CVE-2022-48895

{"id": "CVE-2022-48895", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-08-21T07:15:05.580", "references": [{"url": "https://git.kernel.org/stable/c/a1b9c7b1978aacf4b2f33e34bde1e2bb80b8497a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ce31e6ca68bd7639bd3e5ef97be215031842bbab", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/arm-smmu: Don't unregister on shutdown\n\nMichael Walle says he noticed the following stack trace while performing\na shutdown with \"reboot -f\". He suggests he got \"lucky\" and just hit the\ncorrect spot for the reboot while there was a packet transmission in\nflight.\n\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000098\nCPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.1.0-rc5-00088-gf3600ff8e322 #1930\nHardware name: Kontron KBox A-230-LS (DT)\npc : iommu_get_dma_domain+0x14/0x20\nlr : iommu_dma_map_page+0x9c/0x254\nCall trace:\n iommu_get_dma_domain+0x14/0x20\n dma_map_page_attrs+0x1ec/0x250\n enetc_start_xmit+0x14c/0x10b0\n enetc_xmit+0x60/0xdc\n dev_hard_start_xmit+0xb8/0x210\n sch_direct_xmit+0x11c/0x420\n __dev_queue_xmit+0x354/0xb20\n ip6_finish_output2+0x280/0x5b0\n __ip6_finish_output+0x15c/0x270\n ip6_output+0x78/0x15c\n NF_HOOK.constprop.0+0x50/0xd0\n mld_sendpack+0x1bc/0x320\n mld_ifc_work+0x1d8/0x4dc\n process_one_work+0x1e8/0x460\n worker_thread+0x178/0x534\n kthread+0xe0/0xe4\n ret_from_fork+0x10/0x20\nCode: d503201f f9416800 d503233f d50323bf (f9404c00)\n---[ end trace 0000000000000000 ]---\nKernel panic - not syncing: Oops: Fatal exception in interrupt\n\nThis appears to be reproducible when the board has a fixed IP address,\nis ping flooded from another host, and \"reboot -f\" is used.\n\nThe following is one more manifestation of the issue:\n\n$ reboot -f\nkvm: exiting hardware virtualization\ncfg80211: failed to load regulatory.db\narm-smmu 5000000.iommu: disabling translation\nsdhci-esdhc 2140000.mmc: Removing from iommu group 11\nsdhci-esdhc 2150000.mmc: Removing from iommu group 12\nfsl-edma 22c0000.dma-controller: Removing from iommu group 17\ndwc3 3100000.usb: Removing from iommu group 9\ndwc3 3110000.usb: Removing from iommu group 10\nahci-qoriq 3200000.sata: Removing from iommu group 2\nfsl-qdma 8380000.dma-controller: Removing from iommu group 20\nplatform f080000.display: Removing from iommu group 0\netnaviv-gpu f0c0000.gpu: Removing from iommu group 1\netnaviv etnaviv: Removing from iommu group 1\ncaam_jr 8010000.jr: Removing from iommu group 13\ncaam_jr 8020000.jr: Removing from iommu group 14\ncaam_jr 8030000.jr: Removing from iommu group 15\ncaam_jr 8040000.jr: Removing from iommu group 16\nfsl_enetc 0000:00:00.0: Removing from iommu group 4\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \"arm-smmu.disable_bypass=0\" to allow, but this may have security implications\narm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000\nfsl_enetc 0000:00:00.1: Removing from iommu group 5\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \"arm-smmu.disable_bypass=0\" to allow, but this may have security implications\narm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \"arm-smmu.disable_bypass=0\" to allow, but this may have security implications\narm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000\nfsl_enetc 0000:00:00.2: Removing from iommu group 6\nfsl_enetc_mdio 0000:00:00.3: Removing from iommu group 8\nmscc_felix 0000:00:00.5: Removing from iommu group 3\nfsl_enetc 0000:00:00.6: Removing from iommu group 7\npcieport 0001:00:00.0: Removing from iommu group 18\narm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with \"arm-smmu.disable_bypass=0\" to allow, but this may have security implications\narm-smmu 5000000.iommu: GFSR 0x00000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000\npcieport 0002:00:00.0: Removing from iommu group 19\nUnable to handle kernel NULL pointer dereference at virtual address 00000000000000a8\npc : iommu_get_dma_domain+0x14/0x20\nlr : iommu_dma_unmap_page+0x38/0xe0\nCall trace:\n iommu_get_dma_domain+0x14/0x20\n dma_unmap_page_attrs+0x38/0x1d0\n en\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: iommu/arm-smmu: no cancelar el registro al apagar Michael Walle dice que not\u00f3 el siguiente seguimiento de pila mientras realizaba un apagado con \"reboot -f\". Sugiere que tuvo \"suerte\" y dio en el lugar correcto para el reinicio mientras hab\u00eda una transmisi\u00f3n de paquetes en vuelo. No se puede manejar la desreferencia del puntero NULL del kernel en la direcci\u00f3n virtual 0000000000000098 CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.1.0-rc5-00088-gf3600ff8e322 #1930 Nombre de hardware: Kontron KBox A-230-LS (DT) pc: iommu_get_dma_domain+0x14/0x20 lr: iommu_dma_map_page+0x9c/0x254 Rastreo de llamadas: iommu_get_dma_domain+0x14/0x20 dma_map_page_attrs+0x1ec/0x250 enetc_start_xmit+0x14c/0x10b0 enetc_xmit+0x 60/0xdc dev_hard_start_xmit+0xb8/0x210 sch_direct_xmit+0x11c/0x420 __dev_queue_xmit+0x354 /0xb20 ip6_finish_output2+0x280/0x5b0 __ip6_finish_output+0x15c/0x270 ip6_output+0x78/0x15c NF_HOOK.constprop.0+0x50/0xd0 mld_sendpack+0x1bc/0x320 mld_ifc_work+0x1d8/0x4d c proceso_one_work+0x1e8/0x460 trabajador_thread+0x178/0x534 kthread+0xe0/ 0xe4 ret_from_fork+0x10/0x20 C\u00f3digo: d503201f f9416800 d503233f d50323bf (f9404c00) ---[ end trace 00000000000000000 ]--- P\u00e1nico del kernel - no se sincroniza: Ups: excepci\u00f3n fatal en la interrupci\u00f3n Esto parece ser reproducible cuando la placa tiene una IP direcci\u00f3n, se inunda el ping desde otro host y se utiliza \"reboot -f\". La siguiente es una manifestaci\u00f3n m\u00e1s del problema: $ reboot -f kvm: saliendo de la virtualizaci\u00f3n de hardware cfg80211: no se pudo cargar regulator.db arm-smmu 5000000.iommu: deshabilitando la traducci\u00f3n sdhci-esdhc 2140000.mmc: eliminando del grupo iommu 11 sdhci- esdhc 2150000.mmc: Eliminaci\u00f3n del grupo iommu 12 fsl-edma 22c0000.dma-controller: Eliminaci\u00f3n del grupo iommu 17 dwc3 3100000.usb: Eliminaci\u00f3n del grupo iommu 9 dwc3 3110000.usb: Eliminaci\u00f3n del grupo iommu 10 ahci-qoriq 3200000.sata : Eliminaci\u00f3n de iommu grupo 2 fsl-qdma 8380000.dma-controller: Eliminaci\u00f3n de iommu grupo 20 plataforma f080000.display: Eliminaci\u00f3n de iommu grupo 0 etnaviv-gpu f0c0000.gpu: Eliminaci\u00f3n de iommu grupo 1 etnaviv etnaviv: Eliminaci\u00f3n de iommu grupo 1 caam_jr 8010000.jr: Eliminando del grupo iommu 13 caam_jr 8020000.jr: Eliminando del grupo iommu 14 caam_jr 8030000.jr: Eliminando del grupo iommu 15 caam_jr 8040000.jr: Eliminando del grupo iommu 16 fsl_enetc 0000:00:00.0: Eliminando de iommu grupo 4 arm-smmu 5000000.iommu: ID de transmisi\u00f3n desconocida bloqueada 0x429; arranque con \"arm-smmu.disable_bypass=0\" para permitir, pero esto puede tener implicaciones de seguridad arm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000 fsl_enetc 0000:00 :00.1: Eliminaci\u00f3n del grupo 5 de Iommu arm-smmu 5000000.iommu: ID de transmisi\u00f3n desconocida bloqueada 0x429; arranque con \"arm-smmu.disable_bypass=0\" para permitir, pero esto puede tener implicaciones de seguridad arm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000 arm-smmu 5000000. iommu: ID de transmisi\u00f3n desconocida bloqueada 0x429 ; arranque con \"arm-smmu.disable_bypass=0\" para permitir, pero esto puede tener implicaciones de seguridad arm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000 fsl_enetc 0000:00 :00.2: Eliminaci\u00f3n del grupo 6 de Iommu fsl_enetc_mdio 0000:00:00.3: Eliminaci\u00f3n del grupo iommu 8 mscc_felix 0000:00:00.5: Eliminaci\u00f3n del grupo iommu 3 fsl_enetc 0000:00:00.6: Eliminaci\u00f3n del grupo iommu 7 pcieport 0001:00:00.0: Eliminaci\u00f3n del grupo iommu 1 8 brazos- smmu 5000000.iommu: ID de transmisi\u00f3n desconocida bloqueada 0x429; arranque con \"arm-smmu.disable_bypass=0\" para permitir, pero esto puede tener implicaciones de seguridad arm-smmu 5000000.iommu: GFSR 0x00000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000 pcieport 0002:00:00 .0: ---truncado---"}], "lastModified": "2024-09-11T16:01:23.487", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "043B7290-EDB8-4ACE-A87A-8FA7D130B565", "versionEndExcluding": "6.1.7", "versionStartIncluding": "6.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FF501633-2F44-4913-A8EE-B021929F49F6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2BDA597B-CAC1-4DF0-86F0-42E142C654E9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "725C78C9-12CE-406F-ABE8-0813A01D66E8"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}