ghsa-5xfg-8mp6-pr5f
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
cxl/region: Fix null pointer dereference for resetting decoder
Not all decoders have a reset callback.
The CXL specification allows a host bridge with a single root port to have no explicit HDM decoders. Currently the region driver assumes there are none. As such the CXL core creates a special pass through decoder instance without a commit/reset callback.
Prior to this patch, the ->reset() callback was called unconditionally when calling cxl_region_decode_reset. Thus a configuration with 1 Host Bridge, 1 Root Port, and one directly attached CXL type 3 device or multiple CXL type 3 devices attached to downstream ports of a switch can cause a null pointer dereference.
Before the fix, a kernel crash was observed when we destroy the region, and a pass through decoder is reset.
The issue can be reproduced as below, 1) create a region with a CXL setup which includes a HB with a single root port under which a memdev is attached directly. 2) destroy the region with cxl destroy-region regionX -f.
{
"affected": [],
"aliases": [
"CVE-2022-48707"
],
"database_specific": {
"cwe_ids": [
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T16:15:12Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/region: Fix null pointer dereference for resetting decoder\n\nNot all decoders have a reset callback.\n\nThe CXL specification allows a host bridge with a single root port to\nhave no explicit HDM decoders. Currently the region driver assumes there\nare none. As such the CXL core creates a special pass through decoder\ninstance without a commit/reset callback.\n\nPrior to this patch, the -\u003ereset() callback was called unconditionally when\ncalling cxl_region_decode_reset. Thus a configuration with 1 Host Bridge,\n1 Root Port, and one directly attached CXL type 3 device or multiple CXL\ntype 3 devices attached to downstream ports of a switch can cause a null\npointer dereference.\n\nBefore the fix, a kernel crash was observed when we destroy the region, and\na pass through decoder is reset.\n\nThe issue can be reproduced as below,\n 1) create a region with a CXL setup which includes a HB with a\n single root port under which a memdev is attached directly.\n 2) destroy the region with cxl destroy-region regionX -f.",
"id": "GHSA-5xfg-8mp6-pr5f",
"modified": "2024-12-31T21:30:44Z",
"published": "2024-05-21T18:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48707"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4fa4302d6dc7de7e8e74dc7405611a2efb4bf54b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a04c7d062b537ff787d00da95bdfe343260d4beb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.