| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025091854-CVE-2022-50412-0f2e@gregkh>
Date: Thu, 18 Sep 2025 18:04:02 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2022-50412: drm: bridge: adv7511: unregister cec i2c device after cec adapter
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
drm: bridge: adv7511: unregister cec i2c device after cec adapter
cec_unregister_adapter() assumes that the underlying adapter ops are
callable. For example, if the CEC adapter currently has a valid physical
address, then the unregistration procedure will invalidate the physical
address by setting it to f.f.f.f. Whence the following kernel oops
observed after removing the adv7511 module:
Unable to handle kernel execution of user memory at virtual address 0000000000000000
Internal error: Oops: 86000004 [#1] PREEMPT_RT SMP
Call trace:
0x0
adv7511_cec_adap_log_addr+0x1ac/0x1c8 [adv7511]
cec_adap_unconfigure+0x44/0x90 [cec]
__cec_s_phys_addr.part.0+0x68/0x230 [cec]
__cec_s_phys_addr+0x40/0x50 [cec]
cec_unregister_adapter+0xb4/0x118 [cec]
adv7511_remove+0x60/0x90 [adv7511]
i2c_device_remove+0x34/0xe0
device_release_driver_internal+0x114/0x1f0
driver_detach+0x54/0xe0
bus_remove_driver+0x60/0xd8
driver_unregister+0x34/0x60
i2c_del_driver+0x2c/0x68
adv7511_exit+0x1c/0x67c [adv7511]
__arm64_sys_delete_module+0x154/0x288
invoke_syscall+0x48/0x100
el0_svc_common.constprop.0+0x48/0xe8
do_el0_svc+0x28/0x88
el0_svc+0x1c/0x50
el0t_64_sync_handler+0xa8/0xb0
el0t_64_sync+0x15c/0x160
Code: bad PC value
---[ end trace 0000000000000000 ]---
Protect against this scenario by unregistering i2c_cec after
unregistering the CEC adapter. Duly disable the CEC clock afterwards
too.
The Linux kernel CVE team has assigned CVE-2022-50412 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.15 with commit 3b1b975003e4a3da4b93ab032487a3ae4afca7b5 and fixed in 5.10.234 with commit 3747465c5da7a11957a34bbb9485d9fc253b91cc
Issue introduced in 4.15 with commit 3b1b975003e4a3da4b93ab032487a3ae4afca7b5 and fixed in 5.15.75 with commit f369fb4deed7ab997cfa703dc85ec08b3adc1af8
Issue introduced in 4.15 with commit 3b1b975003e4a3da4b93ab032487a3ae4afca7b5 and fixed in 5.19.17 with commit 4d4d5bc659206b187263190ad9a03513f625659d
Issue introduced in 4.15 with commit 3b1b975003e4a3da4b93ab032487a3ae4afca7b5 and fixed in 6.0.3 with commit 86ae5170786aea3e1751123ca55700fb9b37b623
Issue introduced in 4.15 with commit 3b1b975003e4a3da4b93ab032487a3ae4afca7b5 and fixed in 6.1 with commit 40cdb02cb9f965732eb543d47f15bef8d10f0f5f
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2022-50412
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/3747465c5da7a11957a34bbb9485d9fc253b91cc
https://git.kernel.org/stable/c/f369fb4deed7ab997cfa703dc85ec08b3adc1af8
https://git.kernel.org/stable/c/4d4d5bc659206b187263190ad9a03513f625659d
https://git.kernel.org/stable/c/86ae5170786aea3e1751123ca55700fb9b37b623
https://git.kernel.org/stable/c/40cdb02cb9f965732eb543d47f15bef8d10f0f5f
Powered by blists - more mailing lists