fkie_cve-2022-49424
Vulnerability from fkie_nvd
Published
2025-02-26 07:01
Modified
2025-02-26 07:01
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: Fix NULL pointer dereference when printing dev_name When larbdev is NULL (in the case I hit, the node is incorrectly set iommus = <&iommu NUM>), it will cause device_link_add() fail and kernel crashes when we try to print dev_name(larbdev). Let's fail the probe if a larbdev is NULL to avoid invalid inputs from dts. It should work for normal correct setting and avoid the crash caused by my incorrect setting. Error log: [ 18.189042][ T301] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050 ... [ 18.344519][ T301] pstate: a0400005 (NzCv daif +PAN -UAO) [ 18.345213][ T301] pc : mtk_iommu_probe_device+0xf8/0x118 [mtk_iommu] [ 18.346050][ T301] lr : mtk_iommu_probe_device+0xd0/0x118 [mtk_iommu] [ 18.346884][ T301] sp : ffffffc00a5635e0 [ 18.347392][ T301] x29: ffffffc00a5635e0 x28: ffffffd44a46c1d8 [ 18.348156][ T301] x27: ffffff80c39a8000 x26: ffffffd44a80cc38 [ 18.348917][ T301] x25: 0000000000000000 x24: ffffffd44a80cc38 [ 18.349677][ T301] x23: ffffffd44e4da4c6 x22: ffffffd44a80cc38 [ 18.350438][ T301] x21: ffffff80cecd1880 x20: 0000000000000000 [ 18.351198][ T301] x19: ffffff80c439f010 x18: ffffffc00a50d0c0 [ 18.351959][ T301] x17: ffffffffffffffff x16: 0000000000000004 [ 18.352719][ T301] x15: 0000000000000004 x14: ffffffd44eb5d420 [ 18.353480][ T301] x13: 0000000000000ad2 x12: 0000000000000003 [ 18.354241][ T301] x11: 00000000fffffad2 x10: c0000000fffffad2 [ 18.355003][ T301] x9 : a0d288d8d7142d00 x8 : a0d288d8d7142d00 [ 18.355763][ T301] x7 : ffffffd44c2bc640 x6 : 0000000000000000 [ 18.356524][ T301] x5 : 0000000000000080 x4 : 0000000000000001 [ 18.357284][ T301] x3 : 0000000000000000 x2 : 0000000000000005 [ 18.358045][ T301] x1 : 0000000000000000 x0 : 0000000000000000 [ 18.360208][ T301] Hardware name: MT6873 (DT) [ 18.360771][ T301] Call trace: [ 18.361168][ T301] dump_backtrace+0xf8/0x1f0 [ 18.361737][ T301] dump_stack_lvl+0xa8/0x11c [ 18.362305][ T301] dump_stack+0x1c/0x2c [ 18.362816][ T301] mrdump_common_die+0x184/0x40c [mrdump] [ 18.363575][ T301] ipanic_die+0x24/0x38 [mrdump] [ 18.364230][ T301] atomic_notifier_call_chain+0x128/0x2b8 [ 18.364937][ T301] die+0x16c/0x568 [ 18.365394][ T301] __do_kernel_fault+0x1e8/0x214 [ 18.365402][ T301] do_page_fault+0xb8/0x678 [ 18.366934][ T301] do_translation_fault+0x48/0x64 [ 18.368645][ T301] do_mem_abort+0x68/0x148 [ 18.368652][ T301] el1_abort+0x40/0x64 [ 18.368660][ T301] el1h_64_sync_handler+0x54/0x88 [ 18.368668][ T301] el1h_64_sync+0x68/0x6c [ 18.368673][ T301] mtk_iommu_probe_device+0xf8/0x118 [mtk_iommu] ...
