CVE-2022-49823

Summary

In the Linux kernel, the following vulnerability has been resolved:

ata: libata-transport: fix error handling in ata_tdev_add()

In ata_tdev_add(), the return value of transport_add_device() is not checked. As a result, it causes null-ptr-deref while removing the module, because transport_remove_device() is called to remove the device that was not added.

Unable to handle kernel NULL pointer dereference at virtual address 00000000000000d0 CPU: 13 PID: 13603 Comm: rmmod Kdump: loaded Tainted: G W 6.1.0-rc3+ #36 pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=–) pc : device_del+0x48/0x3a0 lr : device_del+0x44/0x3a0 Call trace: device_del+0x48/0x3a0 attribute_container_class_device_del+0x28/0x40 transport_remove_classdev+0x60/0x7c attribute_container_device_trigger+0x118/0x120 transport_remove_device+0x20/0x30 ata_tdev_delete+0x24/0x50 [libata] ata_tlink_delete+0x40/0xa0 [libata] ata_tport_delete+0x2c/0x60 [libata] ata_port_detach+0x148/0x1b0 [libata] ata_pci_remove_one+0x50/0x80 [libata] ahci_remove_one+0x4c/0x8c [ahci]

Fix this by checking and handling return value of transport_add_device() in ata_tdev_add(). In the error path, device_del() is called to delete the device which was added earlier in this function, and ata_tdev_free() is called to free ata_dev.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxd9027470b88631d0956ac37cdadfdeb9cdcf2c99 < ef2ac07ab83163b9a53f45da20e14302591ad9ccaffected
LinuxLinuxd9027470b88631d0956ac37cdadfdeb9cdcf2c99 < f23058dc2398db1d8faca9a2b1ce30b85cdd8b22affected
LinuxLinuxd9027470b88631d0956ac37cdadfdeb9cdcf2c99 < f54331962883f4fc4bf5e487e6e7cf07c4567fefaffected
LinuxLinuxd9027470b88631d0956ac37cdadfdeb9cdcf2c99 < 1ff36351309e3eadcff297480baf4785e726de9baffected
LinuxLinux2.6.37affected
LinuxLinux0 < 2.6.37unaffected
LinuxLinux5.10.156 <= 5.10.*unaffected
LinuxLinux5.15.80 <= 5.15.*unaffected
LinuxLinux6.0.10 <= 6.0.*unaffected
LinuxLinux6.1 <= *unaffected

Weaknesses

References