CVE-2022-49605

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49605
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49605.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-49605
Related
Published
2025-02-26T07:01:36Z
Modified
2025-02-26T19:01:33.972416Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

igc: Reinstate IGC_REMOVED logic and implement it properly

The initially merged version of the igc driver code (via commit 146740f9abc4, "igc: Add support for PF") contained the following IGC_REMOVED checks in the igc_rd32()/wr32() MMIO accessors:

u32 igc_rd32(struct igc_hw *hw, u32 reg)
{
    u8 __iomem *hw_addr = READ_ONCE(hw->hw_addr);
    u32 value = 0;

    if (IGC_REMOVED(hw_addr))
        return ~value;

    value = readl(&hw_addr[reg]);

    /* reads should not return all F's */
    if (!(~value) && (!reg || !(~readl(hw_addr))))
        hw->hw_addr = NULL;

    return value;
}

And:

#define wr32(reg, val) \
do { \
    u8 __iomem *hw_addr = READ_ONCE((hw)->hw_addr); \
    if (!IGC_REMOVED(hw_addr)) \
        writel((val), &hw_addr[(reg)]); \
} while (0)

E.g. igb has similar checks in its MMIO accessors, and has a similar macro E1000_REMOVED, which is implemented as follows:

#define E1000_REMOVED(h) unlikely(!(h))

These checks serve to detect and take note of an 0xffffffff MMIO read return from the device, which can be caused by a PCIe link flap or some other kind of PCI bus error, and to avoid performing MMIO reads and writes from that point onwards.

However, the IGC_REMOVED macro was not originally implemented:

#ifndef IGC_REMOVED
#define IGC_REMOVED(a) (0)
#endif /* IGC_REMOVED */

This led to the IGC_REMOVED logic being removed entirely in a subsequent commit (commit 3c215fb18e70, "igc: remove IGC_REMOVED function"), with the rationale that such checks matter only for virtualization and that igc does not support virtualization -- but a PCIe device can become detached even without virtualization being in use, and without proper checks, a PCIe bus error affecting an igc adapter will lead to various NULL pointer dereferences, as the first access after the error will set hw->hw_addr to NULL, and subsequent accesses will blindly dereference this now-NULL pointer.

This patch reinstates the IGC_REMOVED checks in igc_rd32()/wr32(), and implements IGC_REMOVED the way it is done for igb, by checking for the unlikely() case of hw_addr being NULL. This change prevents the oopses seen when a PCIe link flap occurs on an igc adapter.
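The following user-space simulation is an added example, not code from the igc driver or the kernel patch. It reproduces the failure sequence the commit message describes: a read that returns 0xffffffff after a link flap clears hw->hw_addr, and every later MMIO access through an accessor without the IGC_REMOVED guard dereferences NULL. The fake BAR (fake_bar), the fault-injection flag (link_down), the readl()/writel() stand-ins (fake_readl/fake_writel), the oops counter (null_deref_count) and run_scenario() are all constructed for the simulation; the unchecked accessor records the would-be NULL dereference instead of crashing so the example can run to completion. unlikely() is defined via __builtin_expect, which assumes gcc or clang.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;
typedef uint8_t u8;

#define unlikely(x) __builtin_expect(!!(x), 0)

/* Constructed stand-in for the adapter's MMIO BAR: 16 32-bit registers. */
#define NREGS 16
static u32 fake_bar[NREGS];

/* Constructed fault injection: when set, every read returns 0xffffffff,
 * which is what the PCIe fabric hands back after a link flap or bus error. */
static bool link_down;

/* Counts accesses that, in the real driver, would be a NULL pointer
 * dereference (an oops). The simulation records them instead of crashing. */
static int null_deref_count;

/* Stand-ins for the kernel's readl()/writel() on the fake BAR. */
static u32 fake_readl(const void *addr)
{
    return link_down ? 0xffffffffu : *(const u32 *)addr;
}

static void fake_writel(u32 val, void *addr)
{
    if (!link_down)
        *(u32 *)addr = val;
}

struct igc_hw {
    u8 *hw_addr;    /* set to NULL once the device is considered removed */
};

/* The check the patch reinstates, implemented like igb's E1000_REMOVED. */
#define IGC_REMOVED(a) unlikely(!(a))

/* Read accessor with the fix applied: refuse to touch a removed device. */
static u32 igc_rd32_fixed(struct igc_hw *hw, u32 reg)
{
    u8 *hw_addr = hw->hw_addr;
    u32 value = 0;

    if (IGC_REMOVED(hw_addr))
        return ~value;          /* device gone: all-F's, no MMIO touched */

    value = fake_readl(&hw_addr[reg]);

    /* reads should not return all F's; confirm against register 0 */
    if (!(~value) && (!reg || !(~fake_readl(hw_addr))))
        hw->hw_addr = NULL;

    return value;
}

/* Read accessor as it stood after IGC_REMOVED was dropped: no guard at all. */
static u32 igc_rd32_unchecked(struct igc_hw *hw, u32 reg)
{
    u8 *hw_addr = hw->hw_addr;
    u32 value = 0;

    /* In the kernel the readl() below dereferences NULL + reg once a prior
     * read has cleared hw_addr. Record the would-be oops instead of taking it. */
    if (!hw_addr) {
        null_deref_count++;
        return ~value;
    }

    value = fake_readl(&hw_addr[reg]);
    if (!(~value) && (!reg || !(~fake_readl(hw_addr))))
        hw->hw_addr = NULL;

    return value;
}

/* Guarded write, shaped like the reinstated wr32() macro. */
#define wr32(hw, reg, val)                               \
do {                                                     \
    u8 *hw_addr_ = (hw)->hw_addr;                        \
    if (!IGC_REMOVED(hw_addr_))                          \
        fake_writel((val), &hw_addr_[(reg)]);            \
} while (0)

/* Drive a link-flap scenario through the given read accessor. Returns the
 * number of would-be oopses; reports whether the device was marked removed
 * and what the healthy read returned. */
static int run_scenario(u32 (*rd32)(struct igc_hw *, u32),
                        bool *removed_out, u32 *first_out)
{
    struct igc_hw hw = { .hw_addr = (u8 *)fake_bar };

    null_deref_count = 0;
    link_down = false;
    fake_bar[0] = 0x00c0ffeeu;          /* register at byte offset 0 */
    fake_bar[1] = 0x12345678u;          /* register at byte offset 4 */

    *first_out = rd32(&hw, 4);          /* healthy read */

    link_down = true;                   /* PCIe link flap */
    (void)rd32(&hw, 4);                 /* all-F's, reg 0 too: hw_addr cleared */
    (void)rd32(&hw, 4);                 /* unchecked variant: NULL + 4 */
    (void)rd32(&hw, 8);                 /* unchecked variant: NULL + 8 */
    wr32(&hw, 4, 0xdeadbeefu);          /* guarded write is skipped */

    *removed_out = (hw.hw_addr == NULL);
    return null_deref_count;
}

int main(void)
{
    bool removed;
    u32 first;

    printf("unchecked accessor: %d NULL dereference(s) after link flap\n",
           run_scenario(igc_rd32_unchecked, &removed, &first));
    printf("IGC_REMOVED accessor: %d NULL dereference(s) after link flap\n",
           run_scenario(igc_rd32_fixed, &removed, &first));
    return 0;
}
```

Both accessors detect the removal the same way (an all-F's read confirmed against register 0 clears hw_addr); the difference is entirely in what happens on the next access, which is why the guard has to sit in the accessors themselves rather than in any single caller.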

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.136-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.18.16-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.18.16-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}