| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 28 Apr 2024 15:05:24 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2022-48663: gpio: mockup: fix NULL pointer dereference when removing debugfs Description =========== In the Linux kernel, the following vulnerability has been resolved: gpio: mockup: fix NULL pointer dereference when removing debugfs We now remove the device's debugfs entries when unbinding the driver. This now causes a NULL-pointer dereference on module exit because the platform devices are unregistered *after* the global debugfs directory has been recursively removed. Fix it by unregistering the devices first. The Linux kernel CVE team has assigned CVE-2022-48663 to this issue. Affected and fixed versions =========================== Issue introduced in 5.10.144 with commit 3815e66c2183 and fixed in 5.10.146 with commit bdea98b98f84 Issue introduced in 5.15.69 with commit 3a10e8edee2b and fixed in 5.15.71 with commit 18352095a0d5 Issue introduced in 5.19.10 with commit bc55c1677edb and fixed in 5.19.12 with commit af0bfabf06c7 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-48663 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/gpio/gpio-mockup.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/bdea98b98f844bd8a983ca880893e509a8b4162f https://git.kernel.org/stable/c/18352095a0d581f6aeb1e9fc9d68cc0152cd64b4 https://git.kernel.org/stable/c/af0bfabf06c74c260265c30ba81a34e7dec0e881 https://git.kernel.org/stable/c/b7df41a6f79dfb18ba2203f8c5f0e9c0b9b57f68
Powered by blists - more mailing lists