
Systems Affected: Systems running the Linux kernel with Clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG) enabled, specifically those utilizing the `rtc: msc313` driver.
Versions Affected: Specific Linux kernel versions containing the described function prototype mismatch in `msc313_rtc_probe()` prior to the implementation of the fix. The CVE record summarized here does not specify exact version ranges; it indicates only that versions before the stated "resolved" status are affected. The VulDB entry quoted further down this page lists Linux kernel up to 6.0.16/6.1.2.

4. What is the technical root cause and attack vector?
Technical Root Cause: The root cause is a function prototype mismatch in the `msc313_rtc_probe()` function within the `rtc: msc313` driver in the Linux kernel. Specifically, `clk_disable_unprepare()` was directly passed to `devm_add_action_or_reset()` as a callback argument, but their function prototypes were not identical. This discrepancy was highlighted by Clang's `-Wcast-function-type-strict` flag.

Attack Vector: The vulnerability itself does not describe a direct external attack vector leading to arbitrary code execution. Instead, it describes an internal kernel integrity issue. When kCFI is enabled, this prototype mismatch causes a runtime failure (kernel panic or thread termination). While not a direct attack vector for remote code execution, it signifies a denial of service vector and a potential weakening of kernel security mechanisms designed to prevent ROP attacks if an attacker could trigger the vulnerable code path.

5. How can this vulnerability be exploited?
This vulnerability is not described as being exploitable to gain arbitrary code execution or elevate privileges directly. Instead, it manifests as a reliability issue. If a system running an affected Linux kernel with kCFI enabled attempts to execute the `msc313_rtc_probe()` function with the mismatched prototype, the kCFI mechanism will detect the inconsistency. This detection will result in a runtime failure, such as a kernel panic or the affected thread being killed. Therefore, exploitation would primarily lead to a denial of service condition rather than direct system compromise. An attacker would likely need local access or the ability to trigger the module's initialization to cause this state.

6. What mitigation steps and patches are available?
The vulnerability has been resolved in subsequent Linux kernel versions. The fix involves refactoring the `msc313_rtc_probe()` function to use `devm_clk_get_enabled()` instead of directly passing `clk_disable_unprepare()` to `devm_add_action_or_reset()`. This ensures that the function prototypes match, preventing the kCFI runtime failure.

Mitigation:
  • Update the Linux kernel to a version that includes the fix for CVE-2022-50322.
  • If immediate patching is not possible, and if the `rtc: msc313` driver is not critical for system operation, consider disabling or blacklisting the module if feasible (though this is a less robust solution).

7. How can vulnerable systems be detected?
Vulnerable systems can be detected by examining the following:
  • Kernel Version: Identify the running Linux kernel version. Compare it against the versions where the fix for CVE-2022-50322 was integrated. Specific patch information would typically be available in the kernel changelog or vendor advisories.
  • Kernel Configuration: Check if Clang's kernel control flow integrity (kCFI, `CONFIG_CFI_CLANG`) is enabled in the kernel configuration. The vulnerability primarily impacts systems where kCFI is active.
  • Driver Usage: Verify if the `rtc: msc313` driver is in use or loaded on the system. The vulnerability is specific to this driver.

8. What are the indicators of compromise (IOCs)?
For this specific vulnerability, the primary indicators of compromise (IOCs) are related to system instability and errors under specific conditions:
  • Kernel Panic: Detection of unexpected kernel panics, particularly when the `rtc: msc313` driver is being initialized or accessed, and kCFI is enabled.
  • Thread Termination: Unexplained termination or killing of kernel threads related to the `rtc: msc313` functionality.
  • System Logs: Reviewing kernel logs (`dmesg`, `/var/log/kern.log`, etc.) for messages indicating kCFI failures, function prototype mismatches, or errors related to `msc313_rtc_probe()`.
These IOCs primarily indicate the manifestation of the vulnerability rather than a successful external attack leveraging it for code execution.
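
The checks from sections 7 and 8, combined into one triage script. This is an added example, not tooling from CVE Radar or the kernel project. The Kconfig symbol `CONFIG_RTC_DRV_MSC313`, the function names, and the sample config and log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Triage for CVE-2022-50322 from a kernel config and a kernel log.

# True when Clang kCFI is enabled in the given kernel config.
cfi_enabled() { grep -q '^CONFIG_CFI_CLANG=y' "$1"; }

# True when the msc313 RTC driver is built in (y) or modular (m).
# CONFIG_RTC_DRV_MSC313 is an assumed symbol name, not taken from the page.
driver_built() { grep -Eq '^CONFIG_RTC_DRV_MSC313=[ym]' "$1"; }

# Print kCFI failure lines naming the driver or the mismatched callback.
cfi_hits() {
    grep 'CFI failure' "$1" | grep -E 'msc313|clk_disable_unprepare' || true
}

# Classify a host: the failure described above needs both kCFI and the driver.
triage() {
    cfg=$1
    log=$2
    if ! cfi_enabled "$cfg"; then echo "not-exposed: kCFI off"; return 0; fi
    if ! driver_built "$cfg"; then echo "not-exposed: driver absent"; return 0; fi
    n=$(cfi_hits "$log" | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "triggered: $n kCFI failure(s)"
    else
        echo "exposed: confirm the kernel carries the fix"
    fi
}

# Constructed sample inputs (not captured from a real host).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'CONFIG_CFI_CLANG=y' 'CONFIG_RTC_DRV_MSC313=m' > "$demo_dir/config"
printf '%s\n' \
    'rtc-msc313 1f002400.rtc: registered as rtc0' \
    'CFI failure at devm_action_release+0x2c/0x40 (target: clk_disable_unprepare+0x0/0x58; expected type: 0x1d2c3b4a)' \
    > "$demo_dir/kern.log"

triage "$demo_dir/config" "$demo_dir/kern.log"
```

On a real host, pass the running kernel's config file and a saved copy of the kernel log in place of the sample files.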

9. Which threat actors are known to exploit this vulnerability?
Based on the provided CVE data, there is no information indicating specific threat actors are known to exploit CVE-2022-50322. This vulnerability primarily results in system instability (kernel panic or thread termination) rather than a direct path to compromise, making it less attractive for typical exploit chains aiming for data exfiltration or persistent access.

10. What public intelligence references and advisories exist?
The primary public intelligence reference for this vulnerability is its CVE identifier:
  • CVE-2022-50322
Further details and specific patch information would typically be found in:
  • Linux kernel mailing list archives.
  • Official advisories from Linux kernel distributors (e.g., Red Hat, Debian, Ubuntu, SUSE) once the fix is integrated into their respective kernel packages.
  • Security vulnerability databases that aggregate CVE information.

11. What is the risk assessment and urgency level?
Risk Assessment: The risk associated with CVE-2022-50322 is rated as Medium, with a CVSS score of 5.5. The direct impact of this vulnerability is a denial of service (kernel panic or thread killed) when the affected code path is triggered on systems with kCFI enabled. While this does not lead to direct arbitrary code execution, repeated or targeted triggering could disrupt critical services. Furthermore, kCFI is a security mechanism designed to mitigate ROP attacks. A flaw that causes kCFI to fail could, indirectly, reduce the overall exploit mitigation posture of the system, potentially making it more susceptible to other ROP-based vulnerabilities if they were present and could leverage the kCFI failure.

Urgency Level: The urgency level to address this vulnerability is Moderate to High, especially for environments where system stability and kernel integrity are paramount, or where kCFI is considered a critical security control. Although it doesn't provide direct remote code execution, a denial of service can be disruptive. For critical infrastructure or systems requiring high availability, patching should be prioritized to prevent potential instability and maintain the integrity of kernel security features. Regular patching cycles should include this fix.

No IOCs found for this CVE

No exploits found for this CVE

CVE-2022-50322 | Linux Kernel up to 6.0.16/6.1.2 msc313_rtc_probe control flow
vuldb.com, 2025-12-05
A vulnerability was found in Linux Kernel up to 6.0.16/6.1.2. It has been classified as critical. Affected by this vulnerability is the function msc313_rtc_probe. This manipulation causes incorrect control flow. The identification of this vulnerability is CVE-2022-50322. The attack needs to be done within the

CVE (@CVEnew), 2025-09-15
CVE-2022-50322 In the Linux kernel, the following vulnerability has been resolved: rtc: msc313: Fix function prototype mismatch in msc313_rtc_probe() With clang's kernel control f… https://t.co/1vcAwEhpdv

Configuration 1
Type: OS
Vendor: Linux
Product: linux_kernel

References (Reference: Link)
  • 416BAAA9-DC9F-4396-8D5F-8C081FB06D67: https://git.kernel.org/stable/c/21b8a1dd56a163825e5749b303858fb902ebf198
  • 416BAAA9-DC9F-4396-8D5F-8C081FB06D67: https://git.kernel.org/stable/c/5affaaf3334c9274131dae889ed79ea0553d61b4
  • 416BAAA9-DC9F-4396-8D5F-8C081FB06D67: https://git.kernel.org/stable/c/ba50fee6b41bcbafaeed3c51f90d37d1480ff9a0

No CWE details found for this CVE
