CVE-2022-49070

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fbdev: Fix unregistering of framebuffers without device<br /> <br /> OF framebuffers do not have an underlying device in the Linux<br /> device hierarchy. Do a regular unregister call instead of hot<br /> unplugging such a non-existing device. Fixes a NULL dereference.<br /> An example error message on ppc64le is shown below.<br /> <br /> BUG: Kernel NULL pointer dereference on read at 0x00000060<br /> Faulting instruction address: 0xc00000000080dfa4<br /> Oops: Kernel access of bad area, sig: 11 [#1]<br /> LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries<br /> [...]<br /> CPU: 2 PID: 139 Comm: systemd-udevd Not tainted 5.17.0-ae085d7f9365 #1<br /> NIP: c00000000080dfa4 LR: c00000000080df9c CTR: c000000000797430<br /> REGS: c000000004132fe0 TRAP: 0300 Not tainted (5.17.0-ae085d7f9365)<br /> MSR: 8000000002009033 CR: 28228282 XER: 20000000<br /> CFAR: c00000000000c80c DAR: 0000000000000060 DSISR: 40000000 IRQMASK: 0<br /> GPR00: c00000000080df9c c000000004133280 c00000000169d200 0000000000000029<br /> GPR04: 00000000ffffefff c000000004132f90 c000000004132f88 0000000000000000<br /> GPR08: c0000000015658f8 c0000000015cd200 c0000000014f57d0 0000000048228283<br /> GPR12: 0000000000000000 c00000003fffe300 0000000020000000 0000000000000000<br /> GPR16: 0000000000000000 0000000113fc4a40 0000000000000005 0000000113fcfb80<br /> GPR20: 000001000f7283b0 0000000000000000 c000000000e4a588 c000000000e4a5b0<br /> GPR24: 0000000000000001 00000000000a0000 c008000000db0168 c0000000021f6ec0<br /> GPR28: c0000000016d65a8 c000000004b36460 0000000000000000 c0000000016d64b0<br /> NIP [c00000000080dfa4] do_remove_conflicting_framebuffers+0x184/0x1d0<br /> [c000000004133280] [c00000000080df9c] do_remove_conflicting_framebuffers+0x17c/0x1d0 (unreliable)<br /> [c000000004133350] [c00000000080e4d0] remove_conflicting_framebuffers+0x60/0x150<br /> [c0000000041333a0] [c00000000080e6f4] remove_conflicting_pci_framebuffers+0x134/0x1b0<br /> [c000000004133450] [c008000000e70438] drm_aperture_remove_conflicting_pci_framebuffers+0x90/0x100 [drm]<br /> [c000000004133490] [c008000000da0ce4] bochs_pci_probe+0x6c/0xa64 [bochs]<br /> [...]<br /> [c000000004133db0] [c00000000002aaa0] system_call_exception+0x170/0x2d0<br /> [c000000004133e10] [c00000000000c3cc] system_call_common+0xec/0x250<br /> <br /> The bug [1] was introduced by commit 27599aacbaef ("fbdev: Hot-unplug<br /> firmware fb devices on forced removal"). Most firmware framebuffers<br /> have an underlying platform device, which can be hot-unplugged<br /> before loading the native graphics driver. OF framebuffers do not<br /> (yet) have that device. Fix the code by unregistering the framebuffer<br /> as before without a hot unplug.<br /> <br /> Tested with 5.17 on qemu ppc64le emulation.