CVE-2022-48803

EUVD-2022-53682

16.07.2024, 12:15

In the Linux kernel, the following vulnerability has been resolved:

phy: ti: Fix missing sentinel for clk_div_table

_get_table_maxdiv() tries to access "clk_div_table" array out of bound
defined in phy-j721e-wiz.c. Add a sentinel entry to prevent
the following global-out-of-bounds error reported by enabling KASAN.

[    9.552392] BUG: KASAN: global-out-of-bounds in _get_maxdiv+0xc0/0x148
[    9.558948] Read of size 4 at addr ffff8000095b25a4 by task kworker/u4:1/38
[    9.565926]
[    9.567441] CPU: 1 PID: 38 Comm: kworker/u4:1 Not tainted 5.16.0-116492-gdaadb3bd0e8d-dirty #360
[    9.576242] Hardware name: Texas Instruments J721e EVM (DT)
[    9.581832] Workqueue: events_unbound deferred_probe_work_func
[    9.587708] Call trace:
[    9.590174]  dump_backtrace+0x20c/0x218
[    9.594038]  show_stack+0x18/0x68
[    9.597375]  dump_stack_lvl+0x9c/0xd8
[    9.601062]  print_address_description.constprop.0+0x78/0x334
[    9.606830]  kasan_report+0x1f0/0x260
[    9.610517]  __asan_load4+0x9c/0xd8
[    9.614030]  _get_maxdiv+0xc0/0x148
[    9.617540]  divider_determine_rate+0x88/0x488
[    9.622005]  divider_round_rate_parent+0xc8/0x124
[    9.626729]  wiz_clk_div_round_rate+0x54/0x68
[    9.631113]  clk_core_determine_round_nolock+0x124/0x158
[    9.636448]  clk_core_round_rate_nolock+0x68/0x138
[    9.641260]  clk_core_set_rate_nolock+0x268/0x3a8
[    9.645987]  clk_set_rate+0x50/0xa8
[    9.649499]  cdns_sierra_phy_init+0x88/0x248
[    9.653794]  phy_init+0x98/0x108
[    9.657046]  cdns_pcie_enable_phy+0xa0/0x170
[    9.661340]  cdns_pcie_init_phy+0x250/0x2b0
[    9.665546]  j721e_pcie_probe+0x4b8/0x798
[    9.669579]  platform_probe+0x8c/0x108
[    9.673350]  really_probe+0x114/0x630
[    9.677037]  __driver_probe_device+0x18c/0x220
[    9.681505]  driver_probe_device+0xac/0x150
[    9.685712]  __device_attach_driver+0xec/0x170
[    9.690178]  bus_for_each_drv+0xf0/0x158
[    9.694124]  __device_attach+0x184/0x210
[    9.698070]  device_initial_probe+0x14/0x20
[    9.702277]  bus_probe_device+0xec/0x100
[    9.706223]  deferred_probe_work_func+0x124/0x180
[    9.710951]  process_one_work+0x4b0/0xbc0
[    9.714983]  worker_thread+0x74/0x5d0
[    9.718668]  kthread+0x214/0x230
[    9.721919]  ret_from_fork+0x10/0x20
[    9.725520]
[    9.727032] The buggy address belongs to the variable:
[    9.732183]  clk_div_table+0x24/0x440

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 1%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	5.6 ≤ 𝑥 < 5.10.101
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.24
linux	linux_kernel	5.16 ≤ 𝑥 < 5.16.10
linux	linux_kernel	5.17:rc1
linux	linux_kernel	5.17:rc2
linux	linux_kernel	5.17:rc3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.106-3 fixed
bookworm (security)	6.1.112-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.226-1 fixed
sid	6.11.6-1 fixed
trixie	6.11.5-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	not-affected
trusty	not-affected
xenial	not-affected

linux-allwinner-5.19

focal	dne
jammy	ignored
noble	dne

linux-aws

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	not-affected
trusty	not-affected
xenial	not-affected

