cve/published/2022/CVE-2022-49083.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49083: iommu/omap: Fix regression in probe for NULL pointer dereference

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 iommu/omap: Fix regression in probe for NULL pointer dereference

 Commit 3f6634d997db ("iommu: Use right way to retrieve iommu_ops") started
 triggering a NULL pointer dereference for some omap variants:

 __iommu_probe_device from probe_iommu_group+0x2c/0x38
 probe_iommu_group from bus_for_each_dev+0x74/0xbc
 bus_for_each_dev from bus_iommu_probe+0x34/0x2e8
 bus_iommu_probe from bus_set_iommu+0x80/0xc8
 bus_set_iommu from omap_iommu_init+0x88/0xcc
 omap_iommu_init from do_one_initcall+0x44/0x24

 This is caused by omap iommu probe returning 0 instead of ERR_PTR(-ENODEV)
 as noted by Jason Gunthorpe <jgg@ziepe.ca>.

 Looks like the regression already happened with an earlier commit
 6785eb9105e3 ("iommu/omap: Convert to probe/release_device() call-backs")
 that changed the function return type and missed converting one place.

 The Linux kernel CVE team has assigned CVE-2022-49083 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.8 with commit 6785eb9105e3363aa51408c700a55e8b5f88fcf6 and fixed in 5.10.111 with commit bd905fed87ce01ac010011bb8f44ed0140116ceb
 	Issue introduced in 5.8 with commit 6785eb9105e3363aa51408c700a55e8b5f88fcf6 and fixed in 5.15.34 with commit 47e239117bd97c8556f9187af7a9a7938db4e021
 	Issue introduced in 5.8 with commit 6785eb9105e3363aa51408c700a55e8b5f88fcf6 and fixed in 5.16.20 with commit ea518578aa8a9a0280605b53cc33f707e10c8178
 	Issue introduced in 5.8 with commit 6785eb9105e3363aa51408c700a55e8b5f88fcf6 and fixed in 5.17.3 with commit 1d89f2b9eadbcf3ce93c6d7238f68299a1f84968
 	Issue introduced in 5.8 with commit 6785eb9105e3363aa51408c700a55e8b5f88fcf6 and fixed in 5.18 with commit 71ff461c3f41f6465434b9e980c01782763e7ad8

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49083
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/iommu/omap-iommu.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/bd905fed87ce01ac010011bb8f44ed0140116ceb
 	https://git.kernel.org/stable/c/47e239117bd97c8556f9187af7a9a7938db4e021
 	https://git.kernel.org/stable/c/ea518578aa8a9a0280605b53cc33f707e10c8178
 	https://git.kernel.org/stable/c/1d89f2b9eadbcf3ce93c6d7238f68299a1f84968
 	https://git.kernel.org/stable/c/71ff461c3f41f6465434b9e980c01782763e7ad8
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49083: iommu/omap: Fix regression in probe for NULL pointer dereference

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	iommu/omap: Fix regression in probe for NULL pointer dereference

	Commit 3f6634d997db ("iommu: Use right way to retrieve iommu_ops") started
	triggering a NULL pointer dereference for some omap variants:

	__iommu_probe_device from probe_iommu_group+0x2c/0x38
	probe_iommu_group from bus_for_each_dev+0x74/0xbc
	bus_for_each_dev from bus_iommu_probe+0x34/0x2e8
	bus_iommu_probe from bus_set_iommu+0x80/0xc8
	bus_set_iommu from omap_iommu_init+0x88/0xcc
	omap_iommu_init from do_one_initcall+0x44/0x24

	This is caused by omap iommu probe returning 0 instead of ERR_PTR(-ENODEV)
	as noted by Jason Gunthorpe <jgg@ziepe.ca>.

	Looks like the regression already happened with an earlier commit
	6785eb9105e3 ("iommu/omap: Convert to probe/release_device() call-backs")
	that changed the function return type and missed converting one place.

	The Linux kernel CVE team has assigned CVE-2022-49083 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.8 with commit 6785eb9105e3363aa51408c700a55e8b5f88fcf6 and fixed in 5.10.111 with commit bd905fed87ce01ac010011bb8f44ed0140116ceb
	Issue introduced in 5.8 with commit 6785eb9105e3363aa51408c700a55e8b5f88fcf6 and fixed in 5.15.34 with commit 47e239117bd97c8556f9187af7a9a7938db4e021
	Issue introduced in 5.8 with commit 6785eb9105e3363aa51408c700a55e8b5f88fcf6 and fixed in 5.16.20 with commit ea518578aa8a9a0280605b53cc33f707e10c8178
	Issue introduced in 5.8 with commit 6785eb9105e3363aa51408c700a55e8b5f88fcf6 and fixed in 5.17.3 with commit 1d89f2b9eadbcf3ce93c6d7238f68299a1f84968
	Issue introduced in 5.8 with commit 6785eb9105e3363aa51408c700a55e8b5f88fcf6 and fixed in 5.18 with commit 71ff461c3f41f6465434b9e980c01782763e7ad8

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49083
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/iommu/omap-iommu.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/bd905fed87ce01ac010011bb8f44ed0140116ceb
	https://git.kernel.org/stable/c/47e239117bd97c8556f9187af7a9a7938db4e021
	https://git.kernel.org/stable/c/ea518578aa8a9a0280605b53cc33f707e10c8178
	https://git.kernel.org/stable/c/1d89f2b9eadbcf3ce93c6d7238f68299a1f84968
	https://git.kernel.org/stable/c/71ff461c3f41f6465434b9e980c01782763e7ad8