CVE-2022-48898

21.08.2024, 07:15

In the Linux kernel, the following vulnerability has been resolved:

drm/msm/dp: do not complete dp_aux_cmd_fifo_tx() if irq is not for aux transfer

There are 3 possible interrupt sources are handled by DP controller,
HPDstatus, Controller state changes and Aux read/write transaction.
At every irq, DP controller have to check isr status of every interrupt
sources and service the interrupt if its isr status bits shows interrupts
are pending. There is potential race condition may happen at current aux
isr handler implementation since it is always complete dp_aux_cmd_fifo_tx()
even irq is not for aux read or write transaction. This may cause aux read
transaction return premature if host aux data read is in the middle of
waiting for sink to complete transferring data to host while irq happen.
This will cause host's receiving buffer contains unexpected data. This
patch fixes this problem by checking aux isr and return immediately at
aux isr handler if there are no any isr status bits set.

Current there is a bug report regrading eDP edid corruption happen during
system booting up. After lengthy debugging to found that VIDEO_READY
interrupt was continuously firing during system booting up which cause
dp_aux_isr() to complete dp_aux_cmd_fifo_tx() prematurely to retrieve data
from aux hardware buffer which is not yet contains complete data transfer
from sink. This cause edid corruption.

Follows are the signature at kernel logs when problem happen,
EDID has corrupt header
panel-simple-dp-aux aux-aea0000.edp: Couldn't identify panel via EDID

Changes in v2:
-- do complete if (ret == IRQ_HANDLED) ay dp-aux_isr()
-- add more commit text

Changes in v3:
-- add Stephen suggested
-- dp_aux_isr() return IRQ_XXX back to caller
-- dp_ctrl_isr() return IRQ_XXX back to caller

Changes in v4:
-- split into two patches

Changes in v5:
-- delete empty line between tags

Changes in v6:
-- remove extra "that" and fixed line more than 75 char at commit text

Patchwork: https://patchwork.freedesktop.org/patch/516121/

Race Condition

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.7 MEDIUM	LOCAL	HIGH	LOW	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 1%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	5.10 ≤ 𝑥 < 5.10.164
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.89
linux	linux_kernel	5.16 ≤ 𝑥 < 6.1.7
linux	linux_kernel	6.2:rc1
linux	linux_kernel	6.2:rc2
linux	linux_kernel	6.2:rc3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.106-3 fixed
bookworm (security)	6.1.112-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.226-1 fixed
sid	6.11.6-1 fixed
trixie	6.11.5-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

bionic	not-affected
focal	not-affected
jammy	Fixed 5.15.0-70.77 released
noble	not-affected
trusty	not-affected
xenial	not-affected

linux-allwinner-5.19

focal	dne
jammy	ignored
noble	dne

linux-aws

bionic	not-affected
focal	not-affected
jammy	Fixed 5.15.0-1034.38 released
noble	not-affected
trusty	not-affected
xenial	not-affected

linux-aws-5.0

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-aws-5.11

focal	ignored
jammy	dne
noble	dne

linux-aws-5.13

focal	ignored
jammy	dne
noble	dne

linux-aws-5.15

focal	Fixed 5.15.0-1034.38~20.04.1 released
jammy	dne
noble	dne

linux-aws-5.19

focal	dne
jammy	ignored
noble	dne

linux-aws-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-aws-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-aws-5.8

focal	ignored
jammy	dne
noble	dne

linux-aws-6.2

focal	dne
jammy	ignored
noble	dne

linux-aws-6.5

focal	dne
jammy	ignored
noble	dne

linux-aws-fips

focal	dne
jammy	dne
noble	dne

linux-aws-hwe

focal	dne
jammy	dne
noble	dne
xenial	not-affected

linux-azure

bionic	ignored
focal	not-affected
jammy	Fixed 5.15.0-1036.43 released
noble	not-affected
trusty	not-affected
xenial	not-affected

linux-azure-4.15

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-azure-5.11

focal	ignored
jammy	dne
noble	dne

linux-azure-5.13

focal	ignored
jammy	dne
noble	dne

linux-azure-5.15

focal	Fixed 5.15.0-1036.43~20.04.1 released
jammy	dne
noble	dne

linux-azure-5.19

focal	dne
jammy	ignored
noble	dne

linux-azure-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-azure-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-azure-5.8