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/8837c2682b9b2eed83e6212bcf79850c593a6fee
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/c3c2734e28d7fac50228c4d2b8896e8695adf304
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/de78657e16f41417da9332f09c2d67d100096939
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e9c63c0f73a1bbfd02624f5eae7e881df8b6830f
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/mediatek: Fix NULL pointer dereference when printing dev_name\n\nWhen larbdev is NULL (in the case I hit, the node is incorrectly set\niommus = \u003c\u0026iommu NUM\u003e), it will cause device_link_add() fail and\nkernel crashes when we try to print dev_name(larbdev).\n\nLet\u0027s fail the probe if a larbdev is NULL to avoid invalid inputs from\ndts.\n\nIt should work for normal correct setting and avoid the crash caused\nby my incorrect setting.\n\nError log:\n[   18.189042][  T301] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050\n...\n[   18.344519][  T301] pstate: a0400005 (NzCv daif +PAN -UAO)\n[   18.345213][  T301] pc : mtk_iommu_probe_device+0xf8/0x118 [mtk_iommu]\n[   18.346050][  T301] lr : mtk_iommu_probe_device+0xd0/0x118 [mtk_iommu]\n[   18.346884][  T301] sp : ffffffc00a5635e0\n[   18.347392][  T301] x29: ffffffc00a5635e0 x28: ffffffd44a46c1d8\n[   18.348156][  T301] x27: ffffff80c39a8000 x26: ffffffd44a80cc38\n[   18.348917][  T301] x25: 0000000000000000 x24: ffffffd44a80cc38\n[   18.349677][  T301] x23: ffffffd44e4da4c6 x22: ffffffd44a80cc38\n[   18.350438][  T301] x21: ffffff80cecd1880 x20: 0000000000000000\n[   18.351198][  T301] x19: ffffff80c439f010 x18: ffffffc00a50d0c0\n[   18.351959][  T301] x17: ffffffffffffffff x16: 0000000000000004\n[   18.352719][  T301] x15: 0000000000000004 x14: ffffffd44eb5d420\n[   18.353480][  T301] x13: 0000000000000ad2 x12: 0000000000000003\n[   18.354241][  T301] x11: 00000000fffffad2 x10: c0000000fffffad2\n[   18.355003][  T301] x9 : a0d288d8d7142d00 x8 : a0d288d8d7142d00\n[   18.355763][  T301] x7 : ffffffd44c2bc640 x6 : 0000000000000000\n[   18.356524][  T301] x5 : 0000000000000080 x4 : 0000000000000001\n[   18.357284][  T301] x3 : 0000000000000000 x2 : 0000000000000005\n[   18.358045][  T301] x1 : 0000000000000000 x0 : 0000000000000000\n[   18.360208][  T301] Hardware name: MT6873 (DT)\n[   18.360771][  T301] Call trace:\n[   18.361168][  T301]  dump_backtrace+0xf8/0x1f0\n[   18.361737][  T301]  dump_stack_lvl+0xa8/0x11c\n[   18.362305][  T301]  dump_stack+0x1c/0x2c\n[   18.362816][  T301]  mrdump_common_die+0x184/0x40c [mrdump]\n[   18.363575][  T301]  ipanic_die+0x24/0x38 [mrdump]\n[   18.364230][  T301]  atomic_notifier_call_chain+0x128/0x2b8\n[   18.364937][  T301]  die+0x16c/0x568\n[   18.365394][  T301]  __do_kernel_fault+0x1e8/0x214\n[   18.365402][  T301]  do_page_fault+0xb8/0x678\n[   18.366934][  T301]  do_translation_fault+0x48/0x64\n[   18.368645][  T301]  do_mem_abort+0x68/0x148\n[   18.368652][  T301]  el1_abort+0x40/0x64\n[   18.368660][  T301]  el1h_64_sync_handler+0x54/0x88\n[   18.368668][  T301]  el1h_64_sync+0x68/0x6c\n[   18.368673][  T301]  mtk_iommu_probe_device+0xf8/0x118 [mtk_iommu]\n..."