Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-vulnerable / . / cve / published / 2022 / CVE-2022-49248.mbox
blob: 5addd8e857ea11f5eff7634d520768eb2cbfcd23 [file] [log] [blame]
From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2022-49248: ALSA: firewire-lib: fix uninitialized flag for AV/C deferred transaction
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
ALSA: firewire-lib: fix uninitialized flag for AV/C deferred transaction
AV/C deferred transaction was supported at a commit 00a7bb81c20f ("ALSA:
firewire-lib: Add support for deferred transaction") while 'deferrable'
flag can be uninitialized for non-control/notify AV/C transactions.
UBSAN reports it:
kernel: ================================================================================
kernel: UBSAN: invalid-load in /build/linux-aa0B4d/linux-5.15.0/sound/firewire/fcp.c:363:9
kernel: load of value 158 is not a valid value for type '_Bool'
kernel: CPU: 3 PID: 182227 Comm: irq/35-firewire Tainted: P OE 5.15.0-18-generic #18-Ubuntu
kernel: Hardware name: Gigabyte Technology Co., Ltd. AX370-Gaming 5/AX370-Gaming 5, BIOS F42b 08/01/2019
kernel: Call Trace:
kernel: <IRQ>
kernel: show_stack+0x52/0x58
kernel: dump_stack_lvl+0x4a/0x5f
kernel: dump_stack+0x10/0x12
kernel: ubsan_epilogue+0x9/0x45
kernel: __ubsan_handle_load_invalid_value.cold+0x44/0x49
kernel: fcp_response.part.0.cold+0x1a/0x2b [snd_firewire_lib]
kernel: fcp_response+0x28/0x30 [snd_firewire_lib]
kernel: fw_core_handle_request+0x230/0x3d0 [firewire_core]
kernel: handle_ar_packet+0x1d9/0x200 [firewire_ohci]
kernel: ? handle_ar_packet+0x1d9/0x200 [firewire_ohci]
kernel: ? transmit_complete_callback+0x9f/0x120 [firewire_core]
kernel: ar_context_tasklet+0xa8/0x2e0 [firewire_ohci]
kernel: tasklet_action_common.constprop.0+0xea/0xf0
kernel: tasklet_action+0x22/0x30
kernel: __do_softirq+0xd9/0x2e3
kernel: ? irq_finalize_oneshot.part.0+0xf0/0xf0
kernel: do_softirq+0x75/0xa0
kernel: </IRQ>
kernel: <TASK>
kernel: __local_bh_enable_ip+0x50/0x60
kernel: irq_forced_thread_fn+0x7e/0x90
kernel: irq_thread+0xba/0x190
kernel: ? irq_thread_fn+0x60/0x60
kernel: kthread+0x11e/0x140
kernel: ? irq_thread_check_affinity+0xf0/0xf0
kernel: ? set_kthread_struct+0x50/0x50
kernel: ret_from_fork+0x22/0x30
kernel: </TASK>
kernel: ================================================================================
This commit fixes the bug. The bug has no disadvantage for the non-
control/notify AV/C transactions since the flag has an effect for AV/C
response with INTERIM (0x0f) status which is not used for the transactions
in AV/C general specification.
The Linux kernel CVE team has assigned CVE-2022-49248 to this issue.
Affected and fixed versions
===========================
Issue introduced in 3.16 with commit 00a7bb81c20f3e81711e28e0f6c08cee8fd18514 and fixed in 4.9.311 with commit 99582e4b19f367fa95bdd150b3034d7ce8113342
Issue introduced in 3.16 with commit 00a7bb81c20f3e81711e28e0f6c08cee8fd18514 and fixed in 4.14.276 with commit b2b65c9013dc28836d82e25d0f0c94d794a14aba
Issue introduced in 3.16 with commit 00a7bb81c20f3e81711e28e0f6c08cee8fd18514 and fixed in 4.19.238 with commit 60e5d391805d70458a01998de00d0c28cba40bf3
Issue introduced in 3.16 with commit 00a7bb81c20f3e81711e28e0f6c08cee8fd18514 and fixed in 5.4.189 with commit 7025f40690a235a118c87674cfb93072694aa66d
Issue introduced in 3.16 with commit 00a7bb81c20f3e81711e28e0f6c08cee8fd18514 and fixed in 5.10.110 with commit 7e6f5786621df060f8296f074efd275eaf20361a
Issue introduced in 3.16 with commit 00a7bb81c20f3e81711e28e0f6c08cee8fd18514 and fixed in 5.15.33 with commit eab74c41612083bd627b60da650e19234e4f1051
Issue introduced in 3.16 with commit 00a7bb81c20f3e81711e28e0f6c08cee8fd18514 and fixed in 5.16.19 with commit d07e4bbaff6fbba6f70c04b092ea7d9afcdf392e
Issue introduced in 3.16 with commit 00a7bb81c20f3e81711e28e0f6c08cee8fd18514 and fixed in 5.17.2 with commit 39d2c4a33dc1b4402cec68a3c8f82c6588b6edce
Issue introduced in 3.16 with commit 00a7bb81c20f3e81711e28e0f6c08cee8fd18514 and fixed in 5.18 with commit bf0cd60b7e33cf221fbe1114e4acb2c828b0af0d
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2022-49248
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
sound/firewire/fcp.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/99582e4b19f367fa95bdd150b3034d7ce8113342
https://git.kernel.org/stable/c/b2b65c9013dc28836d82e25d0f0c94d794a14aba
https://git.kernel.org/stable/c/60e5d391805d70458a01998de00d0c28cba40bf3
https://git.kernel.org/stable/c/7025f40690a235a118c87674cfb93072694aa66d
https://git.kernel.org/stable/c/7e6f5786621df060f8296f074efd275eaf20361a
https://git.kernel.org/stable/c/eab74c41612083bd627b60da650e19234e4f1051
https://git.kernel.org/stable/c/d07e4bbaff6fbba6f70c04b092ea7d9afcdf392e
https://git.kernel.org/stable/c/39d2c4a33dc1b4402cec68a3c8f82c6588b6edce
https://git.kernel.org/stable/c/bf0cd60b7e33cf221fbe1114e4acb2c828b0af0d