| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025050135-CVE-2022-49826-a060@gregkh> Date: Thu, 1 May 2025 16:10:16 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2022-49826: ata: libata-transport: fix double ata_host_put() in ata_tport_add() From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: ata: libata-transport: fix double ata_host_put() in ata_tport_add() In the error path in ata_tport_add(), when calling put_device(), ata_tport_release() is called, it will put the refcount of 'ap->host'. And then ata_host_put() is called again, the refcount is decreased to 0, ata_host_release() is called, all ports are freed and set to null. When unbinding the device after failure, ata_host_stop() is called to release the resources, it leads a null-ptr-deref(), because all the ports all freed and null. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 CPU: 7 PID: 18671 Comm: modprobe Kdump: loaded Tainted: G E 6.1.0-rc3+ #8 pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : ata_host_stop+0x3c/0x84 [libata] lr : release_nodes+0x64/0xd0 Call trace: ata_host_stop+0x3c/0x84 [libata] release_nodes+0x64/0xd0 devres_release_all+0xbc/0x1b0 device_unbind_cleanup+0x20/0x70 really_probe+0x158/0x320 __driver_probe_device+0x84/0x120 driver_probe_device+0x44/0x120 __driver_attach+0xb4/0x220 bus_for_each_dev+0x78/0xdc driver_attach+0x2c/0x40 bus_add_driver+0x184/0x240 driver_register+0x80/0x13c __pci_register_driver+0x4c/0x60 ahci_pci_driver_init+0x30/0x1000 [ahci] Fix this by removing redundant ata_host_put() in the error path. The Linux kernel CVE team has assigned CVE-2022-49826 to this issue. Affected and fixed versions =========================== Issue introduced in 4.17 with commit 2623c7a5f2799569d8bb05eb211da524a8144cb3 and fixed in 4.19.267 with commit 30e12e2be27ac6c4be2af4163c70db381364706f Issue introduced in 4.17 with commit 2623c7a5f2799569d8bb05eb211da524a8144cb3 and fixed in 5.4.225 with commit bec9ded5404cb14e5f5470103d0973a2ff83d6a5 Issue introduced in 4.17 with commit 2623c7a5f2799569d8bb05eb211da524a8144cb3 and fixed in 5.10.156 with commit ac471468f7c16cda2525909946ca13ddbcd14000 Issue introduced in 4.17 with commit 2623c7a5f2799569d8bb05eb211da524a8144cb3 and fixed in 5.15.80 with commit 377ff82c33c0cb74562a353361b64b33c09562cf Issue introduced in 4.17 with commit 2623c7a5f2799569d8bb05eb211da524a8144cb3 and fixed in 6.0.10 with commit 865a6da40ba092c18292ae5f6194756131293745 Issue introduced in 4.17 with commit 2623c7a5f2799569d8bb05eb211da524a8144cb3 and fixed in 6.1 with commit 8c76310740807ade5ecdab5888f70ecb6d35732e Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-49826 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/ata/libata-transport.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/30e12e2be27ac6c4be2af4163c70db381364706f https://git.kernel.org/stable/c/bec9ded5404cb14e5f5470103d0973a2ff83d6a5 https://git.kernel.org/stable/c/ac471468f7c16cda2525909946ca13ddbcd14000 https://git.kernel.org/stable/c/377ff82c33c0cb74562a353361b64b33c09562cf https://git.kernel.org/stable/c/865a6da40ba092c18292ae5f6194756131293745 https://git.kernel.org/stable/c/8c76310740807ade5ecdab5888f70ecb6d35732e
Powered by blists - more mailing lists