focal	ignored
jammy	dne
noble	dne

linux-azure-6.2

focal	dne
jammy	ignored
noble	dne

linux-azure-6.5

focal	dne
jammy	ignored
noble	dne

linux-azure-edge

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-azure-fde

focal	ignored
jammy	Fixed 5.15.0-1036.43.1 released
noble	dne

linux-azure-fde-5.15

focal	Fixed 5.15.0-1036.43~20.04.1.1 released
jammy	dne
noble	dne

linux-azure-fde-5.19

focal	dne
jammy	ignored
noble	dne

linux-azure-fde-6.2

focal	dne
jammy	ignored
noble	dne

linux-azure-fips

focal	dne
jammy	dne
noble	dne

linux-bluefield

focal	not-affected
jammy	dne
noble	dne

linux-fips

focal	dne
jammy	dne
noble	dne

linux-gcp

bionic	ignored
focal	not-affected
jammy	Fixed 5.15.0-1032.40 released
noble	not-affected
xenial	not-affected

linux-gcp-4.15

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-gcp-5.11

focal	ignored
jammy	dne
noble	dne

linux-gcp-5.13

focal	ignored
jammy	dne
noble	dne

linux-gcp-5.15

focal	Fixed 5.15.0-1032.40~20.04.1 released
jammy	dne
noble	dne

linux-gcp-5.19

focal	dne
jammy	ignored
noble	dne

linux-gcp-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-gcp-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-gcp-5.8

focal	ignored
jammy	dne
noble	dne

linux-gcp-6.2

focal	dne
jammy	ignored
noble	dne

linux-gcp-6.5

focal	dne
jammy	ignored
noble	dne

linux-gcp-fips

focal	dne
jammy	dne
noble	dne

linux-gke

focal	ignored
jammy	Fixed 5.15.0-1031.36 released
noble	not-affected

linux-gke-4.15

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-gke-5.15

focal	ignored
jammy	dne
noble	dne

linux-gke-5.4

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-gkeop

focal	not-affected
jammy	Fixed 5.15.0-1018.23 released
noble	dne

linux-gkeop-5.15

focal	Fixed 5.15.0-1018.23~20.04.1 released
jammy	dne
noble	dne

linux-gkeop-5.4

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-hwe

bionic	ignored
focal	dne
jammy	dne
noble	dne
xenial	not-affected

linux-hwe-5.11

focal	ignored
jammy	dne
noble	dne

linux-hwe-5.13

focal	ignored
jammy	dne
noble	dne

linux-hwe-5.15

focal	Fixed 5.15.0-70.77~20.04.1 released
jammy	dne
noble	dne

linux-hwe-5.19

focal	dne
jammy	ignored
noble	dne

linux-hwe-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-hwe-5.8

focal	ignored
jammy	dne
noble	dne

linux-hwe-6.2

focal	dne
jammy	ignored
noble	dne

linux-hwe-6.5

focal	dne
jammy	ignored
noble	dne

linux-hwe-6.8

focal	dne
jammy	not-affected
noble	dne

linux-hwe-edge

bionic	ignored
focal	dne
jammy	dne
noble	dne
xenial	ignored

linux-ibm

focal	not-affected
jammy	Fixed 5.15.0-1028.31 released
noble	not-affected

linux-ibm-5.15

focal	not-affected
jammy	dne
noble	dne

linux-ibm-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-intel

bionic	dne
focal	dne
jammy	dne
noble	not-affected
trusty	dne
xenial	dne

linux-intel-5.13

focal	ignored
jammy	dne
noble	dne

linux-intel-iot-realtime

bionic	dne
focal	dne
jammy	dne
noble	dne
trusty	dne
xenial	dne

linux-intel-iotg

focal	dne
jammy	Fixed 5.15.0-1028.33 released
noble	dne

linux-intel-iotg-5.15

focal	Fixed 5.15.0-1030.35~20.04.1 released
jammy	dne
noble	dne

linux-iot

focal	not-affected
jammy	dne
noble	dne

linux-kvm

bionic	not-affected
focal	not-affected
jammy	Fixed 5.15.0-1031.36 released
noble	dne
xenial	not-affected

