CVE-2022-48984

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48984
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48984.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-48984
Downstream
Published
2024-10-21T20:06:01.083Z
Modified
2025-11-28T09:56:52.965209Z
Summary
can: slcan: fix freed work crash
Details

In the Linux kernel, the following vulnerability has been resolved:

can: slcan: fix freed work crash

The LTP test pty03 is causing a crash in slcan:
BUG: kernel NULL pointer dereference, address: 0000000000000008
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 0 PID: 348 Comm: kworker/0:3 Not tainted 6.0.8-1-default #1 openSUSE Tumbleweed 9d20364b934f5aab0a9bdf84e8f45cfdfae39dab
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
Workqueue: 0x0 (events)
RIP: 0010:process_one_work (/home/rich/kernel/linux/kernel/workqueue.c:706 /home/rich/kernel/linux/kernel/workqueue.c:2185)
Code: 49 89 ff 41 56 41 55 41 54 55 53 48 89 f3 48 83 ec 10 48 8b 06 48 8b 6f 48 49 89 c4 45 30 e4 a8 04 b8 00 00 00 00 4c 0f 44 e0 <49> 8b 44 24 08 44 8b a8 00 01 00 00 41 83 e5 20 f6 45 10 04 75 0e
RSP: 0018:ffffaf7b40f47e98 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff9d644e1b8b48 RCX: ffff9d649e439968
RDX: 00000000ffff8455 RSI: ffff9d644e1b8b48 RDI: ffff9d64764aa6c0
RBP: ffff9d649e4335c0 R08: 0000000000000c00 R09: ffff9d64764aa734
R10: 0000000000000007 R11: 0000000000000001 R12: 0000000000000000
R13: ffff9d649e4335e8 R14: ffff9d64490da780 R15: ffff9d64764aa6c0
FS: 0000000000000000(0000) GS:ffff9d649e400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000008 CR3: 0000000036424000 CR4: 00000000000006f0
Call Trace:
<TASK>
worker_thread (/home/rich/kernel/linux/kernel/workqueue.c:2436)
kthread (/home/rich/kernel/linux/kernel/kthread.c:376)
ret_from_fork (/home/rich/kernel/linux/arch/x86/entry/entry_64.S:312)

Apparently, the slcan's tx_work is freed while being scheduled. While slcan_netdev_close() (netdev side) calls flush_work(&sl->tx_work), slcan_close() (tty side) does not. So when the netdev is never set UP, but the tty is stuffed with bytes and forced to wakeup write, the work is scheduled, but never flushed.

So add an additional flush_work() to slcan_close() to be sure the work is flushed under all circumstances.

The Fixes commit below moved flush_work() from slcan_close() to slcan_netdev_close(). What was the rationale behind it? Maybe we can drop the one in slcan_netdev_close()?

I see the same pattern in can327. So it perhaps needs the very same fix.
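As an added illustration of the ordering bug described in the commit message above (this is not kernel code and not part of the original advisory): a small single-threaded userspace C model of a workqueue, a `slcan`-like structure embedding a `tx_work` item, and the two teardown paths. The names `schedule_work`, `flush_work`, `kworker_run`, `slcan_write_wakeup`, `slcan_netdev_close`, `slcan_close` and `run_scenario` are stand-ins modelled on the kernel API, not the real implementations; `model_kfree` only marks the object freed (memory is kept) so that the use-after-free can be observed deterministically instead of crashing. The scenario reproduces the commit's description: the netdev is never set UP, the tty side schedules `tx_work` via write-wakeup, the tty is closed, and the kworker runs later.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* container_of as used in the kernel: recover the enclosing struct
 * from a pointer to one of its members. */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* --- Minimal single-threaded model of a kernel workqueue (hypothetical) --- */
struct work_struct {
    void (*func)(struct work_struct *work);
    bool pending;                 /* queued on the workqueue, not yet run */
};

static struct work_struct *queued_work;   /* one-slot "events" queue */

static void schedule_work(struct work_struct *work)
{
    if (!work->pending) {
        work->pending = true;
        queued_work = work;
    }
}

/* The kworker: runs whatever is queued. In the kernel this happens at an
 * arbitrary later time; in this model the caller decides when. */
static void kworker_run(void)
{
    struct work_struct *work = queued_work;
    if (!work)
        return;
    queued_work = NULL;
    work->pending = false;
    work->func(work);
}

/* flush_work(): returns only once any queued instance has completed. */
static void flush_work(struct work_struct *work)
{
    if (work->pending)
        kworker_run();
}

/* --- Model of the slcan channel object (hypothetical layout) --- */
struct slcan {
    bool freed;                   /* set by model_kfree() instead of releasing memory */
    bool netdev_up;
    struct work_struct tx_work;
    int xmit_calls;
};

static int uaf_hits;              /* work callback ran on an already-freed slcan */

static void slcan_transmit(struct work_struct *work)
{
    struct slcan *sl = container_of(work, struct slcan, tx_work);
    if (sl->freed) {              /* in the real kernel: the NULL deref / UAF in the oops */
        uaf_hits++;
        return;
    }
    sl->xmit_calls++;
}

static void model_kfree(struct slcan *sl) { sl->freed = true; }

/* tty write-wakeup: bytes are waiting, defer transmission to tx_work. */
static void slcan_write_wakeup(struct slcan *sl) { schedule_work(&sl->tx_work); }

/* netdev-side close: flushes tx_work, but only ever runs if the netdev was UP. */
static void slcan_netdev_close(struct slcan *sl)
{
    flush_work(&sl->tx_work);
    sl->netdev_up = false;
}

/* tty-side close. `fixed` selects the behaviour with the additional
 * flush_work() that the CVE fix adds to slcan_close(). */
static void slcan_close(struct slcan *sl, bool fixed)
{
    if (sl->netdev_up)
        slcan_netdev_close(sl);
    if (fixed)
        flush_work(&sl->tx_work); /* the fix: always flush before freeing */
    model_kfree(sl);
}

/* Scenario from the commit message: netdev never UP, write-wakeup schedules
 * tx_work, tty closed, kworker runs later. Returns the number of times the
 * work callback touched the freed object (0 means the teardown was safe). */
static int run_scenario(bool fixed)
{
    struct slcan *sl = calloc(1, sizeof(*sl));   /* netdev_up == false */
    uaf_hits = 0;
    queued_work = NULL;
    sl->tx_work.func = slcan_transmit;
    slcan_write_wakeup(sl);       /* tty side stuffs bytes, work is queued */
    slcan_close(sl, fixed);       /* tty side closes; netdev close never runs */
    kworker_run();                /* kworker gets around to the queued work */
    int hits = uaf_hits;
    free(sl);
    return hits;
}

int main(void)
{
    printf("unfixed slcan_close(): %d use-after-free hit(s)\n", run_scenario(false));
    printf("fixed   slcan_close(): %d use-after-free hit(s)\n", run_scenario(true));
    return 0;
}
```

The model makes the invariant explicit: every teardown path that can free a structure embedding a `work_struct` must flush (or cancel) that work first, regardless of whether some other path would also have done so. The flush in `slcan_netdev_close()` is not enough because, as the commit notes, that path is never taken when the netdev was never brought UP.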

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48984.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
cfcb4465e9923bb9ac168abcea84e880633f9cef
Fixed
9e2709d58a14a10eb00d919acd7dec071c33f8c8
Fixed
fb855e9f3b6b42c72af3f1eb0b288998fe0d5ebb

Affected versions

v5.*

v5.19
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.0.1
v6.0.10
v6.0.11
v6.0.12
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.0.6
v6.0.7
v6.0.8
v6.0.9
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7

Database specific

vanir_signatures

[
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "242241067190059044721884252894003150163",
                "292239252600918004325976544758072343128",
                "9271969967322622103282864969682786117",
                "164150688211372206684660127108310175582"
            ]
        },
        "target": {
            "file": "drivers/net/can/slcan/slcan-core.c"
        },
        "id": "CVE-2022-48984-4d42fda4",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fb855e9f3b6b42c72af3f1eb0b288998fe0d5ebb",
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "digest": {
            "function_hash": "120334309670058865041709752768749497554",
            "length": 312.0
        },
        "target": {
            "function": "slcan_close",
            "file": "drivers/net/can/slcan/slcan-core.c"
        },
        "id": "CVE-2022-48984-5603e1cc",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9e2709d58a14a10eb00d919acd7dec071c33f8c8",
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "digest": {
            "function_hash": "120334309670058865041709752768749497554",
            "length": 312.0
        },
        "target": {
            "function": "slcan_close",
            "file": "drivers/net/can/slcan/slcan-core.c"
        },
        "id": "CVE-2022-48984-5cf04466",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fb855e9f3b6b42c72af3f1eb0b288998fe0d5ebb",
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "242241067190059044721884252894003150163",
                "292239252600918004325976544758072343128",
                "9271969967322622103282864969682786117",
                "164150688211372206684660127108310175582"
            ]
        },
        "target": {
            "file": "drivers/net/can/slcan/slcan-core.c"
        },
        "id": "CVE-2022-48984-902f8fb8",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9e2709d58a14a10eb00d919acd7dec071c33f8c8",
        "signature_type": "Line",
        "signature_version": "v1"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.13