CVE-2022-48707 cxl/region: Fix null pointer dereference for resetting decoder

2024-05-2115:22:48

Linux

github.com

linux kernel

vulnerability

cxl specification

host bridge

root port

null pointer

decoder

6.9 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

In the Linux kernel, the following vulnerability has been resolved:

cxl/region: Fix null pointer dereference for resetting decoder

Not all decoders have a reset callback.

The CXL specification allows a host bridge with a single root port to
have no explicit HDM decoders. Currently the region driver assumes there
are none. As such the CXL core creates a special pass through decoder
instance without a commit/reset callback.

Prior to this patch, the ->reset() callback was called unconditionally when
calling cxl_region_decode_reset. Thus a configuration with 1 Host Bridge,
1 Root Port, and one directly attached CXL type 3 device or multiple CXL
type 3 devices attached to downstream ports of a switch can cause a null
pointer dereference.

Before the fix, a kernel crash was observed when we destroy the region, and
a pass through decoder is reset.

The issue can be reproduced as below,
1) create a region with a CXL setup which includes a HB with a
single root port under which a memdev is attached directly.
2) destroy the region with cxl destroy-region regionX -f.

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/cxl/core/region.c"
    ],
    "versions": [
      {
        "version": "176baefb2eb5",
        "lessThan": "a04c7d062b53",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "176baefb2eb5",
        "lessThan": "4fa4302d6dc7",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/cxl/core/region.c"
    ],
    "versions": [
      {
        "version": "6.0",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "6.0",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.12",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.2",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]