CVE-2022-48870 Information

Description

In the Linux kernel the following vulnerability has been resolved:

tty: fix possible null-ptr-defer in spk_ttyio_release

Run the following tests on the qemu platform:

syzkaller:~ modprobe speakup_audptr input: Speakup as /devices/virtual/input/input4 initialized device: /dev/synth node (MAJOR 10 MINOR 125) speakup 3.1.6: initialized synth name on entry is: (null) synth probe

spk_ttyio_initialise_ldisc failed because tty_kopen_exclusive returned failed (errno -16) then remove the module we will get a null-ptr-defer problem as follow:

syzkaller:~ modprobe -r speakup_audptr releasing synth audptr BUG: kernel NULL pointer dereference address: 0000000000000080 PF: supervisor write access in kernel mode PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: 0002 [1] PREEMPT SMP PTI CPU: 2 PID: 204 Comm: modprobe Not tainted 6.1.0-rc6-dirty 1 RIP: 0010:mutex_lock+0x14/0x30 Call Trace: spk_ttyio_release+0x19/0x70 [speakup] synth_release.part.6+0xac/0xc0 [speakup] synth_remove+0x56/0x60 [speakup] __x64_sys_delete_module+0x156/0x250 ? fpregs_assert_state_consistent+0x1d/0x50 do_syscall_64+0x37/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd Modules linked in: speakup_audptr(-) speakup Dumping ftrace buffer:

in_synth->dev was not initialized during modprobe so we add check for in_synth->dev to fix this bug.

Reference

https://git.kernel.org/stable/c/2da67bff29ab49caafb0766e8b8383b735ff796f https://git.kernel.org/stable/c/64152e05a4de3ebf59f1740a0985a6d5fba0c77b https://git.kernel.org/stable/c/5abbeebd8296c2301023b8dc4b5a6c0d5229b4f5