linux-aws-5.0

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-aws-5.11

focal	ignored
jammy	dne
noble	dne

linux-aws-5.13

focal	ignored
jammy	dne
noble	dne

linux-aws-5.15

focal	not-affected
jammy	dne
noble	dne

linux-aws-5.19

focal	dne
jammy	ignored
noble	dne

linux-aws-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-aws-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-aws-5.8

focal	ignored
jammy	dne
noble	dne

linux-aws-6.2

focal	dne
jammy	ignored
noble	dne

linux-aws-6.5

focal	dne
jammy	not-affected
noble	dne

linux-aws-fips

focal	dne
jammy	dne
noble	dne

linux-aws-hwe

focal	dne
jammy	dne
noble	dne
xenial	not-affected

linux-azure

bionic	ignored
focal	not-affected
jammy	not-affected
noble	not-affected
trusty	not-affected
xenial	not-affected

linux-azure-4.15

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-azure-5.11

focal	ignored
jammy	dne
noble	dne

linux-azure-5.13

focal	ignored
jammy	dne
noble	dne

linux-azure-5.15

focal	not-affected
jammy	dne
noble	dne

linux-azure-5.19

focal	dne
jammy	ignored
noble	dne

linux-azure-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-azure-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-azure-5.8

focal	ignored
jammy	dne
noble	dne

linux-azure-6.2

focal	dne
jammy	ignored
noble	dne

linux-azure-6.5

focal	dne
jammy	not-affected
noble	dne

linux-azure-edge

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-azure-fde

focal	ignored
jammy	not-affected
noble	dne

linux-azure-fde-5.15

focal	not-affected
jammy	dne
noble	dne

linux-azure-fde-5.19

focal	dne
jammy	ignored
noble	dne

linux-azure-fde-6.2

focal	dne
jammy	ignored
noble	dne

linux-azure-fips

focal	dne
jammy	dne
noble	dne

linux-bluefield

focal	not-affected
jammy	dne
noble	dne

linux-fips

focal	dne
jammy	dne
noble	dne

linux-gcp

bionic	ignored
focal	not-affected
jammy	not-affected
noble	not-affected
xenial	not-affected

linux-gcp-4.15

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-gcp-5.11

focal	ignored
jammy	dne
noble	dne

linux-gcp-5.13

focal	ignored
jammy	dne
noble	dne

linux-gcp-5.15

focal	not-affected
jammy	dne
noble	dne

linux-gcp-5.19

focal	dne
jammy	ignored
noble	dne

linux-gcp-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-gcp-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-gcp-5.8

focal	ignored
jammy	dne
noble	dne

linux-gcp-6.2

focal	dne
jammy	ignored
noble	dne

linux-gcp-6.5

focal	dne
jammy	not-affected
noble	dne

linux-gcp-fips

focal	dne
jammy	dne
noble	dne

linux-gke

focal	ignored
jammy	not-affected
noble	not-affected

linux-gke-4.15

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-gke-5.15

focal	ignored
jammy	dne
noble	dne

linux-gke-5.4

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-gkeop

focal	not-affected
jammy	not-affected
noble	dne

linux-gkeop-5.15

focal	not-affected
jammy	dne
noble	dne

linux-gkeop-5.4

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-hwe

bionic	ignored
focal	dne
jammy	dne
noble	dne
xenial	not-affected

linux-hwe-5.11

focal	ignored
jammy	dne
noble	dne

linux-hwe-5.13

focal	ignored
jammy	dne
noble	dne

linux-hwe-5.15

focal	not-affected
jammy	dne
noble	dne

linux-hwe-5.19

focal	dne
jammy	ignored
noble	dne

linux-hwe-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-hwe-5.8

focal	ignored
jammy	dne
noble	dne

linux-hwe-6.2

focal	dne
jammy	ignored
noble	dne

linux-hwe-6.5

focal	dne
jammy	ignored
noble	dne

linux-hwe-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
trusty	dne
xenial	dne

