CVE-2022-49825

In atatportadd(), the return value of transportadddevice() is not checked. As a result, it causes null-ptr-deref while removing the module, because transportremovedevice() is called to remove the device that was not added.

Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0 CPU: 12 PID: 13605 Comm: rmmod Kdump: loaded Tainted: G W 6.1.0-rc3+ #8 pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : devicedel+0x48/0x39c lr : devicedel+0x44/0x39c Call trace: devicedel+0x48/0x39c attributecontainerclassdevicedel+0x28/0x40 transportremoveclassdev+0x60/0x7c attributecontainerdevicetrigger+0x118/0x120 transportremovedevice+0x20/0x30 atatportdelete+0x34/0x60 [libata] ataportdetach+0x148/0x1b0 [libata] atapciremoveone+0x50/0x80 [libata] ahciremove_one+0x4c/0x8c [ahci]

Fix this by checking and handling return value of transportadddevice() in atatportadd().

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49825.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

d9027470b88631d0956ac37cdadfdeb9cdcf2c99

Fixed

b5362dc1634d8b8d5f30920f33ac11a3276b7ed9

Fixed

e7bb1b7a7bf26f6b7372b7b683daece4a42fda02

Fixed

52d9bb0adae9359711a0c5271430afd3754069e7

Fixed

3613dbe3909dcc637fe6be00e4dc43b4aa0470ee

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49825.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.6.37

Fixed

5.10.156

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

5.15.80

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

6.0.10

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49825.json"