CVE-2022-48870

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48870
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48870.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-48870
Related
Published
2024-08-21T07:15:04Z
Modified
2024-09-11T02:00:04Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

tty: fix possible null-ptr-defer in spkttyiorelease

Run the following tests on the qemu platform:

syzkaller:~# modprobe speakup_audptr input: Speakup as /devices/virtual/input/input4 initialized device: /dev/synth, node (MAJOR 10, MINOR 125) speakup 3.1.6: initialized synth name on entry is: (null) synth probe

spkttyioinitialiseldisc failed because ttykopen_exclusive returned failed (errno -16), then remove the module, we will get a null-ptr-defer problem, as follow:

syzkaller:~# modprobe -r speakupaudptr releasing synth audptr BUG: kernel NULL pointer dereference, address: 0000000000000080 #PF: supervisor write access in kernel mode #PF: errorcode(0x0002) - not-present page PGD 0 P4D 0 Oops: 0002 [#1] PREEMPT SMP PTI CPU: 2 PID: 204 Comm: modprobe Not tainted 6.1.0-rc6-dirty #1 RIP: 0010:mutexlock+0x14/0x30 Call Trace: <TASK> spkttyiorelease+0x19/0x70 [speakup] synthrelease.part.6+0xac/0xc0 [speakup] synthremove+0x56/0x60 [speakup] _x64sysdeletemodule+0x156/0x250 ? fpregsassertstateconsistent+0x1d/0x50 dosyscall64+0x37/0x90 entrySYSCALL64afterhwframe+0x63/0xcd </TASK> Modules linked in: speakup_audptr(-) speakup Dumping ftrace buffer:

insynth->dev was not initialized during modprobe, so we add check for insynth->dev to fix this bug.

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.8-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.8-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}