cve/published/2022/CVE-2022-49010.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49010: hwmon: (coretemp) Check for null before removing sysfs attrs

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 hwmon: (coretemp) Check for null before removing sysfs attrs

 If coretemp_add_core() gets an error then pdata->core_data[indx]
 is already NULL and has been kfreed. Don't pass that to
 sysfs_remove_group() as that will crash in sysfs_remove_group().

 [Shortened for readability]
 [91854.020159] sysfs: cannot create duplicate filename '/devices/platform/coretemp.0/hwmon/hwmon2/temp20_label'
 <cpu offline>
 [91855.126115] BUG: kernel NULL pointer dereference, address: 0000000000000188
 [91855.165103] #PF: supervisor read access in kernel mode
 [91855.194506] #PF: error_code(0x0000) - not-present page
 [91855.224445] PGD 0 P4D 0
 [91855.238508] Oops: 0000 [#1] PREEMPT SMP PTI
 ...
 [91855.342716] RIP: 0010:sysfs_remove_group+0xc/0x80
 ...
 [91855.796571] Call Trace:
 [91855.810524]  coretemp_cpu_offline+0x12b/0x1dd [coretemp]
 [91855.841738]  ? coretemp_cpu_online+0x180/0x180 [coretemp]
 [91855.871107]  cpuhp_invoke_callback+0x105/0x4b0
 [91855.893432]  cpuhp_thread_fun+0x8e/0x150
 ...

 Fix this by checking for NULL first.

 The Linux kernel CVE team has assigned CVE-2022-49010 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.0 with commit 199e0de7f5df31a4fc485d4aaaf8a07718252ace and fixed in 4.9.335 with commit fb503d077ff7b43913503eaf72995d1239028b99
 	Issue introduced in 3.0 with commit 199e0de7f5df31a4fc485d4aaaf8a07718252ace and fixed in 4.14.301 with commit 070d5ea4a0592a37ad96ce7f7b6b024f90bb009f
 	Issue introduced in 3.0 with commit 199e0de7f5df31a4fc485d4aaaf8a07718252ace and fixed in 4.19.268 with commit 280110db1a7d62ad635b103bafc3ae96e8bef75c
 	Issue introduced in 3.0 with commit 199e0de7f5df31a4fc485d4aaaf8a07718252ace and fixed in 5.4.226 with commit 89eecabe6a47403237f45aafd7d24f93cb973653
 	Issue introduced in 3.0 with commit 199e0de7f5df31a4fc485d4aaaf8a07718252ace and fixed in 5.10.158 with commit f06e0cd01eab954bd5f2190c9faa79bb5357e05b
 	Issue introduced in 3.0 with commit 199e0de7f5df31a4fc485d4aaaf8a07718252ace and fixed in 5.15.82 with commit 7692700ac818866d138a8de555130a6e70e6ac16
 	Issue introduced in 3.0 with commit 199e0de7f5df31a4fc485d4aaaf8a07718252ace and fixed in 6.0.12 with commit ae6c8b6e5d5628df1c475c0a8fca1465e205c95b
 	Issue introduced in 3.0 with commit 199e0de7f5df31a4fc485d4aaaf8a07718252ace and fixed in 6.1 with commit a89ff5f5cc64b9fe7a992cf56988fd36f56ca82a

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49010
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/hwmon/coretemp.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/fb503d077ff7b43913503eaf72995d1239028b99
 	https://git.kernel.org/stable/c/070d5ea4a0592a37ad96ce7f7b6b024f90bb009f
 	https://git.kernel.org/stable/c/280110db1a7d62ad635b103bafc3ae96e8bef75c
 	https://git.kernel.org/stable/c/89eecabe6a47403237f45aafd7d24f93cb973653
 	https://git.kernel.org/stable/c/f06e0cd01eab954bd5f2190c9faa79bb5357e05b
 	https://git.kernel.org/stable/c/7692700ac818866d138a8de555130a6e70e6ac16
 	https://git.kernel.org/stable/c/ae6c8b6e5d5628df1c475c0a8fca1465e205c95b
 	https://git.kernel.org/stable/c/a89ff5f5cc64b9fe7a992cf56988fd36f56ca82a
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49010: hwmon: (coretemp) Check for null before removing sysfs attrs

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	hwmon: (coretemp) Check for null before removing sysfs attrs

	If coretemp_add_core() gets an error then pdata->core_data[indx]
	is already NULL and has been kfreed. Don't pass that to
	sysfs_remove_group() as that will crash in sysfs_remove_group().