linux-hwe-edge

bionic	ignored
focal	dne
jammy	dne
noble	dne
xenial	ignored

linux-ibm

focal	not-affected
jammy	not-affected
noble	not-affected

linux-ibm-5.15

focal	not-affected
jammy	dne
noble	dne

linux-ibm-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-intel

focal	dne
jammy	dne
noble	not-affected

linux-intel-5.13

focal	ignored
jammy	dne
noble	dne

linux-intel-iot-realtime

bionic	dne
focal	dne
jammy	dne
noble	dne
trusty	dne
xenial	dne

linux-intel-iotg

focal	dne
jammy	not-affected
noble	dne

linux-intel-iotg-5.15

focal	Fixed 5.15.0-1008.11~20.04.1 released
jammy	dne
noble	dne

linux-iot

focal	not-affected
jammy	dne
noble	dne

linux-kvm

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	dne
xenial	not-affected

linux-lowlatency

focal	dne
jammy	not-affected
noble	not-affected

linux-lowlatency-hwe-5.15

focal	not-affected
jammy	dne
noble	dne

linux-lowlatency-hwe-5.19

focal	dne
jammy	ignored
noble	dne

linux-lowlatency-hwe-6.2

focal	dne
jammy	ignored
noble	dne

linux-lowlatency-hwe-6.5

focal	dne
jammy	ignored
noble	dne

linux-lowlatency-hwe-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
trusty	dne
xenial	dne

linux-lts-xenial

focal	dne
jammy	dne
noble	dne
trusty	not-affected

linux-nvidia

focal	dne
jammy	not-affected
noble	not-affected

linux-nvidia-6.2

focal	dne
jammy	ignored
noble	dne

linux-nvidia-6.5

focal	dne
jammy	not-affected
noble	dne

linux-nvidia-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
trusty	dne
xenial	dne

linux-nvidia-lowlatency

bionic	dne
focal	dne
jammy	dne
noble	not-affected
trusty	dne
xenial	dne

linux-oem

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-oem-5.10

focal	ignored
jammy	dne
noble	dne

linux-oem-5.13

focal	ignored
jammy	dne
noble	dne

linux-oem-5.14

focal	ignored
jammy	dne
noble	dne

linux-oem-5.17

focal	dne
jammy	ignored
noble	dne

linux-oem-5.6

focal	ignored
jammy	dne
noble	dne

linux-oem-6.0

focal	dne
jammy	ignored
noble	dne

linux-oem-6.1

focal	dne
jammy	ignored
noble	dne

linux-oem-6.5

focal	dne
jammy	not-affected
noble	dne

linux-oem-6.8

focal	dne
jammy	dne
noble	not-affected

linux-oracle

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	not-affected
xenial	not-affected

linux-oracle-5.0

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-oracle-5.11

focal	ignored
jammy	dne
noble	dne

linux-oracle-5.13

focal	ignored
jammy	dne
noble	dne

linux-oracle-5.15

focal	not-affected
jammy	dne
noble	dne

linux-oracle-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-oracle-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-oracle-5.8

focal	ignored
jammy	dne
noble	dne

linux-oracle-6.5

focal	dne
jammy	not-affected
noble	dne

linux-raspi

focal	not-affected
jammy	not-affected
noble	not-affected

linux-raspi-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-raspi-realtime

bionic	dne
focal	dne
jammy	dne
noble	dne
trusty	dne
xenial	dne

linux-raspi2

focal	ignored
jammy	dne
noble	dne

linux-realtime

bionic	dne
focal	dne
jammy	ignored
noble	dne
trusty	dne
xenial	dne

linux-riscv

focal	ignored
jammy	ignored
noble	not-affected

linux-riscv-5.11

focal	ignored
jammy	dne
noble	dne

linux-riscv-5.15

focal	not-affected
jammy	dne
noble	dne

linux-riscv-5.19

focal	dne
jammy	ignored
noble	dne

linux-riscv-5.8

focal	ignored
jammy	dne
noble	dne

linux-riscv-6.5

focal	dne
jammy	ignored
noble	dne

linux-riscv-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
trusty	dne
xenial	dne

