CVE-2022-48750 hwmon: (nct6775) Fix crash in clear_caseopen

2024-06-2011:13:31

Linux

github.com

vulnerability

linux kernel

clear_caseopen

null pointer dereference

chassis intrusion alarm

hardware

fix

crash

hwmon device

platform device

platform data

sio_data

nct6775_data

fix

cve-2022-48750

6.3 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

In the Linux kernel, the following vulnerability has been resolved:

hwmon: (nct6775) Fix crash in clear_caseopen

Paweł Marciniak reports the following crash, observed when clearing
the chassis intrusion alarm.

BUG: kernel NULL pointer dereference, address: 0000000000000028
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 3 PID: 4815 Comm: bash Tainted: G S 5.16.2-200.fc35.x86_64 #1
Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z97 Extreme4, BIOS P2.60A 05/03/2018
RIP: 0010:clear_caseopen+0x5a/0x120 [nct6775]
Code: 68 70 e8 e9 32 b1 e3 85 c0 0f 85 d2 00 00 00 48 83 7c 24 …
RSP: 0018:ffffabcb02803dd8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000
RDX: ffff8e8808192880 RSI: 0000000000000000 RDI: ffff8e87c7509a68
RBP: 0000000000000000 R08: 0000000000000001 R09: 000000000000000a
R10: 000000000000000a R11: f000000000000000 R12: 000000000000001f
R13: ffff8e87c7509828 R14: ffff8e87c7509a68 R15: ffff8e88494527a0
FS: 00007f4db9151740(0000) GS:ffff8e8ebfec0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000028 CR3: 0000000166b66001 CR4: 00000000001706e0
Call Trace:
<TASK>
kernfs_fop_write_iter+0x11c/0x1b0
new_sync_write+0x10b/0x180
vfs_write+0x209/0x2a0
ksys_write+0x4f/0xc0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae

The problem is that the device passed to clear_caseopen() is the hwmon
device, not the platform device, and the platform data is not set in the
hwmon device. Store the pointer to sio_data in struct nct6775_data and
get if from there if needed.

CNA Affected

[
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "affected",
        "version": "2e7b9886968b",
        "lessThan": "cfb7d12f2e4a",
        "versionType": "git"
      },
      {
        "status": "affected",
        "version": "2e7b9886968b",
        "lessThan": "79da533d3cc7",
        "versionType": "git"
      }
    ],
    "programFiles": [
      "drivers/hwmon/nct6775.c"
    ],
    "defaultStatus": "unaffected"
  },
  {
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "vendor": "Linux",
    "product": "Linux",
    "versions": [
      {
        "status": "affected",
        "version": "5.16"
      },
      {
        "status": "unaffected",
        "version": "0",
        "lessThan": "5.16",
        "versionType": "custom"
      },
      {
        "status": "unaffected",
        "version": "5.16.5",
        "versionType": "custom",
        "lessThanOrEqual": "5.16.*"
      },
      {
        "status": "unaffected",
        "version": "5.17",
        "versionType": "original_commit_for_fix",
        "lessThanOrEqual": "*"
      }
    ],
    "programFiles": [
      "drivers/hwmon/nct6775.c"
    ],
    "defaultStatus": "affected"
  }
]