CVE-2022-48918

BUG: kernel NULL pointer dereference, address: 000000000000004f #PF: supervisor read access in kernel mode #PF: errorcode(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP CPU: 1 PID: 503 Comm: modprobe Tainted: G W 5.17.0-rc5 #7 Hardware name: Dell Inc. Inspiron 15 5510/076F7Y, BIOS 2.4.1 11/05/2021 RIP: 0010:iwlmvmdbgfsregister+0x692/0x700 [iwlmvm] Code: 69 a0 be 80 01 00 00 48 c7 c7 50 73 6a a0 e8 95 cf ee e0 48 8b 83 b0 1e 00 00 48 c7 c2 54 73 6a a0 be 64 00 00 00 48 8d 7d 8c <48> 8b 48 50 e8 15 22 07 e1 48 8b 43 28 48 8d 55 8c 48 c7 c7 5f 73 RSP: 0018:ffffc90000a0ba68 EFLAGS: 00010246 RAX: ffffffffffffffff RBX: ffff88817d6e3328 RCX: ffff88817d6e3328 RDX: ffffffffa06a7354 RSI: 0000000000000064 RDI: ffffc90000a0ba6c RBP: ffffc90000a0bae0 R08: ffffffff824e4880 R09: ffffffffa069d620 R10: ffffc90000a0ba00 R11: ffffffffffffffff R12: 0000000000000000 R13: ffffc90000a0bb28 R14: ffff88817d6e3328 R15: ffff88817d6e3320 FS: 00007f64dd92d740(0000) GS:ffff88847f640000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000004f CR3: 000000016fc79001 CR4: 0000000000770ee0 PKRU: 55555554 Call Trace: <TASK> ? iwlmvmmacsetupregister+0xbdc/0xda0 [iwlmvm] iwlmvmstartpostnvm+0x71/0x100 [iwlmvm] iwlopmodemvmstart+0xab8/0xb30 [iwlmvm] iwlopmodestart+0x6f/0xd0 [iwlwifi] iwlopmoderegister+0x6a/0xe0 [iwlwifi] ? 0xffffffffa0231000 iwlmvminit+0x35/0x1000 [iwlmvm] ? 0xffffffffa0231000 dooneinitcall+0x5a/0x1b0 ? kmemcachealloc+0x1e5/0x2f0 ? doinitmodule+0x1e/0x220 doinitmodule+0x48/0x220 loadmodule+0x2602/0x2bc0 ? _kernelread+0x145/0x2e0 ? kernelreadfile+0x229/0x290 _dosysfinitmodule+0xc5/0x130 ? _dosysfinitmodule+0xc5/0x130 _x64sysfinitmodule+0x13/0x20 dosyscall64+0x38/0x90 entrySYSCALL64afterhwframe+0x44/0xae RIP: 0033:0x7f64dda564dd Code: 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1b 29 0f 00 f7 d8 64 89 01 48 RSP: 002b:00007ffdba393f88 EFLAGS: 00000246 ORIGRAX: 0000000000000139 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f64dda564dd RDX: 0000000000000000 RSI: 00005575399e2ab2 RDI: 0000000000000001 RBP: 000055753a91c5e0 R08: 0000000000000000 R09: 0000000000000002 R10: 0000000000000001 R11: 0000000000000246 R12: 00005575399e2ab2 R13: 000055753a91ceb0 R14: 0000000000000000 R15: 000055753a923018 </TASK> Modules linked in: btintel(+) btmtk bluetooth vfat sndhdacodechdmi fat sndhdacodecrealtek sndhdacodecgeneric iwlmvm(+) sndsofpciinteltgl mac80211 sndsofintelhdacommon soundwireintel soundwiregenericallocation soundwirecadence soundwirebus sndsofintelhda sndsofpci sndsof sndsofxtensadsp sndsochdachda sndhdaextcore sndsocacpiintelmatch sndsocacpi sndsoccore btrfs sndcompress sndhdaintel sndinteldspcfg sndintelsdwacpi sndhdacodec raid6pq iwlwifi sndhdacore sndpcm sndtimer snd soundcore cfg80211 intelishipc(+) thunderbolt rfkill intelishtp ucsiacpi wmi i2chidacpi i2c_hid evdev CR2: 000000000000004f ---[ end trace 0000000000000000 ]---

Check the debugfs_dir pointer for an error before using it.

