| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022615-CVE-2022-49187-e8b4@gregkh> Date: Wed, 26 Feb 2025 02:56:32 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2022-49187: clk: Fix clk_hw_get_clk() when dev is NULL Description =========== In the Linux kernel, the following vulnerability has been resolved: clk: Fix clk_hw_get_clk() when dev is NULL Any registered clk_core structure can have a NULL pointer in its dev field. While never actually documented, this is evidenced by the wide usage of clk_register and clk_hw_register with a NULL device pointer, and the fact that the core of_clk_hw_register() function also passes a NULL device pointer. A call to clk_hw_get_clk() on a clk_hw struct whose clk_core is in that case will result in a NULL pointer derefence when it calls dev_name() on that NULL device pointer. Add a test for this case and use NULL as the dev_id if the device pointer is NULL. The Linux kernel CVE team has assigned CVE-2022-49187 to this issue. Affected and fixed versions =========================== Issue introduced in 5.11 with commit 30d6f8c15d2cd877c1f3d47d8a1064649ebe58e2 and fixed in 5.15.33 with commit 4be3e4c05d8dd1b83b75652cad88c9e752ec7054 Issue introduced in 5.11 with commit 30d6f8c15d2cd877c1f3d47d8a1064649ebe58e2 and fixed in 5.16.19 with commit d183f20cf5a7b546d4108e796b98210ceb317579 Issue introduced in 5.11 with commit 30d6f8c15d2cd877c1f3d47d8a1064649ebe58e2 and fixed in 5.17.2 with commit 23f89fe005b105f0dcc55034c13eb89f9b570fac Issue introduced in 5.11 with commit 30d6f8c15d2cd877c1f3d47d8a1064649ebe58e2 and fixed in 5.18 with commit 0c1b56df451716ba207bbf59f303473643eee4fd Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-49187 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/clk/clk.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/4be3e4c05d8dd1b83b75652cad88c9e752ec7054 https://git.kernel.org/stable/c/d183f20cf5a7b546d4108e796b98210ceb317579 https://git.kernel.org/stable/c/23f89fe005b105f0dcc55034c13eb89f9b570fac https://git.kernel.org/stable/c/0c1b56df451716ba207bbf59f303473643eee4fd
Powered by blists - more mailing lists