CVE-2022-48728

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48728
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48728.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-48728
Related
Published
2024-06-20T12:15:11Z
Modified
2024-09-18T17:49:03.357420Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

IB/hfi1: Fix AIP early init panic

An early failure in hfi1ipoibsetup_rn() can lead to the following panic:

BUG: unable to handle kernel NULL pointer dereference at 00000000000001b0 PGD 0 P4D 0 Oops: 0002 [#1] SMP NOPTI Workqueue: events workforcpufn RIP: 0010:trytograbpending+0x2b/0x140 Code: 1f 44 00 00 41 55 41 54 55 48 89 d5 53 48 89 fb 9c 58 0f 1f 44 00 00 48 89 c2 fa 66 0f 1f 44 00 00 48 89 55 00 40 84 f6 75 77 <f0> 48 0f ba 2b 00 72 09 31 c0 5b 5d 41 5c 41 5d c3 48 89 df e8 6c RSP: 0018:ffffb6b3cf7cfa48 EFLAGS: 00010046 RAX: 0000000000000246 RBX: 00000000000001b0 RCX: 0000000000000000 RDX: 0000000000000246 RSI: 0000000000000000 RDI: 00000000000001b0 RBP: ffffb6b3cf7cfa70 R08: 0000000000000f09 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 R13: ffffb6b3cf7cfa90 R14: ffffffff9b2fbfc0 R15: ffff8a4fdf244690 FS: 0000000000000000(0000) GS:ffff8a527f400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000001b0 CR3: 00000017e2410003 CR4: 00000000007706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: _cancelworktimer+0x42/0x190 ? devprintkemit+0x4e/0x70 iowaitcancelwork+0x15/0x30 [hfi1] hfi1ipoibtxreqdeinit+0x5a/0x220 [hfi1] ? deverr+0x6c/0x90 hfi1ipoibnetdevdtor+0x15/0x30 [hfi1] hfi1ipoibsetuprn+0x10e/0x150 [hfi1] rdmainitnetdev+0x5a/0x80 [ibcore] ? hfi1ipoibfreerdmanetdev+0x20/0x20 [hfi1] ipoibintfinit+0x6c/0x350 [ibipoib] ipoibintfalloc+0x5c/0xc0 [ibipoib] ipoibaddone+0xbe/0x300 [ibipoib] addclientcontext+0x12c/0x1a0 [ibcore] enabledeviceandget+0xdc/0x1d0 [ibcore] ibregisterdevice+0x572/0x6b0 [ibcore] rvtregisterdevice+0x11b/0x220 [rdmavt] hfi1registeribdevice+0x6b4/0x770 [hfi1] doinitone.isra.20+0x3e3/0x680 [hfi1] localpciprobe+0x41/0x90 workforcpufn+0x16/0x20 processonework+0x1a7/0x360 ? createworker+0x1a0/0x1a0 workerthread+0x1cf/0x390 ? createworker+0x1a0/0x1a0 kthread+0x116/0x130 ? kthreadflushworkfn+0x10/0x10 retfrom_fork+0x1f/0x40

The panic happens in hfi1ipoibtxreqdeinit() because there is a NULL deref when hfi1ipoibnetdevdtor() is called in this error case.

hfi1ipoibtxreqinit() and hfi1ipoibrxqinit() are self unwinding so fix by adjusting the error paths accordingly.

Other changes: - hfi1ipoibfreerdmanetdev() is deleted including the freenetdev() since the netdev core code deletes calls freenetdev() - The switch to the accelerated entrances is moved to the success path.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.103-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.16.10-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.16.10-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}