cve/published/2022/CVE-2022-49070.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49070: fbdev: Fix unregistering of framebuffers without device

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 fbdev: Fix unregistering of framebuffers without device

 OF framebuffers do not have an underlying device in the Linux
 device hierarchy. Do a regular unregister call instead of hot
 unplugging such a non-existing device. Fixes a NULL dereference.
 An example error message on ppc64le is shown below.

   BUG: Kernel NULL pointer dereference on read at 0x00000060
   Faulting instruction address: 0xc00000000080dfa4
   Oops: Kernel access of bad area, sig: 11 [#1]
   LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
   [...]
   CPU: 2 PID: 139 Comm: systemd-udevd Not tainted 5.17.0-ae085d7f9365 #1
   NIP:  c00000000080dfa4 LR: c00000000080df9c CTR: c000000000797430
   REGS: c000000004132fe0 TRAP: 0300   Not tainted  (5.17.0-ae085d7f9365)
   MSR:  8000000002009033 <SF,VEC,EE,ME,IR,DR,RI,LE>  CR: 28228282  XER: 20000000
   CFAR: c00000000000c80c DAR: 0000000000000060 DSISR: 40000000 IRQMASK: 0
   GPR00: c00000000080df9c c000000004133280 c00000000169d200 0000000000000029
   GPR04: 00000000ffffefff c000000004132f90 c000000004132f88 0000000000000000
   GPR08: c0000000015658f8 c0000000015cd200 c0000000014f57d0 0000000048228283
   GPR12: 0000000000000000 c00000003fffe300 0000000020000000 0000000000000000
   GPR16: 0000000000000000 0000000113fc4a40 0000000000000005 0000000113fcfb80
   GPR20: 000001000f7283b0 0000000000000000 c000000000e4a588 c000000000e4a5b0
   GPR24: 0000000000000001 00000000000a0000 c008000000db0168 c0000000021f6ec0
   GPR28: c0000000016d65a8 c000000004b36460 0000000000000000 c0000000016d64b0
   NIP [c00000000080dfa4] do_remove_conflicting_framebuffers+0x184/0x1d0
   [c000000004133280] [c00000000080df9c] do_remove_conflicting_framebuffers+0x17c/0x1d0 (unreliable)
   [c000000004133350] [c00000000080e4d0] remove_conflicting_framebuffers+0x60/0x150
   [c0000000041333a0] [c00000000080e6f4] remove_conflicting_pci_framebuffers+0x134/0x1b0
   [c000000004133450] [c008000000e70438] drm_aperture_remove_conflicting_pci_framebuffers+0x90/0x100 [drm]
   [c000000004133490] [c008000000da0ce4] bochs_pci_probe+0x6c/0xa64 [bochs]
   [...]
   [c000000004133db0] [c00000000002aaa0] system_call_exception+0x170/0x2d0
   [c000000004133e10] [c00000000000c3cc] system_call_common+0xec/0x250

 The bug [1] was introduced by commit 27599aacbaef ("fbdev: Hot-unplug
 firmware fb devices on forced removal"). Most firmware framebuffers
 have an underlying platform device, which can be hot-unplugged
 before loading the native graphics driver. OF framebuffers do not
 (yet) have that device. Fix the code by unregistering the framebuffer
 as before without a hot unplug.

 Tested with 5.17 on qemu ppc64le emulation.

 The Linux kernel CVE team has assigned CVE-2022-49070 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.15.33 with commit c894ac44786cfed383a6c6b20c1bfb12eb96018a and fixed in 5.15.34 with commit 2388f826cdc9af2651991adc0feb79de9bdf2232
 	Issue introduced in 5.16.19 with commit 9565a3b5203a4d57acbc1d0e981c6df71864b4ab and fixed in 5.16.20 with commit de33df481545974ba47c46f05194e769e4307843
 	Issue introduced in 5.17.2 with commit 4d695d7c276f15adb1d2b64c584c3cf8f4f9e9ce and fixed in 5.17.3 with commit feed87ff122b1640c221d4dd559442ab2cd50bb1

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49070
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/video/fbdev/core/fbmem.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/2388f826cdc9af2651991adc0feb79de9bdf2232
 	https://git.kernel.org/stable/c/de33df481545974ba47c46f05194e769e4307843
 	https://git.kernel.org/stable/c/feed87ff122b1640c221d4dd559442ab2cd50bb1
 	https://git.kernel.org/stable/c/0f525289ff0ddeb380813bd81e0f9bdaaa1c9078
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49070: fbdev: Fix unregistering of framebuffers without device

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	fbdev: Fix unregistering of framebuffers without device

	OF framebuffers do not have an underlying device in the Linux
	device hierarchy. Do a regular unregister call instead of hot
	unplugging such a non-existing device. Fixes a NULL dereference.
	An example error message on ppc64le is shown below.

