In the Linux kernel, the following vulnerability has been resolved:
net: phy: fix null-ptr-deref while probe() failed
I got the following null-ptr-deref report when doing a fault injection test:
BUG: kernel NULL pointer dereference, address: 0000000000000058
Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 PID: 253 Comm: 507-spi-dm9051 Tainted: G B N 6.1.0-rc3+
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:klist_put+0x2d/0xd0
Call Trace:
 <TASK>
 klist_remove+0xf1/0x1c0
 device_release_driver_internal+0x23e/0x2d0
 bus_remove_device+0x1bd/0x240
 device_del+0x357/0x770
 phy_device_remove+0x11/0x30
 mdiobus_unregister+0xa5/0x140
 release_nodes+0x6a/0xa0
 devres_release_all+0xf8/0x150
 device_unbind_cleanup+0x19/0xd0
//probe path:
phy_device_register()
  device_add()

phy_connect
  phy_attach_direct() //set device driver
    probe() //it's failed, driver is not bound
    device_bind_driver() // probe failed, it's not called
//remove path:
phy_device_remove()
  device_del()
    device_release_driver_internal()
      __device_release_driver() //dev->drv is not NULL
        klist_remove() <- knode_driver is not added yet, cause null-ptr-deref
In phy_attach_direct(), after 'dev->driver' is set, probe() fails and device_bind_driver() is not called, so knode_driver->n_klist is not set. Deleting the device then causes a null-ptr-deref in __device_release_driver(). Fix this by setting dev->driver to NULL in the error path in phy_attach_direct().
{ "vanir_signatures": [ { "signature_version": "v1", "digest": { "length": 1942.0, "function_hash": "283230007218421404528222506560112020867" }, "id": "CVE-2022-49021-0bff9e96", "deprecated": false, "target": { "file": "drivers/net/phy/phy_device.c", "function": "phy_attach_direct" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@51d7f6b20fae8bae64ad1136f1e30d1fd5ba78f7" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "296375789489429895739047990859407902500", "326570619980962531813355269439533892310", "73822747932989711139218102820551717087", "235766714302798947761384352120502198621" ] }, "id": "CVE-2022-49021-31768722", "deprecated": false, "target": { "file": "drivers/net/phy/phy_device.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fe6bc99c27c21348f548966118867ed26a9a372c" }, { "signature_version": "v1", "digest": { "length": 2047.0, "function_hash": "264911796575097264823597152579010339363" }, "id": "CVE-2022-49021-40cd9d99", "deprecated": false, "target": { "file": "drivers/net/phy/phy_device.c", "function": "phy_attach_direct" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@eaa5722549ac2604ffa56c2e946acc83226f130c" }, { "signature_version": "v1", "digest": { "length": 1987.0, "function_hash": "83636361165181458979165491220633519885" }, "id": "CVE-2022-49021-4a24bdd9", "deprecated": false, "target": { "file": "drivers/net/phy/phy_device.c", "function": "phy_attach_direct" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fe6bc99c27c21348f548966118867ed26a9a372c" }, { "signature_version": "v1", "digest": { "length": 2051.0, "function_hash": "298601606928806482270573936031112971985" }, "id": "CVE-2022-49021-5af50dff", "deprecated": false, "target": { "file": "drivers/net/phy/phy_device.c", 
"function": "phy_attach_direct" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7730904f50c7187dd16c76949efb56b5fb55cd57" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "296375789489429895739047990859407902500", "326570619980962531813355269439533892310", "73822747932989711139218102820551717087", "235766714302798947761384352120502198621" ] }, "id": "CVE-2022-49021-6f5c5268", "deprecated": false, "target": { "file": "drivers/net/phy/phy_device.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@51d7f6b20fae8bae64ad1136f1e30d1fd5ba78f7" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "296375789489429895739047990859407902500", "326570619980962531813355269439533892310", "73822747932989711139218102820551717087", "235766714302798947761384352120502198621" ] }, "id": "CVE-2022-49021-7a975db8", "deprecated": false, "target": { "file": "drivers/net/phy/phy_device.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7730904f50c7187dd16c76949efb56b5fb55cd57" }, { "signature_version": "v1", "digest": { "length": 1942.0, "function_hash": "283230007218421404528222506560112020867" }, "id": "CVE-2022-49021-806d677e", "deprecated": false, "target": { "file": "drivers/net/phy/phy_device.c", "function": "phy_attach_direct" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0744c7be4de564db03e24527b2e096b7e0e20972" }, { "signature_version": "v1", "digest": { "length": 1516.0, "function_hash": "153730625687701183139438854565931983185" }, "id": "CVE-2022-49021-9027a9cd", "deprecated": false, "target": { "file": "drivers/net/phy/phy_device.c", "function": "phy_attach_direct" }, "signature_type": "Function", "source": 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8aaafe0f71314f46a066382a047ba8bb3840d273" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "296375789489429895739047990859407902500", "326570619980962531813355269439533892310", "73822747932989711139218102820551717087", "235766714302798947761384352120502198621" ] }, "id": "CVE-2022-49021-90c88768", "deprecated": false, "target": { "file": "drivers/net/phy/phy_device.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8aaafe0f71314f46a066382a047ba8bb3840d273" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "296375789489429895739047990859407902500", "326570619980962531813355269439533892310", "73822747932989711139218102820551717087", "235766714302798947761384352120502198621" ] }, "id": "CVE-2022-49021-997581ef", "deprecated": false, "target": { "file": "drivers/net/phy/phy_device.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3e21f85d87c836462bb52ef2078ea561260935c1" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "296375789489429895739047990859407902500", "326570619980962531813355269439533892310", "73822747932989711139218102820551717087", "235766714302798947761384352120502198621" ] }, "id": "CVE-2022-49021-bb52fae3", "deprecated": false, "target": { "file": "drivers/net/phy/phy_device.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@eaa5722549ac2604ffa56c2e946acc83226f130c" }, { "signature_version": "v1", "digest": { "length": 1826.0, "function_hash": "282705269630739992788255089038825413218" }, "id": "CVE-2022-49021-bee8b4b1", "deprecated": false, "target": { "file": "drivers/net/phy/phy_device.c", "function": "phy_attach_direct" }, "signature_type": "Function", "source": 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3e21f85d87c836462bb52ef2078ea561260935c1" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "296375789489429895739047990859407902500", "326570619980962531813355269439533892310", "73822747932989711139218102820551717087", "235766714302798947761384352120502198621" ] }, "id": "CVE-2022-49021-c28d3b43", "deprecated": false, "target": { "file": "drivers/net/phy/phy_device.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@369eb2c9f1f72adbe91e0ea8efb130f0a2ba11a6" }, { "signature_version": "v1", "digest": { "threshold": 0.9, "line_hashes": [ "296375789489429895739047990859407902500", "326570619980962531813355269439533892310", "73822747932989711139218102820551717087", "235766714302798947761384352120502198621" ] }, "id": "CVE-2022-49021-decc458d", "deprecated": false, "target": { "file": "drivers/net/phy/phy_device.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0744c7be4de564db03e24527b2e096b7e0e20972" }, { "signature_version": "v1", "digest": { "length": 2047.0, "function_hash": "264911796575097264823597152579010339363" }, "id": "CVE-2022-49021-ef38e2ae", "deprecated": false, "target": { "file": "drivers/net/phy/phy_device.c", "function": "phy_attach_direct" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@369eb2c9f1f72adbe91e0ea8efb130f0a2ba11a6" } ] }