cve/published/2022/CVE-2022-48972.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48972: mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()

 Kernel fault injection test reports null-ptr-deref as follows:

 BUG: kernel NULL pointer dereference, address: 0000000000000008
 RIP: 0010:cfg802154_netdev_notifier_call+0x120/0x310 include/linux/list.h:114
 Call Trace:
  <TASK>
  raw_notifier_call_chain+0x6d/0xa0 kernel/notifier.c:87
  call_netdevice_notifiers_info+0x6e/0xc0 net/core/dev.c:1944
  unregister_netdevice_many_notify+0x60d/0xcb0 net/core/dev.c:1982
  unregister_netdevice_queue+0x154/0x1a0 net/core/dev.c:10879
  register_netdevice+0x9a8/0xb90 net/core/dev.c:10083
  ieee802154_if_add+0x6ed/0x7e0 net/mac802154/iface.c:659
  ieee802154_register_hw+0x29c/0x330 net/mac802154/main.c:229
  mcr20a_probe+0xaaa/0xcb1 drivers/net/ieee802154/mcr20a.c:1316

 ieee802154_if_add() allocates wpan_dev as netdev's private data, but not
 init the list in struct wpan_dev. cfg802154_netdev_notifier_call() manage
 the list when device register/unregister, and may lead to null-ptr-deref.

 Use INIT_LIST_HEAD() on it to initialize it correctly.

 The Linux kernel CVE team has assigned CVE-2022-48972 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.19 with commit fcf39e6e88e9492f6688ec8ba4e1be622b904232 and fixed in 4.9.336 with commit 7410f4d1221bb182510b7778ab6eefa8b9b7102d
 	Issue introduced in 3.19 with commit fcf39e6e88e9492f6688ec8ba4e1be622b904232 and fixed in 4.14.302 with commit 9980a3ea20de40c83817877106c909cb032692d2
 	Issue introduced in 3.19 with commit fcf39e6e88e9492f6688ec8ba4e1be622b904232 and fixed in 4.19.269 with commit f00c84fb1635c27ba24ec5df65d5bd7d7dc00008
 	Issue introduced in 3.19 with commit fcf39e6e88e9492f6688ec8ba4e1be622b904232 and fixed in 5.4.227 with commit 1831d4540406708e48239cf38fd9c3b7ea98e08f
 	Issue introduced in 3.19 with commit fcf39e6e88e9492f6688ec8ba4e1be622b904232 and fixed in 5.10.159 with commit 42c319635c0cf7eb36eccac6cda76532f47b61a3
 	Issue introduced in 3.19 with commit fcf39e6e88e9492f6688ec8ba4e1be622b904232 and fixed in 5.15.83 with commit a110287ef4a423980309490df632e1c1e73b3dc9
 	Issue introduced in 3.19 with commit fcf39e6e88e9492f6688ec8ba4e1be622b904232 and fixed in 6.0.13 with commit 623918f40fa68e3bb21312a3fafb90f491bf5358
 	Issue introduced in 3.19 with commit fcf39e6e88e9492f6688ec8ba4e1be622b904232 and fixed in 6.1 with commit b3d72d3135d2ef68296c1ee174436efd65386f04

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48972
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/mac802154/iface.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/7410f4d1221bb182510b7778ab6eefa8b9b7102d
 	https://git.kernel.org/stable/c/9980a3ea20de40c83817877106c909cb032692d2
 	https://git.kernel.org/stable/c/f00c84fb1635c27ba24ec5df65d5bd7d7dc00008
 	https://git.kernel.org/stable/c/1831d4540406708e48239cf38fd9c3b7ea98e08f
 	https://git.kernel.org/stable/c/42c319635c0cf7eb36eccac6cda76532f47b61a3
 	https://git.kernel.org/stable/c/a110287ef4a423980309490df632e1c1e73b3dc9
 	https://git.kernel.org/stable/c/623918f40fa68e3bb21312a3fafb90f491bf5358
 	https://git.kernel.org/stable/c/b3d72d3135d2ef68296c1ee174436efd65386f04
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48972: mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()

