CVE-2022-48972

In the Linux kernel, the following vulnerability has been resolved:

mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()

Kernel fault injection test reports null-ptr-deref as follows:

BUG: kernel NULL pointer dereference, address: 0000000000000008
RIP: 0010:cfg802154_netdev_notifier_call+0x120/0x310 include/linux/list.h:114
Call Trace:
 <TASK>
 raw_notifier_call_chain+0x6d/0xa0 kernel/notifier.c:87
 call_netdevice_notifiers_info+0x6e/0xc0 net/core/dev.c:1944
 unregister_netdevice_many_notify+0x60d/0xcb0 net/core/dev.c:1982
 unregister_netdevice_queue+0x154/0x1a0 net/core/dev.c:10879
 register_netdevice+0x9a8/0xb90 net/core/dev.c:10083
 ieee802154_if_add+0x6ed/0x7e0 net/mac802154/iface.c:659
 ieee802154_register_hw+0x29c/0x330 net/mac802154/main.c:229
 mcr20a_probe+0xaaa/0xcb1 drivers/net/ieee802154/mcr20a.c:1316

ieee802154_if_add() allocates wpan_dev as netdev's private data, but not
init the list in struct wpan_dev. cfg802154_netdev_notifier_call() manage
the list when device register/unregister, and may lead to null-ptr-deref.

Use INIT_LIST_HEAD() on it to initialize it correctly.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
LinuxCNA
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 12%
VendorProductVersion
linuxlinux_kernel
3.19 ≤
𝑥
< 4.9.336
linuxlinux_kernel
4.10 ≤
𝑥
< 4.14.302
linuxlinux_kernel
4.15 ≤
𝑥
< 4.19.269
linuxlinux_kernel
4.20 ≤
𝑥
< 5.4.227
linuxlinux_kernel
5.5 ≤
𝑥
< 5.10.159
linuxlinux_kernel
5.11 ≤
𝑥
< 5.15.83
linuxlinux_kernel
5.16 ≤
𝑥
< 6.0.13
linuxlinux_kernel
6.1:rc1
linuxlinux_kernel
6.1:rc2
linuxlinux_kernel
6.1:rc3
linuxlinux_kernel
6.1:rc4
linuxlinux_kernel
6.1:rc5
linuxlinux_kernel
6.1:rc6
linuxlinux_kernel
6.1:rc7
linuxlinux_kernel
6.1:rc8
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.226-1
fixed
bookworm
6.1.106-3
fixed
bookworm (security)
6.1.112-1
fixed
trixie
6.11.5-1
fixed
sid
6.11.6-1
fixed
Common Weakness Enumeration
References
https://git.kernel.org/stable/c/1831d4540406708e48239cf38fd9c3b7ea98e08f
https://git.kernel.org/stable/c/42c319635c0cf7eb36eccac6cda76532f47b61a3
https://git.kernel.org/stable/c/623918f40fa68e3bb21312a3fafb90f491bf5358
https://git.kernel.org/stable/c/7410f4d1221bb182510b7778ab6eefa8b9b7102d
https://git.kernel.org/stable/c/9980a3ea20de40c83817877106c909cb032692d2
https://git.kernel.org/stable/c/a110287ef4a423980309490df632e1c1e73b3dc9
https://git.kernel.org/stable/c/b3d72d3135d2ef68296c1ee174436efd65386f04
https://git.kernel.org/stable/c/f00c84fb1635c27ba24ec5df65d5bd7d7dc00008