ghsa-3r64-gppm-622w
Vulnerability from github
Published
2025-10-22 18:30
Modified
2025-10-22 18:30
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

iommu/mediatek: Fix NULL pointer dereference when printing dev_name

When larbdev is NULL (in the case I hit, the node is incorrectly set iommus = <&iommu NUM>), it will cause device_link_add() fail and kernel crashes when we try to print dev_name(larbdev).

Let's fail the probe if a larbdev is NULL to avoid invalid inputs from dts.

It should work for normal correct setting and avoid the crash caused by my incorrect setting.

Error log: [ 18.189042][ T301] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050 ... [ 18.344519][ T301] pstate: a0400005 (NzCv daif +PAN -UAO) [ 18.345213][ T301] pc : mtk_iommu_probe_device+0xf8/0x118 [mtk_iommu] [ 18.346050][ T301] lr : mtk_iommu_probe_device+0xd0/0x118 [mtk_iommu] [ 18.346884][ T301] sp : ffffffc00a5635e0 [ 18.347392][ T301] x29: ffffffc00a5635e0 x28: ffffffd44a46c1d8 [ 18.348156][ T301] x27: ffffff80c39a8000 x26: ffffffd44a80cc38 [ 18.348917][ T301] x25: 0000000000000000 x24: ffffffd44a80cc38 [ 18.349677][ T301] x23: ffffffd44e4da4c6 x22: ffffffd44a80cc38 [ 18.350438][ T301] x21: ffffff80cecd1880 x20: 0000000000000000 [ 18.351198][ T301] x19: ffffff80c439f010 x18: ffffffc00a50d0c0 [ 18.351959][ T301] x17: ffffffffffffffff x16: 0000000000000004 [ 18.352719][ T301] x15: 0000000000000004 x14: ffffffd44eb5d420 [ 18.353480][ T301] x13: 0000000000000ad2 x12: 0000000000000003 [ 18.354241][ T301] x11: 00000000fffffad2 x10: c0000000fffffad2 [ 18.355003][ T301] x9 : a0d288d8d7142d00 x8 : a0d288d8d7142d00 [ 18.355763][ T301] x7 : ffffffd44c2bc640 x6 : 0000000000000000 [ 18.356524][ T301] x5 : 0000000000000080 x4 : 0000000000000001 [ 18.357284][ T301] x3 : 0000000000000000 x2 : 0000000000000005 [ 18.358045][ T301] x1 : 0000000000000000 x0 : 0000000000000000 [ 18.360208][ T301] Hardware name: MT6873 (DT) [ 18.360771][ T301] Call trace: [ 18.361168][ T301] dump_backtrace+0xf8/0x1f0 [ 18.361737][ T301] dump_stack_lvl+0xa8/0x11c [ 18.362305][ T301] dump_stack+0x1c/0x2c [ 18.362816][ T301] mrdump_common_die+0x184/0x40c [mrdump] [ 18.363575][ T301] ipanic_die+0x24/0x38 [mrdump] [ 18.364230][ T301] atomic_notifier_call_chain+0x128/0x2b8 [ 18.364937][ T301] die+0x16c/0x568 [ 18.365394][ T301] __do_kernel_fault+0x1e8/0x214 [ 18.365402][ T301] do_page_fault+0xb8/0x678 [ 18.366934][ T301] do_translation_fault+0x48/0x64 [ 18.368645][ T301] do_mem_abort+0x68/0x148 [ 18.368652][ T301] el1_abort+0x40/0x64 [ 18.368660][ T301] el1h_64_sync_handler+0x54/0x88 [ 18.368668][ T301] el1h_64_sync+0x68/0x6c [ 18.368673][ T301] mtk_iommu_probe_device+0xf8/0x118 [mtk_iommu] ...