linux-lowlatency

focal	dne
jammy	Fixed 5.15.0-70.77 released
noble	not-affected

linux-lowlatency-hwe-5.15

focal	Fixed 5.15.0-70.77~20.04.1 released
jammy	dne
noble	dne

linux-lowlatency-hwe-5.19

focal	dne
jammy	ignored
noble	dne

linux-lowlatency-hwe-6.2

focal	dne
jammy	ignored
noble	dne

linux-lowlatency-hwe-6.5

focal	dne
jammy	ignored
noble	dne

linux-lowlatency-hwe-6.8

focal	dne
jammy	not-affected
noble	dne

linux-lts-xenial

focal	dne
jammy	dne
noble	dne
trusty	not-affected

linux-nvidia

focal	dne
jammy	Fixed 5.15.0-1023.23 released
noble	not-affected

linux-nvidia-6.2

focal	dne
jammy	ignored
noble	dne

linux-nvidia-6.5

focal	dne
jammy	not-affected
noble	dne

linux-nvidia-6.8

focal	dne
jammy	not-affected
noble	dne

linux-nvidia-lowlatency

focal	dne
jammy	dne
noble	not-affected

linux-oem

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-oem-5.10

focal	ignored
jammy	dne
noble	dne

linux-oem-5.13

focal	ignored
jammy	dne
noble	dne

linux-oem-5.14

focal	ignored
jammy	dne
noble	dne

linux-oem-5.17

focal	dne
jammy	ignored
noble	dne

linux-oem-5.6

focal	ignored
jammy	dne
noble	dne

linux-oem-6.0

focal	dne
jammy	ignored
noble	dne

linux-oem-6.1

focal	dne
jammy	ignored
noble	dne

linux-oem-6.5

focal	dne
jammy	ignored
noble	dne

linux-oem-6.8

focal	dne
jammy	dne
noble	not-affected

linux-oracle

bionic	not-affected
focal	not-affected
jammy	Fixed 5.15.0-1033.39 released
noble	not-affected
xenial	not-affected

linux-oracle-5.0

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-oracle-5.11

focal	ignored
jammy	dne
noble	dne

linux-oracle-5.13

focal	ignored
jammy	dne
noble	dne

linux-oracle-5.15

focal	Fixed 5.15.0-1033.39~20.04.1 released
jammy	dne
noble	dne

linux-oracle-5.3

bionic	ignored
focal	dne
jammy	dne
noble	dne

linux-oracle-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-oracle-5.8

focal	ignored
jammy	dne
noble	dne

linux-oracle-6.5

focal	dne
jammy	ignored
noble	dne

linux-raspi

focal	not-affected
jammy	Fixed 5.15.0-1027.29 released
noble	not-affected

linux-raspi-5.4

bionic	not-affected
focal	dne
jammy	dne
noble	dne

linux-raspi-realtime

bionic	dne
focal	dne
jammy	dne
noble	dne
trusty	dne
xenial	dne

linux-raspi2

focal	ignored
jammy	dne
noble	dne

linux-realtime

bionic	dne
focal	dne
jammy	ignored
noble	dne
trusty	dne
xenial	dne

linux-riscv

focal	ignored
jammy	ignored
noble	not-affected

linux-riscv-5.11

focal	ignored
jammy	dne
noble	dne

linux-riscv-5.15

focal	Fixed 5.15.0-1031.35~20.04.1 released
jammy	dne
noble	dne

linux-riscv-5.19

focal	dne
jammy	ignored
noble	dne

linux-riscv-5.8

focal	ignored
jammy	dne
noble	dne

linux-riscv-6.5

focal	dne
jammy	ignored
noble	dne

linux-riscv-6.8

focal	dne
jammy	not-affected
noble	dne

linux-starfive-5.19

focal	dne
jammy	ignored
noble	dne

linux-starfive-6.2

focal	dne
jammy	ignored
noble	dne

linux-starfive-6.5

focal	dne
jammy	ignored
noble	dne

linux-xilinx-zynqmp

focal	not-affected
jammy	not-affected
noble	dne

Common Weakness Enumeration

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References

https://git.kernel.org/stable/c/1cba0d150fa102439114a91b3e215909efc9f169

https://git.kernel.org/stable/c/785607e5e6fb52caf141e4580de40405565f04f1

https://git.kernel.org/stable/c/984ad875db804948c86ca9e1c2e784ae8252715a

https://git.kernel.org/stable/c/b7dcbca46db3c77fdb02c2a9d6239e5aa3b06a59