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: iommu/mediatek: Arreglar la desreferencia del puntero NULL al imprimir dev_name Cuando larbdev es NULL (en el caso que encontr\u00e9, el nodo est\u00e1 configurado incorrectamente iommus = \u0026lt;\u0026amp;iommu NUM\u0026gt;), provocar\u00e1 un error en device_link_add() y el kernel se bloquea cuando intentamos imprimir dev_name(larbdev). Hagamos que falle la sonda si un larbdev es NULL para evitar entradas no v\u00e1lidas de dts. Deber\u00eda funcionar para una configuraci\u00f3n correcta normal y evitar el bloqueo causado por mi configuraci\u00f3n incorrecta. Registro de errores: [18.189042][T301] No se puede manejar la desreferencia del puntero NULL del kernel en la direcci\u00f3n virtual 0000000000000050 ... [ 18.344519][ T301] pstate: a0400005 (NzCv daif +PAN -UAO) [ 18.345213][ T301] pc : mtk_iommu_probe_device+0xf8/0x118 [mtk_iommu] [ 18.346050][ T301] lr : mtk_iommu_probe_device+0xd0/0x118 [mtk_iommu] [ 18.346884][ T301] sp : ffffffc00a5635e0 [ 18.347392][ T301] x29: ffffffc00a5635e0 x28: ffffffd44a46c1d8 [ 18.348156][ T301] x27: ffffff80c39a8000 x26: ffffffd44a80cc38 [ 18.348917][ T301] x25: 0000000000000000 x24: ffffffd44a80cc38 [ 18.349677][ T301] x23: ffffffd44e4da4c6 x22: ffffffd44a80cc38 [ 18.350438][ T301] x21: ffffff80cecd1880 x20: 0000000000000000 [ 18.351198][ T301] x19: ffffff80c439f010 x18: ffffffc00a50d0c0 [ 18.351959][ T301] x17: ffffffffffffffff x16: 0000000000000004 [ 18.352719][ T301] x15: 0000000000000004 x14: ffffffd44eb5d420 [ 18.353480][ T301] x13: 0000000000000ad2 x12: 0000000000000003 [ 18.354241][ T301] x11: 00000000fffffad2 x10: c0000000fffffad2 [ 18.355003][ T301] x9 : a0d288d8d7142d00 x8 : a0d288d8d7142d00 [ 18.355763][ T301] x7 : ffffffd44c2bc640 x6 : 0000000000000000 [ 18.356524][ T301] x5 : 0000000000000080 x4 : 0000000000000001 [ 18.357284][ T301] x3 : 0000000000000000 x2 : 0000000000000005 [ 18.358045][ T301] x1 : 0000000000000000 x0 : 0000000000000000 [ 18.360208][ T301] Hardware name: MT6873 (DT) [ 18.360771][ T301] Call trace: [ 18.361168][ T301] dump_backtrace+0xf8/0x1f0 [ 18.361737][ T301] dump_stack_lvl+0xa8/0x11c [ 18.362305][ T301] dump_stack+0x1c/0x2c [ 18.362816][ T301] mrdump_common_die+0x184/0x40c [mrdump] [ 18.363575][ T301] ipanic_die+0x24/0x38 [mrdump] [ 18.364230][ T301] atomic_notifier_call_chain+0x128/0x2b8 [ 18.364937][ T301] die+0x16c/0x568 [ 18.365394][ T301] __do_kernel_fault+0x1e8/0x214 [ 18.365402][ T301] do_page_fault+0xb8/0x678 [ 18.366934][ T301] do_translation_fault+0x48/0x64 [ 18.368645][ T301] do_mem_abort+0x68/0x148 [ 18.368652][ T301] el1_abort+0x40/0x64 [ 18.368660][ T301] el1h_64_sync_handler+0x54/0x88 [ 18.368668][ T301] el1h_64_sync+0x68/0x6c [ 18.368673][ T301] mtk_iommu_probe_device+0xf8/0x118 [mtk_iommu] ... "
    }
  ],
  "id": "CVE-2022-49424",
  "lastModified": "2025-02-26T07:01:18.880",
  "metrics": {},
  "published": "2025-02-26T07:01:18.880",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/8837c2682b9b2eed83e6212bcf79850c593a6fee"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/c3c2734e28d7fac50228c4d2b8896e8695adf304"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/de78657e16f41417da9332f09c2d67d100096939"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/e9c63c0f73a1bbfd02624f5eae7e881df8b6830f"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.