CVE-2022-48918

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48918
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48918.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-48918
Related
Published
2024-08-22T02:15:05Z
Modified
2024-09-11T02:00:05Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

iwlwifi: mvm: check debugfs_dir ptr before use

When "debugfs=off" is used on the kernel command line, iwiwifi's mvm module uses an invalid/unchecked debugfs_dir pointer and causes a BUG:

BUG: kernel NULL pointer dereference, address: 000000000000004f #PF: supervisor read access in kernel mode #PF: errorcode(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP CPU: 1 PID: 503 Comm: modprobe Tainted: G W 5.17.0-rc5 #7 Hardware name: Dell Inc. Inspiron 15 5510/076F7Y, BIOS 2.4.1 11/05/2021 RIP: 0010:iwlmvmdbgfsregister+0x692/0x700 [iwlmvm] Code: 69 a0 be 80 01 00 00 48 c7 c7 50 73 6a a0 e8 95 cf ee e0 48 8b 83 b0 1e 00 00 48 c7 c2 54 73 6a a0 be 64 00 00 00 48 8d 7d 8c <48> 8b 48 50 e8 15 22 07 e1 48 8b 43 28 48 8d 55 8c 48 c7 c7 5f 73 RSP: 0018:ffffc90000a0ba68 EFLAGS: 00010246 RAX: ffffffffffffffff RBX: ffff88817d6e3328 RCX: ffff88817d6e3328 RDX: ffffffffa06a7354 RSI: 0000000000000064 RDI: ffffc90000a0ba6c RBP: ffffc90000a0bae0 R08: ffffffff824e4880 R09: ffffffffa069d620 R10: ffffc90000a0ba00 R11: ffffffffffffffff R12: 0000000000000000 R13: ffffc90000a0bb28 R14: ffff88817d6e3328 R15: ffff88817d6e3320 FS: 00007f64dd92d740(0000) GS:ffff88847f640000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000004f CR3: 000000016fc79001 CR4: 0000000000770ee0 PKRU: 55555554 Call Trace: <TASK> ? iwlmvmmacsetupregister+0xbdc/0xda0 [iwlmvm] iwlmvmstartpostnvm+0x71/0x100 [iwlmvm] iwlopmodemvmstart+0xab8/0xb30 [iwlmvm] iwlopmodestart+0x6f/0xd0 [iwlwifi] iwlopmoderegister+0x6a/0xe0 [iwlwifi] ? 0xffffffffa0231000 iwlmvminit+0x35/0x1000 [iwlmvm] ? 0xffffffffa0231000 dooneinitcall+0x5a/0x1b0 ? kmemcachealloc+0x1e5/0x2f0 ? doinitmodule+0x1e/0x220 doinitmodule+0x48/0x220 loadmodule+0x2602/0x2bc0 ? _kernelread+0x145/0x2e0 ? kernelreadfile+0x229/0x290 _dosysfinitmodule+0xc5/0x130 ? _dosysfinitmodule+0xc5/0x130 _x64sysfinitmodule+0x13/0x20 dosyscall64+0x38/0x90 entrySYSCALL64afterhwframe+0x44/0xae RIP: 0033:0x7f64dda564dd Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1b 29 0f 00 f7 d8 64 89 01 48 RSP: 002b:00007ffdba393f88 EFLAGS: 00000246 ORIGRAX: 0000000000000139 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f64dda564dd RDX: 0000000000000000 RSI: 00005575399e2ab2 RDI: 0000000000000001 RBP: 000055753a91c5e0 R08: 0000000000000000 R09: 0000000000000002 R10: 0000000000000001 R11: 0000000000000246 R12: 00005575399e2ab2 R13: 000055753a91ceb0 R14: 0000000000000000 R15: 000055753a923018 </TASK> Modules linked in: btintel(+) btmtk bluetooth vfat sndhdacodechdmi fat sndhdacodecrealtek sndhdacodecgeneric iwlmvm(+) sndsofpciinteltgl mac80211 sndsofintelhdacommon soundwireintel soundwiregenericallocation soundwirecadence soundwirebus sndsofintelhda sndsofpci sndsof sndsofxtensadsp sndsochdachda sndhdaextcore sndsocacpiintelmatch sndsocacpi sndsoccore btrfs sndcompress sndhdaintel sndinteldspcfg sndintelsdwacpi sndhdacodec raid6pq iwlwifi sndhdacore sndpcm sndtimer snd soundcore cfg80211 intelishipc(+) thunderbolt rfkill intelishtp ucsiacpi wmi i2chidacpi i2c_hid evdev CR2: 000000000000004f ---[ end trace 0000000000000000 ]---

Check the debugfs_dir pointer for an error before using it.

[change to make both conditional]

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.16.14-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.16.14-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}