In the Linux kernel, the following vulnerability has been resolved: hwmon:
(nct6775) Fix crash in clear_caseopen Paweł Marciniak reports the following
crash, observed when clearing the chassis intrusion alarm. BUG: kernel NULL
pointer dereference, address: 0000000000000028 PGD 0 P4D 0 Oops: 0000 [#1]
PREEMPT SMP PTI CPU: 3 PID: 4815 Comm: bash Tainted: G S
5.16.2-200.fc35.x86_64 #1 Hardware name: To Be Filled By O.E.M. To Be
Filled By O.E.M./Z97 Extreme4, BIOS P2.60A 05/03/2018 RIP:
0010:clear_caseopen+0x5a/0x120 [nct6775] Code: 68 70 e8 e9 32 b1 e3 85 c0
0f 85 d2 00 00 00 48 83 7c 24 … RSP: 0018:ffffabcb02803dd8 EFLAGS:
00010246 RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
RDX: ffff8e8808192880 RSI: 0000000000000000 RDI: ffff8e87c7509a68 RBP:
0000000000000000 R08: 0000000000000001 R09: 000000000000000a R10:
000000000000000a R11: f000000000000000 R12: 000000000000001f R13:
ffff8e87c7509828 R14: ffff8e87c7509a68 R15: ffff8e88494527a0 FS:
00007f4db9151740(0000) GS:ffff8e8ebfec0000(0000) knlGS:0000000000000000 CS:
0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000028 CR3:
0000000166b66001 CR4: 00000000001706e0 Call Trace: <TASK>
kernfs_fop_write_iter+0x11c/0x1b0 new_sync_write+0x10b/0x180
vfs_write+0x209/0x2a0 ksys_write+0x4f/0xc0 do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae The problem is that the device
passed to clear_caseopen() is the hwmon device, not the platform device,
and the platform data is not set in the hwmon device. Store the pointer to
sio_data in struct nct6775_data and get if from there if needed.
git.kernel.org/linus/79da533d3cc717ccc05ddbd3190da8a72bc2408b (5.17-rc2)
git.kernel.org/stable/c/79da533d3cc717ccc05ddbd3190da8a72bc2408b
git.kernel.org/stable/c/cfb7d12f2e4a4d694f49e9b4ebb352f7b67cdfbb
launchpad.net/bugs/cve/CVE-2022-48750
nvd.nist.gov/vuln/detail/CVE-2022-48750
security-tracker.debian.org/tracker/CVE-2022-48750
www.cve.org/CVERecord?id=CVE-2022-48750