[change to make both conditional]

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

8c082a99edb997d7999eb7cdb648e47a2bf4a638

Fixed

7de1ed755e1ace30d97a724bad32452ed86b653b

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

8c082a99edb997d7999eb7cdb648e47a2bf4a638

Fixed

fe51975ff13831e794e1bcd0039b305dcad3d7ba

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

8c082a99edb997d7999eb7cdb648e47a2bf4a638

Fixed

5a6248c0a22352f09ea041665d3bd3e18f6f872c

Affected versions

v5.*

v5.11

v5.11-rc7

v5.12

v5.12-rc1

v5.12-rc1-dontuse

v5.12-rc2

v5.12-rc3

v5.12-rc4

v5.12-rc5

v5.12-rc6

v5.12-rc7

v5.12-rc8

v5.13

v5.13-rc1

v5.13-rc2

v5.13-rc3

v5.13-rc4

v5.13-rc5

v5.13-rc6

v5.13-rc7

v5.14

v5.14-rc1

v5.14-rc2

v5.14-rc3

v5.14-rc4

v5.14-rc5

v5.14-rc6

v5.14-rc7

v5.15

v5.15-rc1

v5.15-rc2

v5.15-rc3

v5.15-rc4

v5.15-rc5

v5.15-rc6

v5.15-rc7

v5.15.1

v5.15.10

v5.15.11

v5.15.12

v5.15.13

v5.15.14

v5.15.15

v5.15.16

v5.15.17

v5.15.18

v5.15.19

v5.15.2

v5.15.20

v5.15.21

v5.15.22

v5.15.23

v5.15.24

v5.15.25

v5.15.26

v5.15.3

v5.15.4

v5.15.5

v5.15.6

v5.15.7

v5.15.8

v5.15.9

v5.16

v5.16-rc1

v5.16-rc2

v5.16-rc3

v5.16-rc4

v5.16-rc5

v5.16-rc6

v5.16-rc7

v5.16-rc8

v5.16.1

v5.16.10

v5.16.11

v5.16.12

v5.16.2

v5.16.3

v5.16.4

v5.16.5

v5.16.6

v5.16.7

v5.16.8

v5.16.9

v5.17-rc1

v5.17-rc2

v5.17-rc3

Database specific

{
    "vanir_signatures": [
        {
            "signature_type": "Function",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c",
                "function": "iwl_mvm_dbgfs_register"
            },
            "id": "CVE-2022-48918-48691ac5",
            "digest": {
                "length": 3944.0,
                "function_hash": "176695125367251866373431225390555469896"
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7de1ed755e1ace30d97a724bad32452ed86b653b"
        },
        {
            "signature_type": "Line",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c"
            },
            "id": "CVE-2022-48918-4a9c4cee",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "56279636741582412233530530147651157562",
                    "14054843315226765945224702759413228365",
                    "269637114556145626772742852896199574904",
                    "164541880738553814074115507649600201102",
                    "71353617887488479219795591130996776570",
                    "74398874682866830488165784596967478230",
                    "236818153636669489796275812647170592159",
                    "45293877215267386387225970010000036251"
                ]
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fe51975ff13831e794e1bcd0039b305dcad3d7ba"
        },
        {
            "signature_type": "Function",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c",
                "function": "iwl_mvm_dbgfs_register"
            },
            "id": "CVE-2022-48918-53099cd4",
            "digest": {
                "length": 3549.0,
                "function_hash": "164653121987975122513926069306821196220"
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fe51975ff13831e794e1bcd0039b305dcad3d7ba"
        },
        {
            "signature_type": "Line",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c"
            },
            "id": "CVE-2022-48918-7f7c45f8",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "56279636741582412233530530147651157562",
                    "14054843315226765945224702759413228365",
                    "269637114556145626772742852896199574904",
                    "164541880738553814074115507649600201102",
                    "71353617887488479219795591130996776570",
                    "74398874682866830488165784596967478230",
                    "236818153636669489796275812647170592159",
                    "45293877215267386387225970010000036251"
                ]
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7de1ed755e1ace30d97a724bad32452ed86b653b"
        },
        {
            "signature_type": "Line",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c"
            },
            "id": "CVE-2022-48918-af8bdc41",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "56279636741582412233530530147651157562",
                    "14054843315226765945224702759413228365",
                    "269637114556145626772742852896199574904",
                    "164541880738553814074115507649600201102",
                    "71353617887488479219795591130996776570",
                    "74398874682866830488165784596967478230",
                    "236818153636669489796275812647170592159",
                    "45293877215267386387225970010000036251"
                ]
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5a6248c0a22352f09ea041665d3bd3e18f6f872c"
        },
        {
            "signature_type": "Function",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c",
                "function": "iwl_mvm_dbgfs_register"
            },
            "id": "CVE-2022-48918-fdf5fdc7",
            "digest": {
                "length": 3609.0,
                "function_hash": "311470744947025547595744691212332845083"
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5a6248c0a22352f09ea041665d3bd3e18f6f872c"
        }
    ]
}

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.12.0

Fixed

5.15.27

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

5.16.13