CVE-2022-49021

In the Linux kernel, the following vulnerability has been resolved: net: phy: fix null-ptr-deref while probe() failed I got a null-ptr-deref report as following when doing fault injection test: BUG: kernel NULL pointer dereference, address: 0000000000000058 Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 PID: 253 Comm: 507-spi-dm9051 Tainted: G B N 6.1.0-rc3+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:klist_put+0x2d/0xd0 Call Trace: <TASK> klist_remove+0xf1/0x1c0 device_release_driver_internal+0x23e/0x2d0 bus_remove_device+0x1bd/0x240 device_del+0x357/0x770 phy_device_remove+0x11/0x30 mdiobus_unregister+0xa5/0x140 release_nodes+0x6a/0xa0 devres_release_all+0xf8/0x150 device_unbind_cleanup+0x19/0xd0 //probe path: phy_device_register() device_add() phy_connect phy_attach_direct() //set device driver probe() //it's failed, driver is not bound device_bind_driver() // probe failed, it's not called //remove path: phy_device_remove() device_del() device_release_driver_internal() __device_release_driver() //dev->drv is not NULL klist_remove() <- knode_driver is not added yet, cause null-ptr-deref In phy_attach_direct(), after setting the 'dev->driver', probe() fails, device_bind_driver() is not called, so the knode_driver->n_klist is not set, then it causes null-ptr-deref in __device_release_driver() while deleting device. Fix this by setting dev->driver to NULL in the error path in phy_attach_direct().
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc7:*:*:*:*:*:*

History

24 Oct 2024, 18:44

Type Values Removed Values Added
CWE CWE-476
CPE cpe:2.3:o:linux:linux_kernel:6.1:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.5
First Time Linux linux Kernel
Linux
References () https://git.kernel.org/stable/c/0744c7be4de564db03e24527b2e096b7e0e20972 - () https://git.kernel.org/stable/c/0744c7be4de564db03e24527b2e096b7e0e20972 - Patch
References () https://git.kernel.org/stable/c/369eb2c9f1f72adbe91e0ea8efb130f0a2ba11a6 - () https://git.kernel.org/stable/c/369eb2c9f1f72adbe91e0ea8efb130f0a2ba11a6 - Patch
References () https://git.kernel.org/stable/c/3e21f85d87c836462bb52ef2078ea561260935c1 - () https://git.kernel.org/stable/c/3e21f85d87c836462bb52ef2078ea561260935c1 - Patch
References () https://git.kernel.org/stable/c/51d7f6b20fae8bae64ad1136f1e30d1fd5ba78f7 - () https://git.kernel.org/stable/c/51d7f6b20fae8bae64ad1136f1e30d1fd5ba78f7 - Patch
References () https://git.kernel.org/stable/c/7730904f50c7187dd16c76949efb56b5fb55cd57 - () https://git.kernel.org/stable/c/7730904f50c7187dd16c76949efb56b5fb55cd57 - Patch
References () https://git.kernel.org/stable/c/8aaafe0f71314f46a066382a047ba8bb3840d273 - () https://git.kernel.org/stable/c/8aaafe0f71314f46a066382a047ba8bb3840d273 - Patch
References () https://git.kernel.org/stable/c/eaa5722549ac2604ffa56c2e946acc83226f130c - () https://git.kernel.org/stable/c/eaa5722549ac2604ffa56c2e946acc83226f130c - Patch
References () https://git.kernel.org/stable/c/fe6bc99c27c21348f548966118867ed26a9a372c - () https://git.kernel.org/stable/c/fe6bc99c27c21348f548966118867ed26a9a372c - Patch

23 Oct 2024, 15:12

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: phy: fix null-ptr-deref while probe() failed Obtuve un informe null-ptr-deref como el siguiente al realizar la prueba de inyección de fallos: ERROR: desreferencia de puntero NULL del kernel, dirección: 0000000000000058 Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 PID: 253 Comm: 507-spi-dm9051 Tainted: GBN 6.1.0-rc3+ Nombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:klist_put+0x2d/0xd0 Rastreo de llamadas: klist_remove+0xf1/0x1c0 device_release_driver_internal+0x23e/0x2d0 bus_remove_device+0x1bd/0x240 device_del+0x357/0x770 phy_device_remove+0x11/0x30 mdiobus_unregister+0xa5/0x140 release_nodes+0x6a/0xa0 devres_release_all+0xf8/0x150 device_unbind_cleanup+0x19/0xd0 //ruta de la sonda: phy_device_register() device_add() phy_connect phy_attach_direct() //establecer el controlador del dispositivo probe() //ha fallodo, el controlador no está vinculado device_bind_driver() //la sonda ha fallodo, no se llama //ruta de eliminación: phy_device_remove() device_del() device_release_driver_internal() __device_release_driver() //dev-&gt;drv no es NULL klist_remove() &lt;- knode_driver aún no se agregó, causa null-ptr-deref En phy_attach_direct(), después de configurar 'dev-&gt;driver', probe() fallo, device_bind_driver() no se llama, por lo que knode_driver-&gt;n_klist no está configurado, luego causa null-ptr-deref en __device_release_driver() mientras se elimina el dispositivo. Solucione esto configurando dev-&gt;driver en NULL en la ruta de error en phy_attach_direct().

21 Oct 2024, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-21 20:15

Updated : 2024-10-24 18:44


NVD link : CVE-2022-49021

Mitre link : CVE-2022-49021

CVE.ORG link : CVE-2022-49021


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-476

NULL Pointer Dereference