cve/published/2022/CVE-2022-48953.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48953: rtc: cmos: Fix event handler registration ordering issue

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 rtc: cmos: Fix event handler registration ordering issue

 Because acpi_install_fixed_event_handler() enables the event
 automatically on success, it is incorrect to call it before the
 handler routine passed to it is ready to handle events.

 Unfortunately, the rtc-cmos driver does exactly the incorrect thing
 by calling cmos_wake_setup(), which passes rtc_handler() to
 acpi_install_fixed_event_handler(), before cmos_do_probe(), because
 rtc_handler() uses dev_get_drvdata() to get to the cmos object
 pointer and the driver data pointer is only populated in
 cmos_do_probe().

 This leads to a NULL pointer dereference in rtc_handler() on boot
 if the RTC fixed event happens to be active at the init time.

 To address this issue, change the initialization ordering of the
 driver so that cmos_wake_setup() is always called after a successful
 cmos_do_probe() call.

 While at it, change cmos_pnp_probe() to call cmos_do_probe() after
 the initial if () statement used for computing the IRQ argument to
 be passed to cmos_do_probe() which is cleaner than calling it in
 each branch of that if () (local variable "irq" can be of type int,
 because it is passed to that function as an argument of type int).

 Note that commit 6492fed7d8c9 ("rtc: rtc-cmos: Do not check
 ACPI_FADT_LOW_POWER_S0") caused this issue to affect a larger number
 of systems, because previously it only affected systems with
 ACPI_FADT_LOW_POWER_S0 set, but it is present regardless of that
 commit.

 The Linux kernel CVE team has assigned CVE-2022-48953 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.28 with commit a474aaedac99ba86e28ef6c912a7647c482db6dd and fixed in 5.10.163 with commit 0bcfccb48696aba475f046c2021f0733659ce0ef
 	Issue introduced in 2.6.28 with commit a474aaedac99ba86e28ef6c912a7647c482db6dd and fixed in 5.15.86 with commit 60c6e563a843032cf6ff84b2fb732cd8754fc10d
 	Issue introduced in 2.6.28 with commit a474aaedac99ba86e28ef6c912a7647c482db6dd and fixed in 6.0.14 with commit 1ba745fce13d19775100eece30b0bfb8b8b10ea6
 	Issue introduced in 2.6.28 with commit a474aaedac99ba86e28ef6c912a7647c482db6dd and fixed in 6.1 with commit 4919d3eb2ec0ee364f7e3cf2d99646c1b224fae8

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48953
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/rtc/rtc-cmos.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/0bcfccb48696aba475f046c2021f0733659ce0ef
 	https://git.kernel.org/stable/c/60c6e563a843032cf6ff84b2fb732cd8754fc10d
 	https://git.kernel.org/stable/c/1ba745fce13d19775100eece30b0bfb8b8b10ea6
 	https://git.kernel.org/stable/c/4919d3eb2ec0ee364f7e3cf2d99646c1b224fae8
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48953: rtc: cmos: Fix event handler registration ordering issue

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	rtc: cmos: Fix event handler registration ordering issue

	Because acpi_install_fixed_event_handler() enables the event
	automatically on success, it is incorrect to call it before the
	handler routine passed to it is ready to handle events.

	Unfortunately, the rtc-cmos driver does exactly the incorrect thing
	by calling cmos_wake_setup(), which passes rtc_handler() to
	acpi_install_fixed_event_handler(), before cmos_do_probe(), because
	rtc_handler() uses dev_get_drvdata() to get to the cmos object
	pointer and the driver data pointer is only populated in
	cmos_do_probe().

	This leads to a NULL pointer dereference in rtc_handler() on boot
	if the RTC fixed event happens to be active at the init time.

	To address this issue, change the initialization ordering of the
	driver so that cmos_wake_setup() is always called after a successful
	cmos_do_probe() call.

	While at it, change cmos_pnp_probe() to call cmos_do_probe() after
	the initial if () statement used for computing the IRQ argument to
	be passed to cmos_do_probe() which is cleaner than calling it in
	each branch of that if () (local variable "irq" can be of type int,
	because it is passed to that function as an argument of type int).

	Note that commit 6492fed7d8c9 ("rtc: rtc-cmos: Do not check
	ACPI_FADT_LOW_POWER_S0") caused this issue to affect a larger number
	of systems, because previously it only affected systems with
	ACPI_FADT_LOW_POWER_S0 set, but it is present regardless of that
	commit.

	The Linux kernel CVE team has assigned CVE-2022-48953 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.28 with commit a474aaedac99ba86e28ef6c912a7647c482db6dd and fixed in 5.10.163 with commit 0bcfccb48696aba475f046c2021f0733659ce0ef
	Issue introduced in 2.6.28 with commit a474aaedac99ba86e28ef6c912a7647c482db6dd and fixed in 5.15.86 with commit 60c6e563a843032cf6ff84b2fb732cd8754fc10d
	Issue introduced in 2.6.28 with commit a474aaedac99ba86e28ef6c912a7647c482db6dd and fixed in 6.0.14 with commit 1ba745fce13d19775100eece30b0bfb8b8b10ea6
	Issue introduced in 2.6.28 with commit a474aaedac99ba86e28ef6c912a7647c482db6dd and fixed in 6.1 with commit 4919d3eb2ec0ee364f7e3cf2d99646c1b224fae8

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48953
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/rtc/rtc-cmos.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/0bcfccb48696aba475f046c2021f0733659ce0ef
	https://git.kernel.org/stable/c/60c6e563a843032cf6ff84b2fb732cd8754fc10d
	https://git.kernel.org/stable/c/1ba745fce13d19775100eece30b0bfb8b8b10ea6
	https://git.kernel.org/stable/c/4919d3eb2ec0ee364f7e3cf2d99646c1b224fae8