cve-2022-48707
Vulnerability from cvelistv5
Published: 2024-05-21 15:22
Modified: 2024-12-19 08:05
Summary
In the Linux kernel, the following vulnerability has been resolved:

cxl/region: Fix null pointer dereference for resetting decoder

Not all decoders have a reset callback.

The CXL specification allows a host bridge with a single root port to have no explicit HDM decoders. Currently the region driver assumes there are none. As such the CXL core creates a special pass through decoder instance without a commit/reset callback.

Prior to this patch, the ->reset() callback was called unconditionally when calling cxl_region_decode_reset. Thus a configuration with 1 Host Bridge, 1 Root Port, and one directly attached CXL type 3 device or multiple CXL type 3 devices attached to downstream ports of a switch can cause a null pointer dereference.

Before the fix, a kernel crash was observed when we destroy the region, and a pass through decoder is reset.

The issue can be reproduced as below,
    1) create a region with a CXL setup which includes a HB with a single root port under which a memdev is attached directly.
    2) destroy the region with cxl destroy-region regionX -f.
Impacted products
Vendor: Linux
Product: Linux
Version: 6.0


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-48707",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-23T17:51:43.390258Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:16:39.940Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T15:17:55.855Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a04c7d062b537ff787d00da95bdfe343260d4beb"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/4fa4302d6dc7de7e8e74dc7405611a2efb4bf54b"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/cxl/core/region.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a04c7d062b537ff787d00da95bdfe343260d4beb",
              "status": "affected",
              "version": "176baefb2eb5d7a3ddebe3ff803db1fce44574b5",
              "versionType": "git"
            },
            {
              "lessThan": "4fa4302d6dc7de7e8e74dc7405611a2efb4bf54b",
              "status": "affected",
              "version": "176baefb2eb5d7a3ddebe3ff803db1fce44574b5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/cxl/core/region.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/region: Fix null pointer dereference for resetting decoder\n\nNot all decoders have a reset callback.\n\nThe CXL specification allows a host bridge with a single root port to\nhave no explicit HDM decoders. Currently the region driver assumes there\nare none.  As such the CXL core creates a special pass through decoder\ninstance without a commit/reset callback.\n\nPrior to this patch, the -\u003ereset() callback was called unconditionally when\ncalling cxl_region_decode_reset. Thus a configuration with 1 Host Bridge,\n1 Root Port, and one directly attached CXL type 3 device or multiple CXL\ntype 3 devices attached to downstream ports of a switch can cause a null\npointer dereference.\n\nBefore the fix, a kernel crash was observed when we destroy the region, and\na pass through decoder is reset.\n\nThe issue can be reproduced as below,\n    1) create a region with a CXL setup which includes a HB with a\n    single root port under which a memdev is attached directly.\n    2) destroy the region with cxl destroy-region regionX -f."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:05:58.344Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a04c7d062b537ff787d00da95bdfe343260d4beb"
        },
        {
          "url": "https://git.kernel.org/stable/c/4fa4302d6dc7de7e8e74dc7405611a2efb4bf54b"
        }
      ],
      "title": "cxl/region: Fix null pointer dereference for resetting decoder",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-48707",
    "datePublished": "2024-05-21T15:22:48.735Z",
    "dateReserved": "2024-05-03T14:55:07.147Z",
    "dateUpdated": "2024-12-19T08:05:58.344Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

