In the Linux kernel, the following vulnerability has been resolved:
drm/vkms: Fix null-ptr-deref in vkms_release()
A null-ptr-deref is triggered when it tries to destroy the workqueue in vkms->output.composer_workq in vkms_release().
KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]
CPU: 5 PID: 17193 Comm: modprobe Not tainted 6.0.0-11331-gd465bff130bf #24
RIP: 0010:destroy_workqueue+0x2f/0x710
...
Call Trace:
 <TASK>
 ? vkms_config_debugfs_init+0x50/0x50 [vkms]
 __devm_drm_dev_alloc+0x15a/0x1c0 [drm]
 vkms_init+0x245/0x1000 [vkms]
 do_one_initcall+0xd0/0x4f0
 do_init_module+0x1a4/0x680
 load_module+0x6249/0x7110
 __do_sys_finit_module+0x140/0x200
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
The reason is that an OOM happened, which triggers the destruction of the workqueue; however, the workqueue is allocated later in the process, thus a null-ptr-deref happened. A simple call graph is shown below:
vkms_init()
  vkms_create()
    devm_drm_dev_alloc()
      __devm_drm_dev_alloc()
        devm_drm_dev_init()
          devm_add_action_or_reset()
            devm_add_action()              # an error happened
            devm_drm_dev_init_release()
              drm_dev_put()
                kref_put()
                  drm_dev_release()
                    vkms_release()
                      destroy_workqueue()  # null-ptr-deref happened
    vkms_modeset_init()
      vkms_output_init()
        vkms_crtc_init()                   # where the workqueue gets allocated
Fix this by checking if composer_workq is NULL before passing it to destroy_workqueue() in vkms_release().
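The ordering problem the commit message describes, as an added userland model. This is not kernel or vkms code: alloc_workqueue(), destroy_workqueue(), devm_drm_dev_init(), vkms_crtc_init() and the vkms structs are stand-ins of the same shape, and the fault-injection knob that makes devm_add_action() fail is an assumption of the model. It shows why a release callback that runs from an early devm failure must tolerate resources that were never allocated, and that the one-line NULL check in the fix closes the window.

```c
/*
 * Userland model of the probe/release ordering bug fixed in vkms_release().
 * Added example, not kernel code: every kernel-named function below is a
 * stand-in. destroy_workqueue() records a NULL argument instead of faulting so
 * that both the unfixed and the fixed release callback can be exercised.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct workqueue_struct { int flags; };

struct vkms_output { struct workqueue_struct *composer_workq; };

struct vkms_device {
	struct vkms_output output;
	void (*release)(struct vkms_device *vkms);   /* drm_driver.release stand-in */
};

static int null_destroy_calls;     /* would-be NULL dereferences */
static int destroyed_workqueues;   /* successful teardowns */
static int inject_devm_oom;        /* assumed fault injection for devm_add_action() */

static struct workqueue_struct *alloc_workqueue(void)
{
	return calloc(1, sizeof(struct workqueue_struct));
}

/* The real destroy_workqueue() dereferences wq unconditionally; a NULL here
 * is the KASAN null-ptr-deref in the report. The model only counts it. */
static void destroy_workqueue(struct workqueue_struct *wq)
{
	if (!wq) {
		null_destroy_calls++;
		return;
	}
	destroyed_workqueues++;
	free(wq);
}

/* Release callback as it was before the fix. */
static void vkms_release_unfixed(struct vkms_device *vkms)
{
	destroy_workqueue(vkms->output.composer_workq);
}

/* Release callback with the fix: skip an allocation that never happened. */
static void vkms_release_fixed(struct vkms_device *vkms)
{
	if (vkms->output.composer_workq)
		destroy_workqueue(vkms->output.composer_workq);
}

/* devm_drm_dev_init() stand-in: when devm_add_action_or_reset() fails, the
 * release action runs at once (drm_dev_put -> drm_dev_release -> vkms_release),
 * before vkms_modeset_init() has allocated anything. */
static int devm_drm_dev_init(struct vkms_device *vkms)
{
	if (inject_devm_oom) {
		vkms->release(vkms);
		return -ENOMEM;
	}
	return 0;
}

/* vkms_crtc_init() stand-in: the point where composer_workq is allocated. */
static int vkms_crtc_init(struct vkms_device *vkms)
{
	vkms->output.composer_workq = alloc_workqueue();
	return vkms->output.composer_workq ? 0 : -ENOMEM;
}

/* Same ordering as vkms_create(): device init first, CRTC/workqueue later. */
static int vkms_create(struct vkms_device *vkms,
		       void (*release)(struct vkms_device *))
{
	int ret;

	memset(vkms, 0, sizeof(*vkms));
	vkms->release = release;
	ret = devm_drm_dev_init(vkms);
	if (ret)
		return ret;
	return vkms_crtc_init(vkms);
}

/* Probe once with the given release callback and fault setting, then take the
 * normal unload path if probe succeeded. Returns how many times
 * destroy_workqueue() was handed NULL (0 means no crash). */
static int simulate(void (*release)(struct vkms_device *), int oom)
{
	struct vkms_device vkms;

	null_destroy_calls = 0;
	destroyed_workqueues = 0;
	inject_devm_oom = oom;
	if (vkms_create(&vkms, release) == 0)
		release(&vkms);   /* module unload: drm_dev_put() -> release */
	return null_destroy_calls;
}

int main(void)
{
	int unfixed_oom = simulate(vkms_release_unfixed, 1);
	int fixed_oom = simulate(vkms_release_fixed, 1);
	int fixed_clean = simulate(vkms_release_fixed, 0);

	printf("unfixed, OOM in devm_add_action: %d NULL destroy(s)\n", unfixed_oom);
	printf("fixed,   OOM in devm_add_action: %d NULL destroy(s)\n", fixed_oom);
	printf("fixed,   clean probe and unload: %d NULL destroy(s), %d workqueue(s) freed\n",
	       fixed_clean, destroyed_workqueues);
	return 0;
}
```

The model makes the general point explicit: a drm_driver.release callback can be invoked from inside devm_drm_dev_alloc() itself, so it must only tear down what has provably been set up. On a real kernel the same check is confirmed by loading vkms under KASAN with allocation fault injection aimed at devm_add_action(), which is the path the report above shows.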
[
{
"id": "CVE-2022-50369-0989814c",
"target": {
"file": "drivers/gpu/drm/vkms/vkms_drv.c"
},
"digest": {
"line_hashes": [
"308671899827393097501305012981097196493",
"86148628865228316957877266291238159704",
"190402051590562577368617261703680987998",
"186460538012830658981819078967856963317"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@57031c474c3a920ea73afeb5dc352e537f5793ee"
},
{
"id": "CVE-2022-50369-4769ece4",
"target": {
"function": "vkms_release",
"file": "drivers/gpu/drm/vkms/vkms_drv.c"
},
"digest": {
"length": 124.0,
"function_hash": "15317348287372289658154853938444365711"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@596f1ba3987e601e31a5abf1f75ce1d2635aceac"
},
{
"id": "CVE-2022-50369-57064f55",
"target": {
"function": "vkms_release",
"file": "drivers/gpu/drm/vkms/vkms_drv.c"
},
"digest": {
"length": 124.0,
"function_hash": "15317348287372289658154853938444365711"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@57031c474c3a920ea73afeb5dc352e537f5793ee"
},
{
"id": "CVE-2022-50369-7e05377a",
"target": {
"file": "drivers/gpu/drm/vkms/vkms_drv.c"
},
"digest": {
"line_hashes": [
"308671899827393097501305012981097196493",
"86148628865228316957877266291238159704",
"190402051590562577368617261703680987998",
"186460538012830658981819078967856963317"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@596f1ba3987e601e31a5abf1f75ce1d2635aceac"
},
{
"id": "CVE-2022-50369-8e108a2e",
"target": {
"file": "drivers/gpu/drm/vkms/vkms_drv.c"
},
"digest": {
"line_hashes": [
"308671899827393097501305012981097196493",
"86148628865228316957877266291238159704",
"190402051590562577368617261703680987998",
"186460538012830658981819078967856963317"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1f9836f95271e7acf016667eee0aeae3386f9645"
},
{
"id": "CVE-2022-50369-90ccc5c9",
"target": {
"file": "drivers/gpu/drm/vkms/vkms_drv.c"
},
"digest": {
"line_hashes": [
"229957304793879985392174689371112365303",
"295913194711489123787225856996710435539",
"330409260936988406184317934576316587057",
"186460538012830658981819078967856963317"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0b8f390e2251191f1b179cc87f65d54c96565f0d"
},
{
"id": "CVE-2022-50369-b00e39cb",
"target": {
"function": "vkms_release",
"file": "drivers/gpu/drm/vkms/vkms_drv.c"
},
"digest": {
"length": 170.0,
"function_hash": "245321808402552058277033586639519380515"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0b8f390e2251191f1b179cc87f65d54c96565f0d"
},
{
"id": "CVE-2022-50369-e4f56e7b",
"target": {
"function": "vkms_release",
"file": "drivers/gpu/drm/vkms/vkms_drv.c"
},
"digest": {
"length": 124.0,
"function_hash": "15317348287372289658154853938444365711"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2fe2a8f40c21161ffe7653cc234e7934db5b7cc5"
},
{
"id": "CVE-2022-50369-e52a838e",
"target": {
"file": "drivers/gpu/drm/vkms/vkms_drv.c"
},
"digest": {
"line_hashes": [
"308671899827393097501305012981097196493",
"86148628865228316957877266291238159704",
"190402051590562577368617261703680987998",
"186460538012830658981819078967856963317"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2fe2a8f40c21161ffe7653cc234e7934db5b7cc5"
},
{
"id": "CVE-2022-50369-f7d0aa42",
"target": {
"function": "vkms_release",
"file": "drivers/gpu/drm/vkms/vkms_drv.c"
},
"digest": {
"length": 124.0,
"function_hash": "15317348287372289658154853938444365711"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1f9836f95271e7acf016667eee0aeae3386f9645"
}
]