	[Shortened for readability]
	[91854.020159] sysfs: cannot create duplicate filename '/devices/platform/coretemp.0/hwmon/hwmon2/temp20_label'
	<cpu offline>
	[91855.126115] BUG: kernel NULL pointer dereference, address: 0000000000000188
	[91855.165103] #PF: supervisor read access in kernel mode
	[91855.194506] #PF: error_code(0x0000) - not-present page
	[91855.224445] PGD 0 P4D 0
	[91855.238508] Oops: 0000 [#1] PREEMPT SMP PTI
	...
	[91855.342716] RIP: 0010:sysfs_remove_group+0xc/0x80
	...
	[91855.796571] Call Trace:
	[91855.810524] coretemp_cpu_offline+0x12b/0x1dd [coretemp]
	[91855.841738] ? coretemp_cpu_online+0x180/0x180 [coretemp]
	[91855.871107] cpuhp_invoke_callback+0x105/0x4b0
	[91855.893432] cpuhp_thread_fun+0x8e/0x150
	...

	Fix this by checking for NULL first.

	The Linux kernel CVE team has assigned CVE-2022-49010 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.0 with commit 199e0de7f5df31a4fc485d4aaaf8a07718252ace and fixed in 4.9.335 with commit fb503d077ff7b43913503eaf72995d1239028b99
	Issue introduced in 3.0 with commit 199e0de7f5df31a4fc485d4aaaf8a07718252ace and fixed in 4.14.301 with commit 070d5ea4a0592a37ad96ce7f7b6b024f90bb009f
	Issue introduced in 3.0 with commit 199e0de7f5df31a4fc485d4aaaf8a07718252ace and fixed in 4.19.268 with commit 280110db1a7d62ad635b103bafc3ae96e8bef75c
	Issue introduced in 3.0 with commit 199e0de7f5df31a4fc485d4aaaf8a07718252ace and fixed in 5.4.226 with commit 89eecabe6a47403237f45aafd7d24f93cb973653
	Issue introduced in 3.0 with commit 199e0de7f5df31a4fc485d4aaaf8a07718252ace and fixed in 5.10.158 with commit f06e0cd01eab954bd5f2190c9faa79bb5357e05b
	Issue introduced in 3.0 with commit 199e0de7f5df31a4fc485d4aaaf8a07718252ace and fixed in 5.15.82 with commit 7692700ac818866d138a8de555130a6e70e6ac16
	Issue introduced in 3.0 with commit 199e0de7f5df31a4fc485d4aaaf8a07718252ace and fixed in 6.0.12 with commit ae6c8b6e5d5628df1c475c0a8fca1465e205c95b
	Issue introduced in 3.0 with commit 199e0de7f5df31a4fc485d4aaaf8a07718252ace and fixed in 6.1 with commit a89ff5f5cc64b9fe7a992cf56988fd36f56ca82a

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49010
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/hwmon/coretemp.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/fb503d077ff7b43913503eaf72995d1239028b99
	https://git.kernel.org/stable/c/070d5ea4a0592a37ad96ce7f7b6b024f90bb009f
	https://git.kernel.org/stable/c/280110db1a7d62ad635b103bafc3ae96e8bef75c
	https://git.kernel.org/stable/c/89eecabe6a47403237f45aafd7d24f93cb973653
	https://git.kernel.org/stable/c/f06e0cd01eab954bd5f2190c9faa79bb5357e05b
	https://git.kernel.org/stable/c/7692700ac818866d138a8de555130a6e70e6ac16
	https://git.kernel.org/stable/c/ae6c8b6e5d5628df1c475c0a8fca1465e205c95b
	https://git.kernel.org/stable/c/a89ff5f5cc64b9fe7a992cf56988fd36f56ca82a