cve/published/2022/CVE-2022-49826.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49826: ata: libata-transport: fix double ata_host_put() in ata_tport_add()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ata: libata-transport: fix double ata_host_put() in ata_tport_add()

 In the error path in ata_tport_add(), when calling put_device(),
 ata_tport_release() is called, it will put the refcount of 'ap->host'.

 And then ata_host_put() is called again, the refcount is decreased
 to 0, ata_host_release() is called, all ports are freed and set to
 null.

 When unbinding the device after failure, ata_host_stop() is called
 to release the resources, it leads a null-ptr-deref(), because all
 the ports all freed and null.

 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
 CPU: 7 PID: 18671 Comm: modprobe Kdump: loaded Tainted: G            E      6.1.0-rc3+ #8
 pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
 pc : ata_host_stop+0x3c/0x84 [libata]
 lr : release_nodes+0x64/0xd0
 Call trace:
  ata_host_stop+0x3c/0x84 [libata]
  release_nodes+0x64/0xd0
  devres_release_all+0xbc/0x1b0
  device_unbind_cleanup+0x20/0x70
  really_probe+0x158/0x320
  __driver_probe_device+0x84/0x120
  driver_probe_device+0x44/0x120
  __driver_attach+0xb4/0x220
  bus_for_each_dev+0x78/0xdc
  driver_attach+0x2c/0x40
  bus_add_driver+0x184/0x240
  driver_register+0x80/0x13c
  __pci_register_driver+0x4c/0x60
  ahci_pci_driver_init+0x30/0x1000 [ahci]

 Fix this by removing redundant ata_host_put() in the error path.

 The Linux kernel CVE team has assigned CVE-2022-49826 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.17 with commit 2623c7a5f2799569d8bb05eb211da524a8144cb3 and fixed in 4.19.267 with commit 30e12e2be27ac6c4be2af4163c70db381364706f
 	Issue introduced in 4.17 with commit 2623c7a5f2799569d8bb05eb211da524a8144cb3 and fixed in 5.4.225 with commit bec9ded5404cb14e5f5470103d0973a2ff83d6a5
 	Issue introduced in 4.17 with commit 2623c7a5f2799569d8bb05eb211da524a8144cb3 and fixed in 5.10.156 with commit ac471468f7c16cda2525909946ca13ddbcd14000
 	Issue introduced in 4.17 with commit 2623c7a5f2799569d8bb05eb211da524a8144cb3 and fixed in 5.15.80 with commit 377ff82c33c0cb74562a353361b64b33c09562cf
 	Issue introduced in 4.17 with commit 2623c7a5f2799569d8bb05eb211da524a8144cb3 and fixed in 6.0.10 with commit 865a6da40ba092c18292ae5f6194756131293745
 	Issue introduced in 4.17 with commit 2623c7a5f2799569d8bb05eb211da524a8144cb3 and fixed in 6.1 with commit 8c76310740807ade5ecdab5888f70ecb6d35732e

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49826
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/ata/libata-transport.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/30e12e2be27ac6c4be2af4163c70db381364706f
 	https://git.kernel.org/stable/c/bec9ded5404cb14e5f5470103d0973a2ff83d6a5
 	https://git.kernel.org/stable/c/ac471468f7c16cda2525909946ca13ddbcd14000
 	https://git.kernel.org/stable/c/377ff82c33c0cb74562a353361b64b33c09562cf
 	https://git.kernel.org/stable/c/865a6da40ba092c18292ae5f6194756131293745
 	https://git.kernel.org/stable/c/8c76310740807ade5ecdab5888f70ecb6d35732e
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49826: ata: libata-transport: fix double ata_host_put() in ata_tport_add()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ata: libata-transport: fix double ata_host_put() in ata_tport_add()

	In the error path in ata_tport_add(), when calling put_device(),
	ata_tport_release() is called, it will put the refcount of 'ap->host'.

	And then ata_host_put() is called again, the refcount is decreased
	to 0, ata_host_release() is called, all ports are freed and set to
	null.

	When unbinding the device after failure, ata_host_stop() is called
	to release the resources, it leads a null-ptr-deref(), because all
	the ports all freed and null.

	Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
	CPU: 7 PID: 18671 Comm: modprobe Kdump: loaded Tainted: G E 6.1.0-rc3+ #8
	pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
	pc : ata_host_stop+0x3c/0x84 [libata]
	lr : release_nodes+0x64/0xd0
	Call trace:
	ata_host_stop+0x3c/0x84 [libata]
	release_nodes+0x64/0xd0
	devres_release_all+0xbc/0x1b0
	device_unbind_cleanup+0x20/0x70
	really_probe+0x158/0x320
	__driver_probe_device+0x84/0x120
	driver_probe_device+0x44/0x120
	__driver_attach+0xb4/0x220
	bus_for_each_dev+0x78/0xdc
	driver_attach+0x2c/0x40
	bus_add_driver+0x184/0x240
	driver_register+0x80/0x13c
	__pci_register_driver+0x4c/0x60
	ahci_pci_driver_init+0x30/0x1000 [ahci]

	Fix this by removing redundant ata_host_put() in the error path.

	The Linux kernel CVE team has assigned CVE-2022-49826 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.17 with commit 2623c7a5f2799569d8bb05eb211da524a8144cb3 and fixed in 4.19.267 with commit 30e12e2be27ac6c4be2af4163c70db381364706f
	Issue introduced in 4.17 with commit 2623c7a5f2799569d8bb05eb211da524a8144cb3 and fixed in 5.4.225 with commit bec9ded5404cb14e5f5470103d0973a2ff83d6a5
	Issue introduced in 4.17 with commit 2623c7a5f2799569d8bb05eb211da524a8144cb3 and fixed in 5.10.156 with commit ac471468f7c16cda2525909946ca13ddbcd14000
	Issue introduced in 4.17 with commit 2623c7a5f2799569d8bb05eb211da524a8144cb3 and fixed in 5.15.80 with commit 377ff82c33c0cb74562a353361b64b33c09562cf
	Issue introduced in 4.17 with commit 2623c7a5f2799569d8bb05eb211da524a8144cb3 and fixed in 6.0.10 with commit 865a6da40ba092c18292ae5f6194756131293745
	Issue introduced in 4.17 with commit 2623c7a5f2799569d8bb05eb211da524a8144cb3 and fixed in 6.1 with commit 8c76310740807ade5ecdab5888f70ecb6d35732e

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49826
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/ata/libata-transport.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/30e12e2be27ac6c4be2af4163c70db381364706f
	https://git.kernel.org/stable/c/bec9ded5404cb14e5f5470103d0973a2ff83d6a5
	https://git.kernel.org/stable/c/ac471468f7c16cda2525909946ca13ddbcd14000
	https://git.kernel.org/stable/c/377ff82c33c0cb74562a353361b64b33c09562cf
	https://git.kernel.org/stable/c/865a6da40ba092c18292ae5f6194756131293745
	https://git.kernel.org/stable/c/8c76310740807ade5ecdab5888f70ecb6d35732e