| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2022-49509: media: i2c: max9286: fix kernel oops when removing module |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| media: i2c: max9286: fix kernel oops when removing module |
| |
| When removing the max9286 module we get a kernel oops: |
| |
| Unable to handle kernel paging request at virtual address 000000aa00000094 |
| Mem abort info: |
| ESR = 0x96000004 |
| EC = 0x25: DABT (current EL), IL = 32 bits |
| SET = 0, FnV = 0 |
| EA = 0, S1PTW = 0 |
| FSC = 0x04: level 0 translation fault |
| Data abort info: |
| ISV = 0, ISS = 0x00000004 |
| CM = 0, WnR = 0 |
| user pgtable: 4k pages, 48-bit VAs, pgdp=0000000880d85000 |
| [000000aa00000094] pgd=0000000000000000, p4d=0000000000000000 |
| Internal error: Oops: 96000004 [#1] PREEMPT SMP |
| Modules linked in: fsl_jr_uio caam_jr rng_core libdes caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine max9271 authenc crct10dif_ce mxc_jpeg_encdec |
| CPU: 2 PID: 713 Comm: rmmod Tainted: G C 5.15.5-00057-gaebcd29c8ed7-dirty #5 |
| Hardware name: Freescale i.MX8QXP MEK (DT) |
| pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) |
| pc : i2c_mux_del_adapters+0x24/0xf0 |
| lr : max9286_remove+0x28/0xd0 [max9286] |
| sp : ffff800013a9bbf0 |
| x29: ffff800013a9bbf0 x28: ffff00080b6da940 x27: 0000000000000000 |
| x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 |
| x23: ffff000801a5b970 x22: ffff0008048b0890 x21: ffff800009297000 |
| x20: ffff0008048b0f70 x19: 000000aa00000064 x18: 0000000000000000 |
| x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 |
| x14: 0000000000000014 x13: 0000000000000000 x12: ffff000802da49e8 |
| x11: ffff000802051918 x10: ffff000802da4920 x9 : ffff000800030098 |
| x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff6364626d |
| x5 : 8080808000000000 x4 : 0000000000000000 x3 : 0000000000000000 |
| x2 : ffffffffffffffff x1 : ffff00080b6da940 x0 : 0000000000000000 |
| Call trace: |
| i2c_mux_del_adapters+0x24/0xf0 |
| max9286_remove+0x28/0xd0 [max9286] |
| i2c_device_remove+0x40/0x110 |
| __device_release_driver+0x188/0x234 |
| driver_detach+0xc4/0x150 |
| bus_remove_driver+0x60/0xe0 |
| driver_unregister+0x34/0x64 |
| i2c_del_driver+0x58/0xa0 |
| max9286_i2c_driver_exit+0x1c/0x490 [max9286] |
| __arm64_sys_delete_module+0x194/0x260 |
| invoke_syscall+0x48/0x114 |
| el0_svc_common.constprop.0+0xd4/0xfc |
| do_el0_svc+0x2c/0x94 |
| el0_svc+0x28/0x80 |
| el0t_64_sync_handler+0xa8/0x130 |
| el0t_64_sync+0x1a0/0x1a4 |
| |
| The Oops happens because the I2C client data does not point to |
| max9286_priv anymore but to v4l2_subdev. The change happened in |
| max9286_init() which calls v4l2_i2c_subdev_init() later on... |
| |
| Besides fixing the max9286_remove() function, remove the call to |
| i2c_set_clientdata() in max9286_probe(), to avoid confusion, and make |
| the necessary changes to max9286_init() so that it doesn't have to use |
| i2c_get_clientdata() in order to fetch the pointer to priv. |
| |
| The Linux kernel CVE team has assigned CVE-2022-49509 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 5.9 with commit 66d8c9d2422da21ed41f75c03ba0685987b65fe0 and fixed in 5.15.46 with commit a4ec75df70575cdf33d9638c7844e729bfe6ce24 |
| Issue introduced in 5.9 with commit 66d8c9d2422da21ed41f75c03ba0685987b65fe0 and fixed in 5.17.14 with commit 579c77595dbbdfe4f2edf335899f86ac51eca4e9 |
| Issue introduced in 5.9 with commit 66d8c9d2422da21ed41f75c03ba0685987b65fe0 and fixed in 5.18.3 with commit 9dd783274c89c21a038d967b52a858a297e767f8 |
| Issue introduced in 5.9 with commit 66d8c9d2422da21ed41f75c03ba0685987b65fe0 and fixed in 5.19 with commit 365ab7ebc24eebb42b9e020aeb440d51af8960cd |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2022-49509 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| drivers/media/i2c/max9286.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/a4ec75df70575cdf33d9638c7844e729bfe6ce24 |
| https://git.kernel.org/stable/c/579c77595dbbdfe4f2edf335899f86ac51eca4e9 |
| https://git.kernel.org/stable/c/9dd783274c89c21a038d967b52a858a297e767f8 |
| https://git.kernel.org/stable/c/365ab7ebc24eebb42b9e020aeb440d51af8960cd |
