| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024102145-CVE-2022-48972-4ccd@gregkh> Date: Mon, 21 Oct 2024 22:06:04 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2022-48972: mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() Description =========== In the Linux kernel, the following vulnerability has been resolved: mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() Kernel fault injection test reports null-ptr-deref as follows: BUG: kernel NULL pointer dereference, address: 0000000000000008 RIP: 0010:cfg802154_netdev_notifier_call+0x120/0x310 include/linux/list.h:114 Call Trace: <TASK> raw_notifier_call_chain+0x6d/0xa0 kernel/notifier.c:87 call_netdevice_notifiers_info+0x6e/0xc0 net/core/dev.c:1944 unregister_netdevice_many_notify+0x60d/0xcb0 net/core/dev.c:1982 unregister_netdevice_queue+0x154/0x1a0 net/core/dev.c:10879 register_netdevice+0x9a8/0xb90 net/core/dev.c:10083 ieee802154_if_add+0x6ed/0x7e0 net/mac802154/iface.c:659 ieee802154_register_hw+0x29c/0x330 net/mac802154/main.c:229 mcr20a_probe+0xaaa/0xcb1 drivers/net/ieee802154/mcr20a.c:1316 ieee802154_if_add() allocates wpan_dev as netdev's private data, but not init the list in struct wpan_dev. cfg802154_netdev_notifier_call() manage the list when device register/unregister, and may lead to null-ptr-deref. Use INIT_LIST_HEAD() on it to initialize it correctly. The Linux kernel CVE team has assigned CVE-2022-48972 to this issue. Affected and fixed versions =========================== Issue introduced in 3.19 with commit fcf39e6e88e9 and fixed in 4.9.336 with commit 7410f4d1221b Issue introduced in 3.19 with commit fcf39e6e88e9 and fixed in 4.14.302 with commit 9980a3ea20de Issue introduced in 3.19 with commit fcf39e6e88e9 and fixed in 4.19.269 with commit f00c84fb1635 Issue introduced in 3.19 with commit fcf39e6e88e9 and fixed in 5.4.227 with commit 1831d4540406 Issue introduced in 3.19 with commit fcf39e6e88e9 and fixed in 5.10.159 with commit 42c319635c0c Issue introduced in 3.19 with commit fcf39e6e88e9 and fixed in 5.15.83 with commit a110287ef4a4 Issue introduced in 3.19 with commit fcf39e6e88e9 and fixed in 6.0.13 with commit 623918f40fa6 Issue introduced in 3.19 with commit fcf39e6e88e9 and fixed in 6.1 with commit b3d72d3135d2 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-48972 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/mac802154/iface.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/7410f4d1221bb182510b7778ab6eefa8b9b7102d https://git.kernel.org/stable/c/9980a3ea20de40c83817877106c909cb032692d2 https://git.kernel.org/stable/c/f00c84fb1635c27ba24ec5df65d5bd7d7dc00008 https://git.kernel.org/stable/c/1831d4540406708e48239cf38fd9c3b7ea98e08f https://git.kernel.org/stable/c/42c319635c0cf7eb36eccac6cda76532f47b61a3 https://git.kernel.org/stable/c/a110287ef4a423980309490df632e1c1e73b3dc9 https://git.kernel.org/stable/c/623918f40fa68e3bb21312a3fafb90f491bf5358 https://git.kernel.org/stable/c/b3d72d3135d2ef68296c1ee174436efd65386f04
Powered by blists - more mailing lists