CVE-2022-48895

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 21/08/2024
Last modified: 11/09/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

iommu/arm-smmu: Don't unregister on shutdown

Michael Walle says he noticed the following stack trace while performing
a shutdown with "reboot -f". He suggests he got "lucky" and just hit the
correct spot for the reboot while there was a packet transmission in
flight.

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098
CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 6.1.0-rc5-00088-gf3600ff8e322 #1930
Hardware name: Kontron KBox A-230-LS (DT)
pc : iommu_get_dma_domain+0x14/0x20
lr : iommu_dma_map_page+0x9c/0x254
Call trace:
iommu_get_dma_domain+0x14/0x20
dma_map_page_attrs+0x1ec/0x250
enetc_start_xmit+0x14c/0x10b0
enetc_xmit+0x60/0xdc
dev_hard_start_xmit+0xb8/0x210
sch_direct_xmit+0x11c/0x420
__dev_queue_xmit+0x354/0xb20
ip6_finish_output2+0x280/0x5b0
__ip6_finish_output+0x15c/0x270
ip6_output+0x78/0x15c
NF_HOOK.constprop.0+0x50/0xd0
mld_sendpack+0x1bc/0x320
mld_ifc_work+0x1d8/0x4dc
process_one_work+0x1e8/0x460
worker_thread+0x178/0x534
kthread+0xe0/0xe4
ret_from_fork+0x10/0x20
Code: d503201f f9416800 d503233f d50323bf (f9404c00)
---[ end trace 0000000000000000 ]---
Kernel panic - not syncing: Oops: Fatal exception in interrupt

This appears to be reproducible when the board has a fixed IP address,
is ping flooded from another host, and "reboot -f" is used.

The following is one more manifestation of the issue:

$ reboot -f
kvm: exiting hardware virtualization
cfg80211: failed to load regulatory.db
arm-smmu 5000000.iommu: disabling translation
sdhci-esdhc 2140000.mmc: Removing from iommu group 11
sdhci-esdhc 2150000.mmc: Removing from iommu group 12
fsl-edma 22c0000.dma-controller: Removing from iommu group 17
dwc3 3100000.usb: Removing from iommu group 9
dwc3 3110000.usb: Removing from iommu group 10
ahci-qoriq 3200000.sata: Removing from iommu group 2
fsl-qdma 8380000.dma-controller: Removing from iommu group 20
platform f080000.display: Removing from iommu group 0
etnaviv-gpu f0c0000.gpu: Removing from iommu group 1
etnaviv etnaviv: Removing from iommu group 1
caam_jr 8010000.jr: Removing from iommu group 13
caam_jr 8020000.jr: Removing from iommu group 14
caam_jr 8030000.jr: Removing from iommu group 15
caam_jr 8040000.jr: Removing from iommu group 16
fsl_enetc 0000:00:00.0: Removing from iommu group 4
arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications
arm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000
fsl_enetc 0000:00:00.1: Removing from iommu group 5
arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications
arm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000002, GFSYNR1 0x00000429, GFSYNR2 0x00000000
arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications
arm-smmu 5000000.iommu: GFSR 0x80000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000
fsl_enetc 0000:00:00.2: Removing from iommu group 6
fsl_enetc_mdio 0000:00:00.3: Removing from iommu group 8
mscc_felix 0000:00:00.5: Removing from iommu group 3
fsl_enetc 0000:00:00.6: Removing from iommu group 7
pcieport 0001:00:00.0: Removing from iommu group 18
arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications
arm-smmu 5000000.iommu: GFSR 0x00000002, GFSYNR0 0x00000000, GFSYNR1 0x00000429, GFSYNR2 0x00000000
pcieport 0002:00:00.0: Removing from iommu group 19
Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a8
pc : iommu_get_dma_domain+0x14/0x20
lr : iommu_dma_unmap_page+0x38/0xe0
Call trace:
iommu_get_dma_domain+0x14/0x20
dma_unmap_page_attrs+0x38/0x1d0
en
---truncated---
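As an added example (not part of the CVE record or the kernel commit), the following Python script scans a console or dmesg capture for the crash signature shown in the two traces above: a NULL pointer dereference whose pc is iommu_get_dma_domain, with a note of whether the SMMU had already logged "disabling translation". The function name, the `window` parameter and the result fields are assumptions made for this example; the sample lines are excerpted from the second log quoted above.

```python
import re

# Patterns taken from the kernel messages quoted in the description above.
OOPS = re.compile(r"Unable to handle kernel NULL pointer dereference "
                  r"at virtual address ([0-9a-f]+)")
PC = re.compile(r"\bpc : ([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
LR = re.compile(r"\blr : ([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
SMMU_OFF = re.compile(r"arm-smmu \S+: disabling translation")
BLOCKED = re.compile(r"arm-smmu \S+: Blocked unknown Stream ID (0x[0-9a-f]+)")

def find_smmu_shutdown_oops(lines, window=30):
    """Return one finding per NULL-deref oops whose pc is iommu_get_dma_domain.

    window (assumption): how many lines after the oops banner to search for
    the pc/lr lines, since a full oops prints other fields in between.
    """
    findings, smmu_off, blocked = [], False, set()
    for i, line in enumerate(lines):
        if SMMU_OFF.search(line):
            smmu_off = True              # SMMU teardown has started
        m = BLOCKED.search(line)
        if m:
            blocked.add(m.group(1))      # DMA from a device already detached
        m = OOPS.search(line)
        if not m:
            continue
        tail = "\n".join(lines[i + 1 : i + 1 + window])
        pc, lr = PC.search(tail), LR.search(tail)
        if pc and pc.group(1) == "iommu_get_dma_domain":
            findings.append({
                "fault_addr": int(m.group(1), 16),   # small offset from NULL
                "caller": lr.group(1) if lr else None,
                "after_smmu_disable": smmu_off,
                "blocked_stream_ids": sorted(blocked),
            })
    return findings

# Sample input: lines excerpted from the second log in the description.
SAMPLE = """\
arm-smmu 5000000.iommu: disabling translation
fsl_enetc 0000:00:00.0: Removing from iommu group 4
arm-smmu 5000000.iommu: Blocked unknown Stream ID 0x429; boot with "arm-smmu.disable_bypass=0" to allow, but this may have security implications
pcieport 0002:00:00.0: Removing from iommu group 19
Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a8
pc : iommu_get_dma_domain+0x14/0x20
lr : iommu_dma_unmap_page+0x38/0xe0
""".splitlines()

if __name__ == "__main__":
    for finding in find_smmu_shutdown_oops(SAMPLE):
        print(finding)
```

The patterns use `search`, so lines carrying a dmesg timestamp prefix also match.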

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1 (including) | 6.1.7 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:* | | |