linux-starfive-5.19

focal	dne
jammy	ignored
noble	dne

linux-starfive-6.2

focal	dne
jammy	ignored
noble	dne

linux-starfive-6.5

focal	dne
jammy	not-affected
noble	dne

linux-xilinx-zynqmp

focal	not-affected
jammy	not-affected
noble	dne

openSUSE / SLES Releases

openSUSE Product

Release

kernel-64kb

suse enterprise desktop 15 SP5	5.14.21-150500.55.73.1 fixed
suse enterprise sap 15 SP5	5.14.21-150500.55.73.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.128.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.73.1 fixed

kernel-azure

suse enterprise sap 15 SP5	5.14.21-150500.33.63.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.33.63.1 fixed

kernel-default

suse enterprise desktop 15 SP5	5.14.21-150500.55.73.1 fixed
suse enterprise sap 15 SP5	5.14.21-150500.55.73.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.128.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.73.1 fixed

kernel-default-base

suse enterprise desktop 15 SP5	5.14.21-150500.55.73.1.150500.6.33.8 fixed
suse enterprise sap 15 SP5	5.14.21-150500.55.73.1.150500.6.33.8 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.128.1.150400.24.62.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.73.1.150500.6.33.8 fixed

kernel-docs

suse enterprise desktop 15 SP5	5.14.21-150500.55.73.2 fixed
suse enterprise sap 15 SP5	5.14.21-150500.55.73.2 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.128.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.73.2 fixed

kernel-macros

suse enterprise desktop 15 SP5	5.14.21-150500.55.73.1 fixed
suse enterprise sap 15 SP5	5.14.21-150500.55.73.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.128.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.73.1 fixed

kernel-obs-build

suse enterprise desktop 15 SP5	5.14.21-150500.55.73.1 fixed
suse enterprise sap 15 SP5	5.14.21-150500.55.73.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.128.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.73.1 fixed

kernel-source

suse enterprise desktop 15 SP5	5.14.21-150500.55.73.1 fixed
suse enterprise sap 15 SP5	5.14.21-150500.55.73.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.128.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.73.1 fixed

kernel-source-azure

suse enterprise sap 15 SP5	5.14.21-150500.33.63.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.33.63.1 fixed

kernel-syms

suse enterprise desktop 15 SP5	5.14.21-150500.55.73.1 fixed
suse enterprise sap 15 SP5	5.14.21-150500.55.73.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.128.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.73.1 fixed

kernel-syms-azure

suse enterprise sap 15 SP5	5.14.21-150500.33.63.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.33.63.1 fixed

kernel-zfcpdump

suse enterprise desktop 15 SP5	5.14.21-150500.55.73.1 fixed
suse enterprise sap 15 SP5	5.14.21-150500.55.73.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.128.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.73.1 fixed

reiserfs-kmp-default

suse enterprise server 15 SP4

5.14.21-150400.24.128.1

fixed

Common Weakness Enumeration

CWE-125 - Out-of-bounds Read
The software reads data past the end, or before the beginning, of the intended buffer.

References

https://git.kernel.org/stable/c/3c75d1017cb362b6a4e0935746ef5da28250919f

https://git.kernel.org/stable/c/5b0c9569135a37348c1267c81e8b0274b21a86ed

https://git.kernel.org/stable/c/6d1e6bcb31663ee83aaea1f171f3dbfe95dd4a69

https://git.kernel.org/stable/c/7a360e546ad9e7c3fd53d6bb60348c660cd28f54

https://git.kernel.org/stable/c/3c75d1017cb362b6a4e0935746ef5da28250919f

https://git.kernel.org/stable/c/5b0c9569135a37348c1267c81e8b0274b21a86ed

https://git.kernel.org/stable/c/6d1e6bcb31663ee83aaea1f171f3dbfe95dd4a69

https://git.kernel.org/stable/c/7a360e546ad9e7c3fd53d6bb60348c660cd28f54