CVE-2022-48870

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 21/08/2024
Last modified: 06/09/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

tty: fix possible null-ptr-defer in spk_ttyio_release

Run the following tests on the qemu platform:

    syzkaller:~# modprobe speakup_audptr
    input: Speakup as /devices/virtual/input/input4
    initialized device: /dev/synth, node (MAJOR 10, MINOR 125)
    speakup 3.1.6: initialized
    synth name on entry is: (null)
    synth probe

spk_ttyio_initialise_ldisc failed because tty_kopen_exclusive returned
failed (errno -16), then remove the module, we will get a null-ptr-defer
problem, as follows:

    syzkaller:~# modprobe -r speakup_audptr
    releasing synth audptr
    BUG: kernel NULL pointer dereference, address: 0000000000000080
    #PF: supervisor write access in kernel mode
    #PF: error_code(0x0002) - not-present page
    PGD 0 P4D 0
    Oops: 0002 [#1] PREEMPT SMP PTI
    CPU: 2 PID: 204 Comm: modprobe Not tainted 6.1.0-rc6-dirty #1
    RIP: 0010:mutex_lock+0x14/0x30
    Call Trace:
    spk_ttyio_release+0x19/0x70 [speakup]
    synth_release.part.6+0xac/0xc0 [speakup]
    synth_remove+0x56/0x60 [speakup]
    __x64_sys_delete_module+0x156/0x250
    ? fpregs_assert_state_consistent+0x1d/0x50
    do_syscall_64+0x37/0x90
    entry_SYSCALL_64_after_hwframe+0x63/0xcd
    Modules linked in: speakup_audptr(-) speakup
    Dumping ftrace buffer:

in_synth->dev was not initialized during modprobe, so we add check
for in_synth->dev to fix this bug.
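The failure path described above, reduced to a user-space model. This is an added example, not the kernel's code or the upstream patch: every model_* name, the_tty and port_busy are hypothetical stand-ins, and the lock is modelled as a plain counter inside the tty object.

```c
#include <errno.h>
#include <stddef.h>

/* Hypothetical user-space stand-ins for the objects named in the trace. */
struct model_tty   { int lock_count; int open; };
struct model_synth { struct model_tty *dev; };   /* mirrors in_synth->dev */

static struct model_tty the_tty;   /* the single serial port in this model */
static int port_busy;              /* constructed: port already opened exclusively */

/* Initialise step that fails with -EBUSY (errno -16) before dev is assigned. */
int model_initialise(struct model_synth *s)
{
	if (port_busy)
		return -EBUSY;         /* s->dev is left NULL */
	the_tty.open = 1;
	s->dev = &the_tty;
	return 0;
}

/* Release with the guard the description asks for.
 * Returns 0 when there was nothing to release, 1 when a tty was released. */
int model_release(struct model_synth *s)
{
	struct model_tty *tty = s->dev;

	if (tty == NULL)           /* without this, the next line writes through NULL */
		return 0;
	tty->lock_count++;         /* stands in for locking a mutex embedded in the tty */
	tty->open = 0;
	tty->lock_count--;
	s->dev = NULL;
	return 1;
}

/* Load then unload, as "modprobe" followed by "modprobe -r" do in the report. */
int model_load_unload(int busy)
{
	struct model_synth s = { .dev = NULL };

	port_busy = busy;
	(void)model_initialise(&s);    /* in the report the module stays loaded after this fails */
	return model_release(&s);
}

int main(void)
{
	return model_load_unload(1);   /* 0: init failed, release is a safe no-op */
}
```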

Vulnerable products and versions

CPE                                             From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.12 (including)   5.15.90 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    5.16 (including)   6.1.8 (excluding)