CVE-2022-49824

In atatlinkadd(), the return value of transportadddevice() is not checked. As a result, it causes null-ptr-deref while removing the module, because transportremovedevice() is called to remove the device that was not added.

Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0 CPU: 33 PID: 13850 Comm: rmmod Kdump: loaded Tainted: G W 6.1.0-rc3+ #12 pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : devicedel+0x48/0x39c lr : devicedel+0x44/0x39c Call trace: devicedel+0x48/0x39c attributecontainerclassdevicedel+0x28/0x40 transportremoveclassdev+0x60/0x7c attributecontainerdevicetrigger+0x118/0x120 transportremovedevice+0x20/0x30 atatlinkdelete+0x88/0xb0 [libata] atatportdelete+0x2c/0x60 [libata] ataportdetach+0x148/0x1b0 [libata] atapciremoveone+0x50/0x80 [libata] ahciremove_one+0x4c/0x8c [ahci]

Fix this by checking and handling return value of transportadddevice() in atatlinkadd().

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49824.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

d9027470b88631d0956ac37cdadfdeb9cdcf2c99

Fixed

7377a14598f6b04446c54bc4a50cd249470d6c6f

Fixed

67b219314628b90b3a314528e177335b0cd5c70b

Fixed

d5234480ca822bdcf03fe4d6a590ddcb854558f7

Fixed

cf0816f6322c5c37ee52655f928e91ecf32da103

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49824.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.6.37

Fixed

5.10.156

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

5.15.80

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

6.0.10

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49824.json"