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-49424"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:18Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/mediatek: Fix NULL pointer dereference when printing dev_name\n\nWhen larbdev is NULL (in the case I hit, the node is incorrectly set\niommus = \u003c\u0026iommu NUM\u003e), it will cause device_link_add() fail and\nkernel crashes when we try to print dev_name(larbdev).\n\nLet\u0027s fail the probe if a larbdev is NULL to avoid invalid inputs from\ndts.\n\nIt should work for normal correct setting and avoid the crash caused\nby my incorrect setting.\n\nError log:\n[   18.189042][  T301] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050\n...\n[   18.344519][  T301] pstate: a0400005 (NzCv daif +PAN -UAO)\n[   18.345213][  T301] pc : mtk_iommu_probe_device+0xf8/0x118 [mtk_iommu]\n[   18.346050][  T301] lr : mtk_iommu_probe_device+0xd0/0x118 [mtk_iommu]\n[   18.346884][  T301] sp : ffffffc00a5635e0\n[   18.347392][  T301] x29: ffffffc00a5635e0 x28: ffffffd44a46c1d8\n[   18.348156][  T301] x27: ffffff80c39a8000 x26: ffffffd44a80cc38\n[   18.348917][  T301] x25: 0000000000000000 x24: ffffffd44a80cc38\n[   18.349677][  T301] x23: ffffffd44e4da4c6 x22: ffffffd44a80cc38\n[   18.350438][  T301] x21: ffffff80cecd1880 x20: 0000000000000000\n[   18.351198][  T301] x19: ffffff80c439f010 x18: ffffffc00a50d0c0\n[   18.351959][  T301] x17: ffffffffffffffff x16: 0000000000000004\n[   18.352719][  T301] x15: 0000000000000004 x14: ffffffd44eb5d420\n[   18.353480][  T301] x13: 0000000000000ad2 x12: 0000000000000003\n[   18.354241][  T301] x11: 00000000fffffad2 x10: c0000000fffffad2\n[   18.355003][  T301] x9 : a0d288d8d7142d00 x8 : a0d288d8d7142d00\n[   18.355763][  T301] x7 : ffffffd44c2bc640 x6 : 0000000000000000\n[   18.356524][  T301] x5 : 0000000000000080 x4 : 0000000000000001\n[   18.357284][  T301] x3 : 0000000000000000 x2 : 0000000000000005\n[   18.358045][  T301] x1 : 0000000000000000 x0 : 0000000000000000\n[   18.360208][  T301] Hardware name: MT6873 (DT)\n[   18.360771][  T301] Call trace:\n[   18.361168][  T301]  dump_backtrace+0xf8/0x1f0\n[   18.361737][  T301]  dump_stack_lvl+0xa8/0x11c\n[   18.362305][  T301]  dump_stack+0x1c/0x2c\n[   18.362816][  T301]  mrdump_common_die+0x184/0x40c [mrdump]\n[   18.363575][  T301]  ipanic_die+0x24/0x38 [mrdump]\n[   18.364230][  T301]  atomic_notifier_call_chain+0x128/0x2b8\n[   18.364937][  T301]  die+0x16c/0x568\n[   18.365394][  T301]  __do_kernel_fault+0x1e8/0x214\n[   18.365402][  T301]  do_page_fault+0xb8/0x678\n[   18.366934][  T301]  do_translation_fault+0x48/0x64\n[   18.368645][  T301]  do_mem_abort+0x68/0x148\n[   18.368652][  T301]  el1_abort+0x40/0x64\n[   18.368660][  T301]  el1h_64_sync_handler+0x54/0x88\n[   18.368668][  T301]  el1h_64_sync+0x68/0x6c\n[   18.368673][  T301]  mtk_iommu_probe_device+0xf8/0x118 [mtk_iommu]\n...",
  "id": "GHSA-3r64-gppm-622w",
  "modified": "2025-10-22T18:30:30Z",
  "published": "2025-10-22T18:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49424"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8837c2682b9b2eed83e6212bcf79850c593a6fee"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c3c2734e28d7fac50228c4d2b8896e8695adf304"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/de78657e16f41417da9332f09c2d67d100096939"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e9c63c0f73a1bbfd02624f5eae7e881df8b6830f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.