fkie_cve-2022-48953
Vulnerability from fkie_nvd
Published
2024-10-21 20:15
Modified
2024-10-25 20:07
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: rtc: cmos: Fix event handler registration ordering issue Because acpi_install_fixed_event_handler() enables the event automatically on success, it is incorrect to call it before the handler routine passed to it is ready to handle events. Unfortunately, the rtc-cmos driver does exactly the incorrect thing by calling cmos_wake_setup(), which passes rtc_handler() to acpi_install_fixed_event_handler(), before cmos_do_probe(), because rtc_handler() uses dev_get_drvdata() to get to the cmos object pointer and the driver data pointer is only populated in cmos_do_probe(). This leads to a NULL pointer dereference in rtc_handler() on boot if the RTC fixed event happens to be active at the init time. To address this issue, change the initialization ordering of the driver so that cmos_wake_setup() is always called after a successful cmos_do_probe() call. While at it, change cmos_pnp_probe() to call cmos_do_probe() after the initial if () statement used for computing the IRQ argument to be passed to cmos_do_probe() which is cleaner than calling it in each branch of that if () (local variable "irq" can be of type int, because it is passed to that function as an argument of type int). Note that commit 6492fed7d8c9 ("rtc: rtc-cmos: Do not check ACPI_FADT_LOW_POWER_S0") caused this issue to affect a larger number of systems, because previously it only affected systems with ACPI_FADT_LOW_POWER_S0 set, but it is present regardless of that commit.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/0bcfccb48696aba475f046c2021f0733659ce0efPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/1ba745fce13d19775100eece30b0bfb8b8b10ea6Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/4919d3eb2ec0ee364f7e3cf2d99646c1b224fae8Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/60c6e563a843032cf6ff84b2fb732cd8754fc10dPatch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel 6.1
linux linux_kernel 6.1
linux linux_kernel 6.1
linux linux_kernel 6.1
linux linux_kernel 6.1
linux linux_kernel 6.1
linux linux_kernel 6.1
linux linux_kernel 6.1


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D2853A0C-C4B1-4484-864A-7B42421570AE",
              "versionEndExcluding": "5.10.163",
              "versionStartIncluding": "2.6.28",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "47237296-55D1-4ED4-8075-D00FC85A61EE",
              "versionEndExcluding": "5.15.86",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8761B6C5-F658-46D1-92B8-4ED28F931D6A",
              "versionEndExcluding": "6.0.14",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "E7E331DA-1FB0-4DEC-91AC-7DA69D461C11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "17F0B248-42CF-4AE6-A469-BB1BAE7F4705",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "E2422816-0C14-4B5E-A1E6-A9D776E5C49B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "1C6E00FE-5FB9-4D20-A1A1-5A32128F9B76",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc5:*:*:*:*:*:*",
              "matchCriteriaId": "35B26BE4-43A6-4A36-A7F6-5B3F572D9186",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc6:*:*:*:*:*:*",
              "matchCriteriaId": "3FFFB0B3-930D-408A-91E2-BAE0C2715D80",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc7:*:*:*:*:*:*",
              "matchCriteriaId": "8535320E-A0DB-4277-800E-D0CE5BBA59E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc8:*:*:*:*:*:*",
              "matchCriteriaId": "21718AA4-4056-40F2-968E-BDAA465A7872",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrtc: cmos: Fix event handler registration ordering issue\n\nBecause acpi_install_fixed_event_handler() enables the event\nautomatically on success, it is incorrect to call it before the\nhandler routine passed to it is ready to handle events.\n\nUnfortunately, the rtc-cmos driver does exactly the incorrect thing\nby calling cmos_wake_setup(), which passes rtc_handler() to\nacpi_install_fixed_event_handler(), before cmos_do_probe(), because\nrtc_handler() uses dev_get_drvdata() to get to the cmos object\npointer and the driver data pointer is only populated in\ncmos_do_probe().\n\nThis leads to a NULL pointer dereference in rtc_handler() on boot\nif the RTC fixed event happens to be active at the init time.\n\nTo address this issue, change the initialization ordering of the\ndriver so that cmos_wake_setup() is always called after a successful\ncmos_do_probe() call.\n\nWhile at it, change cmos_pnp_probe() to call cmos_do_probe() after\nthe initial if () statement used for computing the IRQ argument to\nbe passed to cmos_do_probe() which is cleaner than calling it in\neach branch of that if () (local variable \"irq\" can be of type int,\nbecause it is passed to that function as an argument of type int).\n\nNote that commit 6492fed7d8c9 (\"rtc: rtc-cmos: Do not check\nACPI_FADT_LOW_POWER_S0\") caused this issue to affect a larger number\nof systems, because previously it only affected systems with\nACPI_FADT_LOW_POWER_S0 set, but it is present regardless of that\ncommit."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: rtc: cmos: Fix event handler registration ordering issue Debido a que acpi_install_fixed_event_handler() habilita el evento autom\u00e1ticamente en caso de \u00e9xito, es incorrecto llamarlo antes de que la rutina del controlador que se le pasa est\u00e9 lista para manejar eventos. Desafortunadamente, el controlador rtc-cmos hace exactamente lo incorrecto al llamar a cmos_wake_setup(), que pasa rtc_handler() a acpi_install_fixed_event_handler(), antes de cmos_do_probe(), porque rtc_handler() usa dev_get_drvdata() para llegar al puntero del objeto cmos y el puntero de datos del controlador solo se completa en cmos_do_probe(). Esto conduce a una desreferencia de puntero NULL en rtc_handler() en el arranque si el evento RTC fixed est\u00e1 activo en el momento de inicializaci\u00f3n. Para solucionar este problema, cambie el orden de inicializaci\u00f3n del controlador de modo que cmos_wake_setup() siempre se llame despu\u00e9s de una llamada a cmos_do_probe() exitosa. Mientras tanto, cambie cmos_pnp_probe() para llamar a cmos_do_probe() despu\u00e9s de la declaraci\u00f3n if () inicial utilizada para calcular el argumento IRQ que se pasar\u00e1 a cmos_do_probe(), lo que es m\u00e1s limpio que llamarlo en cada rama de ese if () (la variable local \"irq\" puede ser de tipo int, porque se pasa a esa funci\u00f3n como un argumento de tipo int). Tenga en cuenta que el commit 6492fed7d8c9 (\"rtc: rtc-cmos: No marque ACPI_FADT_LOW_POWER_S0\") provoc\u00f3 que este problema afectara a una mayor cantidad de sistemas, porque anteriormente solo afectaba a los sistemas con ACPI_FADT_LOW_POWER_S0 configurado, pero est\u00e1 presente independientemente de esa confirmaci\u00f3n."
    }
  ],
  "id": "CVE-2022-48953",
  "lastModified": "2024-10-25T20:07:48.127",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-10-21T20:15:06.700",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/0bcfccb48696aba475f046c2021f0733659ce0ef"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/1ba745fce13d19775100eece30b0bfb8b8b10ea6"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/4919d3eb2ec0ee364f7e3cf2d99646c1b224fae8"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/60c6e563a843032cf6ff84b2fb732cd8754fc10d"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-476"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.