CVE-2022-49945

Source
https://cve.org/CVERecord?id=CVE-2022-49945
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49945.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-49945
Published
2025-06-18T11:00:01.037Z
Modified
2026-04-03T13:14:52.061207892Z
Summary
hwmon: (gpio-fan) Fix array out of bounds access
Details

In the Linux kernel, the following vulnerability has been resolved:

hwmon: (gpio-fan) Fix array out of bounds access

The driver does not check if the cooling state passed to gpio_fan_set_cur_state() exceeds the maximum cooling state as stored in fan_data->num_speeds. Since the cooling state is later used as an array index in set_fan_speed(), an array out of bounds access can occur. This can be exploited by setting the state of the thermal cooling device to arbitrary values, causing for example a kernel oops when unavailable memory is accessed this way.

Example kernel oops:
[ 807.987276] Unable to handle kernel paging request at virtual address ffffff80d0588064
[ 807.987369] Mem abort info:
[ 807.987398] ESR = 0x96000005
[ 807.987428] EC = 0x25: DABT (current EL), IL = 32 bits
[ 807.987477] SET = 0, FnV = 0
[ 807.987507] EA = 0, S1PTW = 0
[ 807.987536] FSC = 0x05: level 1 translation fault
[ 807.987570] Data abort info:
[ 807.987763] ISV = 0, ISS = 0x00000005
[ 807.987801] CM = 0, WnR = 0
[ 807.987832] swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000001165000
[ 807.987872] [ffffff80d0588064] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
[ 807.987961] Internal error: Oops: 96000005 [#1] PREEMPT SMP
[ 807.987992] Modules linked in: cmac algifhash aesarm64 algifskcipher afalg bnep hciuart btbcm bluetooth ecdhgeneric ecc 8021q garp stp llc sndsochdmicodec brcmfmac vc4 brcmutil cec drmkmshelper sndsoccore cfg80211 sndcompress bcm2835codec(C) sndpcmdmaengine syscopyarea bcm2835isp(C) bcm2835v4l2(C) sysfillrect v4l2mem2mem bcm2835mmalvchiq(C) raspberrypihwmon sysimgblt videobuf2dmacontig videobuf2vmalloc fbsysfops videobuf2memops rfkill videobuf2v4l2 videobuf2common i2cbcm2835 sndbcm2835(C) videodev sndpcm sndtimer snd mc vcsmcma(C) gpiofan uiopdrvgenirq uio drm fuse drmpanelorientationquirks backlight iptables xtables ipv6
[ 807.988508] CPU: 0 PID: 1321 Comm: bash Tainted: G C 5.15.56-v8+ #1575
[ 807.988548] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)
[ 807.988574] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 807.988608] pc : setfanspeed.part.5+0x34/0x80 [gpiofan]
[ 807.988654] lr : gpiofansetcurstate+0x34/0x50 [gpiofan]
[ 807.988691] sp : ffffffc008cf3bd0
[ 807.988710] x29: ffffffc008cf3bd0 x28: ffffff80019edac0 x27: 0000000000000000
[ 807.988762] x26: 0000000000000000 x25: 0000000000000000 x24: ffffff800747c920
[ 807.988787] x23: 000000000000000a x22: ffffff800369f000 x21: 000000001999997c
[ 807.988854] x20: ffffff800369f2e8 x19: ffffff8002ae8080 x18: 0000000000000000
[ 807.988877] x17: 0000000000000000 x16: 0000000000000000 x15: 000000559e271b70
[ 807.988938] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
[ 807.988960] x11: 0000000000000000 x10: ffffffc008cf3c20 x9 : ffffffcfb60c741c
[ 807.989018] x8 : 000000000000000a x7 : 00000000ffffffc9 x6 : 0000000000000009
[ 807.989040] x5 : 000000000000002a x4 : 0000000000000000 x3 : ffffff800369f2e8
[ 807.989062] x2 : 000000000000e780 x1 : 0000000000000001 x0 : ffffff80d0588060
[ 807.989084] Call trace:
[ 807.989091] setfanspeed.part.5+0x34/0x80 [gpiofan]
[ 807.989113] gpiofansetcurstate+0x34/0x50 [gpiofan]
[ 807.989199] curstatestore+0x84/0xd0
[ 807.989221] devattrstore+0x20/0x38
[ 807.989262] sysfskfwrite+0x4c/0x60
[ 807.989282] kernfsfopwriteiter+0x130/0x1c0
[ 807.989298] newsyncwrite+0x10c/0x190
[ 807.989315] vfswrite+0x254/0x378
[ 807.989362] ksyswrite+0x70/0xf8
[ 807.989379] _arm64syswrite+0x24/0x30
[ 807.989424] invokesyscall+0x4c/0x110
[ 807.989442] el0svccommon.constprop.3+0xfc/0x120
[ 807.989458] doel0svc+0x2c/0x90
[ 807.989473] el0svc+0x24/0x60
[ 807.989544] el0t64synchandler+0x90/0xb8
[ 807.989558] el0t64sync+0x1a0/0x1a4
[ 807.989579] Code: b9403801 f9402800 7100003f 8b35cc00 (b9400416)
[ 807.989627] ---[ end t ---truncated---
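
The missing check described in the details above, shown as an added userspace model (not the driver source and not part of the original record). The struct layout, the sample speed table and the names set_cur_state_unchecked, set_cur_state_checked and new_fan are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified userspace model of the pattern in the advisory; not kernel code. */
struct fan_speed { int rpm; int ctrl_val; };

struct fan_data {
    const struct fan_speed *speed; /* speed table */
    size_t num_speed;              /* number of valid entries in the table */
    size_t speed_index;            /* currently selected entry */
    int gpio_ctrl;                 /* stand-in for the GPIO control lines */
};

/* Constructed sample table: four cooling states, valid indexes 0..3. */
static const struct fan_speed sample_speeds[] = {
    {0, 0}, {1500, 1}, {3000, 2}, {4500, 3},
};

/* Trusts its index completely, like the array lookup the text describes. */
static void set_fan_speed(struct fan_data *fd, size_t idx)
{
    if (fd->speed_index == idx)
        return;
    fd->gpio_ctrl = fd->speed[idx].ctrl_val; /* out of bounds if idx >= num_speed */
    fd->speed_index = idx;
}

/* Before: the caller-supplied state reaches the array index unchecked. */
static int set_cur_state_unchecked(struct fan_data *fd, unsigned long state)
{
    set_fan_speed(fd, state);
    return 0;
}

/* After: states beyond the table are rejected before any indexing happens. */
static int set_cur_state_checked(struct fan_data *fd, unsigned long state)
{
    if (state >= fd->num_speed)
        return -EINVAL;
    set_fan_speed(fd, state);
    return 0;
}

static struct fan_data new_fan(void)
{
    struct fan_data fd = { sample_speeds, sizeof(sample_speeds) / sizeof(sample_speeds[0]), 0, 0 };
    return fd;
}

int main(void)
{
    struct fan_data fd = new_fan();
    printf("state 2 -> %d\n", set_cur_state_checked(&fd, 2));
    printf("state 4 -> %d (rejected)\n", set_cur_state_checked(&fd, 4));
    return 0;
}
```
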

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49945.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b5cf88e46badea6d600d8515edea23814e03444d
Fixed
e9f6972ab40a82bd7f6d36800792ba2e084474d8
Fixed
3ff866455e1e263a9ac1958095fd440984248e2f
Fixed
c8ae6a18708f260ccdeef6ba53af7548457dc26c
Fixed
7756eb1ed124753f4d64f761fc3d84290dffcb4d
Fixed
517dba798793e69b510779c3cde7224a65f3ed1d
Fixed
53196e0376205ed49b75bfd0475af5e0fbd20156
Fixed
3263984c7acdcb0658155b05a724ed45a10de76d
Fixed
f233d2be38dbbb22299192292983037f01ab363c

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49945.json"