CVE-2022-50135

Summary

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup

The function rxe_create_qp calls rxe_qp_from_init. If some error occurs, the error handler of function rxe_qp_from_init will set both scq and rcq to NULL.

Then rxe_create_qp calls rxe_put to handle qp. In the end, rxe_qp_do_cleanup is called by rxe_put. rxe_qp_do_cleanup directly accesses scq and rcq before checking them. This will cause null-ptr-deref error.

The call graph is as below:

rxe_create_qp { … rxe_qp_from_init { … err1: … qp->rcq = NULL; <—rcq is set to NULL qp->scq = NULL; <—scq is set to NULL … }

qp_init: rxe_put{ … rxe_qp_do_cleanup { … atomic_dec(&qp->scq->num_wq); <— scq is accessed … atomic_dec(&qp->rcq->num_wq); <— rcq is accessed } }

Affected Software

VendorProductVersion RangeStatus
LinuxLinux4703b4f0d94a5f887297713a2f6c2916a1ef08fd < 8598b9d0a364c1663c96fc0fab9df0d36c809aeaaffected
LinuxLinux4703b4f0d94a5f887297713a2f6c2916a1ef08fd < 37da51efe6eaa0560f46803c8c436a48a2084da7affected
LinuxLinux5.19affected
LinuxLinux0 < 5.19unaffected
LinuxLinux5.19.2 <= 5.19.*unaffected
LinuxLinux6.0 <= *unaffected

Weaknesses

References