	Kernel fault injection test reports null-ptr-deref as follows:

	BUG: kernel NULL pointer dereference, address: 0000000000000008
	RIP: 0010:cfg802154_netdev_notifier_call+0x120/0x310 include/linux/list.h:114
	Call Trace:
	<TASK>
	raw_notifier_call_chain+0x6d/0xa0 kernel/notifier.c:87
	call_netdevice_notifiers_info+0x6e/0xc0 net/core/dev.c:1944
	unregister_netdevice_many_notify+0x60d/0xcb0 net/core/dev.c:1982
	unregister_netdevice_queue+0x154/0x1a0 net/core/dev.c:10879
	register_netdevice+0x9a8/0xb90 net/core/dev.c:10083
	ieee802154_if_add+0x6ed/0x7e0 net/mac802154/iface.c:659
	ieee802154_register_hw+0x29c/0x330 net/mac802154/main.c:229
	mcr20a_probe+0xaaa/0xcb1 drivers/net/ieee802154/mcr20a.c:1316

	ieee802154_if_add() allocates wpan_dev as netdev's private data, but not
	init the list in struct wpan_dev. cfg802154_netdev_notifier_call() manage
	the list when device register/unregister, and may lead to null-ptr-deref.

	Use INIT_LIST_HEAD() on it to initialize it correctly.

	The Linux kernel CVE team has assigned CVE-2022-48972 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.19 with commit fcf39e6e88e9492f6688ec8ba4e1be622b904232 and fixed in 4.9.336 with commit 7410f4d1221bb182510b7778ab6eefa8b9b7102d
	Issue introduced in 3.19 with commit fcf39e6e88e9492f6688ec8ba4e1be622b904232 and fixed in 4.14.302 with commit 9980a3ea20de40c83817877106c909cb032692d2
	Issue introduced in 3.19 with commit fcf39e6e88e9492f6688ec8ba4e1be622b904232 and fixed in 4.19.269 with commit f00c84fb1635c27ba24ec5df65d5bd7d7dc00008
	Issue introduced in 3.19 with commit fcf39e6e88e9492f6688ec8ba4e1be622b904232 and fixed in 5.4.227 with commit 1831d4540406708e48239cf38fd9c3b7ea98e08f
	Issue introduced in 3.19 with commit fcf39e6e88e9492f6688ec8ba4e1be622b904232 and fixed in 5.10.159 with commit 42c319635c0cf7eb36eccac6cda76532f47b61a3
	Issue introduced in 3.19 with commit fcf39e6e88e9492f6688ec8ba4e1be622b904232 and fixed in 5.15.83 with commit a110287ef4a423980309490df632e1c1e73b3dc9
	Issue introduced in 3.19 with commit fcf39e6e88e9492f6688ec8ba4e1be622b904232 and fixed in 6.0.13 with commit 623918f40fa68e3bb21312a3fafb90f491bf5358
	Issue introduced in 3.19 with commit fcf39e6e88e9492f6688ec8ba4e1be622b904232 and fixed in 6.1 with commit b3d72d3135d2ef68296c1ee174436efd65386f04

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48972
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/mac802154/iface.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/7410f4d1221bb182510b7778ab6eefa8b9b7102d
	https://git.kernel.org/stable/c/9980a3ea20de40c83817877106c909cb032692d2
	https://git.kernel.org/stable/c/f00c84fb1635c27ba24ec5df65d5bd7d7dc00008
	https://git.kernel.org/stable/c/1831d4540406708e48239cf38fd9c3b7ea98e08f
	https://git.kernel.org/stable/c/42c319635c0cf7eb36eccac6cda76532f47b61a3
	https://git.kernel.org/stable/c/a110287ef4a423980309490df632e1c1e73b3dc9
	https://git.kernel.org/stable/c/623918f40fa68e3bb21312a3fafb90f491bf5358
	https://git.kernel.org/stable/c/b3d72d3135d2ef68296c1ee174436efd65386f04