In the Linux kernel, the following vulnerability has been resolved:
tty: fix possible null-ptr-defer in spk_ttyio_release
Run the following tests on the qemu platform:
syzkaller:~# modprobe speakup_audptr
input: Speakup as /devices/virtual/input/input4
initialized device: /dev/synth, node (MAJOR 10, MINOR 125)
speakup 3.1.6: initialized
synth name on entry is: (null)
synth probe
spk_ttyio_initialise_ldisc failed because tty_kopen_exclusive returned
failed (errno -16), then remove the module, we will get a null-ptr-defer
problem, as follow:
syzkaller:~# modprobe -r speakup_audptr
releasing synth audptr
BUG: kernel NULL pointer dereference, address: 0000000000000080
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: 0002 [#1] PREEMPT SMP PTI
CPU: 2 PID: 204 Comm: modprobe Not tainted 6.1.0-rc6-dirty #1
RIP: 0010:mutex_lock+0x14/0x30
Call Trace:
<TASK>
spk_ttyio_release+0x19/0x70 [speakup]
synth_release.part.6+0xac/0xc0 [speakup]
synth_remove+0x56/0x60 [speakup]
__x64_sys_delete_module+0x156/0x250
? fpregs_assert_state_consistent+0x1d/0x50
do_syscall_64+0x37/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
</TASK>
Modules linked in: speakup_audptr(-) speakup
Dumping ftrace buffer:
in_synth->dev was not initialized during modprobe, so we add check
for in_synth->dev to fix this bug.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 22.04 | noarch | linux | < 5.15.0-70.77 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < 5.15.0-1034.38 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws-5.15 | < 5.15.0-1034.38~20.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure | < 5.15.0-1036.43 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure-5.15 | < 5.15.0-1036.43~20.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure-fde | < 5.15.0-1036.43.1 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-azure-fde-5.15 | < 5.15.0-1036.43~20.04.1.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-gcp | < 5.15.0-1032.40 | UNKNOWN |
ubuntu | 20.04 | noarch | linux-gcp-5.15 | < 5.15.0-1032.40~20.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-gke | < 5.15.0-1031.36 | UNKNOWN |
git.kernel.org/linus/5abbeebd8296c2301023b8dc4b5a6c0d5229b4f5 (6.2-rc5)
git.kernel.org/stable/c/2da67bff29ab49caafb0766e8b8383b735ff796f
git.kernel.org/stable/c/5abbeebd8296c2301023b8dc4b5a6c0d5229b4f5
git.kernel.org/stable/c/64152e05a4de3ebf59f1740a0985a6d5fba0c77b
launchpad.net/bugs/cve/CVE-2022-48870
nvd.nist.gov/vuln/detail/CVE-2022-48870
security-tracker.debian.org/tracker/CVE-2022-48870
www.cve.org/CVERecord?id=CVE-2022-48870