	BUG: Kernel NULL pointer dereference on read at 0x00000060
	Faulting instruction address: 0xc00000000080dfa4
	Oops: Kernel access of bad area, sig: 11 [#1]
	LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
	[...]
	CPU: 2 PID: 139 Comm: systemd-udevd Not tainted 5.17.0-ae085d7f9365 #1
	NIP: c00000000080dfa4 LR: c00000000080df9c CTR: c000000000797430
	REGS: c000000004132fe0 TRAP: 0300 Not tainted (5.17.0-ae085d7f9365)
	MSR: 8000000002009033 <SF,VEC,EE,ME,IR,DR,RI,LE> CR: 28228282 XER: 20000000
	CFAR: c00000000000c80c DAR: 0000000000000060 DSISR: 40000000 IRQMASK: 0
	GPR00: c00000000080df9c c000000004133280 c00000000169d200 0000000000000029
	GPR04: 00000000ffffefff c000000004132f90 c000000004132f88 0000000000000000
	GPR08: c0000000015658f8 c0000000015cd200 c0000000014f57d0 0000000048228283
	GPR12: 0000000000000000 c00000003fffe300 0000000020000000 0000000000000000
	GPR16: 0000000000000000 0000000113fc4a40 0000000000000005 0000000113fcfb80
	GPR20: 000001000f7283b0 0000000000000000 c000000000e4a588 c000000000e4a5b0
	GPR24: 0000000000000001 00000000000a0000 c008000000db0168 c0000000021f6ec0
	GPR28: c0000000016d65a8 c000000004b36460 0000000000000000 c0000000016d64b0
	NIP [c00000000080dfa4] do_remove_conflicting_framebuffers+0x184/0x1d0
	[c000000004133280] [c00000000080df9c] do_remove_conflicting_framebuffers+0x17c/0x1d0 (unreliable)
	[c000000004133350] [c00000000080e4d0] remove_conflicting_framebuffers+0x60/0x150
	[c0000000041333a0] [c00000000080e6f4] remove_conflicting_pci_framebuffers+0x134/0x1b0
	[c000000004133450] [c008000000e70438] drm_aperture_remove_conflicting_pci_framebuffers+0x90/0x100 [drm]
	[c000000004133490] [c008000000da0ce4] bochs_pci_probe+0x6c/0xa64 [bochs]
	[...]
	[c000000004133db0] [c00000000002aaa0] system_call_exception+0x170/0x2d0
	[c000000004133e10] [c00000000000c3cc] system_call_common+0xec/0x250

	The bug [1] was introduced by commit 27599aacbaef ("fbdev: Hot-unplug
	firmware fb devices on forced removal"). Most firmware framebuffers
	have an underlying platform device, which can be hot-unplugged
	before loading the native graphics driver. OF framebuffers do not
	(yet) have that device. Fix the code by unregistering the framebuffer
	as before without a hot unplug.

	Tested with 5.17 on qemu ppc64le emulation.

	The Linux kernel CVE team has assigned CVE-2022-49070 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.15.33 with commit c894ac44786cfed383a6c6b20c1bfb12eb96018a and fixed in 5.15.34 with commit 2388f826cdc9af2651991adc0feb79de9bdf2232
	Issue introduced in 5.16.19 with commit 9565a3b5203a4d57acbc1d0e981c6df71864b4ab and fixed in 5.16.20 with commit de33df481545974ba47c46f05194e769e4307843
	Issue introduced in 5.17.2 with commit 4d695d7c276f15adb1d2b64c584c3cf8f4f9e9ce and fixed in 5.17.3 with commit feed87ff122b1640c221d4dd559442ab2cd50bb1

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49070
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/video/fbdev/core/fbmem.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/2388f826cdc9af2651991adc0feb79de9bdf2232
	https://git.kernel.org/stable/c/de33df481545974ba47c46f05194e769e4307843
	https://git.kernel.org/stable/c/feed87ff122b1640c221d4dd559442ab2cd50bb1
	https://git.kernel.org/stable/c/0f525289ff0ddeb380813bd81e0f9bdaaa1c9078