CVE-2022-49605

EUVD-2022-54627

26.02.2025, 07:01

In the Linux kernel, the following vulnerability has been resolved:

igc: Reinstate IGC_REMOVED logic and implement it properly

The initially merged version of the igc driver code (via commit
146740f9abc4, "igc: Add support for PF") contained the following
IGC_REMOVED checks in the igc_rd32/wr32() MMIO accessors:

	u32 igc_rd32(struct igc_hw *hw, u32 reg)
	{
		u8 __iomem *hw_addr = READ_ONCE(hw->hw_addr);
		u32 value = 0;

		if (IGC_REMOVED(hw_addr))
			return ~value;

		value = readl(&hw_addr[reg]);

		/* reads should not return all F's */
		if (!(~value) && (!reg || !(~readl(hw_addr))))
			hw->hw_addr = NULL;

		return value;
	}

And:

	#define wr32(reg, val) \
	do { \
		u8 __iomem *hw_addr = READ_ONCE((hw)->hw_addr); \
		if (!IGC_REMOVED(hw_addr)) \
			writel((val), &hw_addr[(reg)]); \
	} while (0)

E.g. igb has similar checks in its MMIO accessors, and has a similar
macro E1000_REMOVED, which is implemented as follows:

	#define E1000_REMOVED(h) unlikely(!(h))

These checks serve to detect and take note of an 0xffffffff MMIO read
return from the device, which can be caused by a PCIe link flap or some
other kind of PCI bus error, and to avoid performing MMIO reads and
writes from that point onwards.

However, the IGC_REMOVED macro was not originally implemented:

	#ifndef IGC_REMOVED
	#define IGC_REMOVED(a) (0)
	#endif /* IGC_REMOVED */

This led to the IGC_REMOVED logic to be removed entirely in a
subsequent commit (commit 3c215fb18e70, "igc: remove IGC_REMOVED
function"), with the rationale that such checks matter only for
virtualization and that igc does not support virtualization -- but a
PCIe device can become detached even without virtualization being in
use, and without proper checks, a PCIe bus error affecting an igc
adapter will lead to various NULL pointer dereferences, as the first
access after the error will set hw->hw_addr to NULL, and subsequent
accesses will blindly dereference this now-NULL pointer.

This patch reinstates the IGC_REMOVED checks in igc_rd32/wr32(), and
implements IGC_REMOVED the way it is done for igb, by checking for the
unlikely() case of hw_addr being NULL.  This change prevents the oopses
seen when a PCIe link flap occurs on an igc adapter.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 29%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	4.20 ≤ 𝑥 < 5.4.208
linux	linux_kernel	5.5 ≤ 𝑥 < 5.10.134
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.58
linux	linux_kernel	5.16 ≤ 𝑥 < 5.18.15
linux	linux_kernel	5.19:rc1
linux	linux_kernel	5.19:rc2
linux	linux_kernel	5.19:rc3
linux	linux_kernel	5.19:rc4
linux	linux_kernel	5.19:rc5
linux	linux_kernel	5.19:rc6
linux	linux_kernel	5.19:rc7

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.123-1 fixed
bookworm (security)	6.1.128-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.234-1 fixed
sid	6.12.16-1 fixed
trixie	6.12.12-1 fixed

openSUSE / SLES Releases

openSUSE Product

Release

cluster-md-kmp-default

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

dlm-kmp-default

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

gfs2-kmp-default

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-64kb

suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-default

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-default-base

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1.150400.24.78.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1.150500.6.47.1 fixed

kernel-default-man

suse enterprise server 12 SP5

4.12.14-122.255.1

fixed

kernel-docs

suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-macros

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-obs-build

suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-source

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-syms

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

kernel-zfcpdump

suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

ocfs2-kmp-default

suse enterprise server 12 SP5	4.12.14-122.255.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

reiserfs-kmp-default

suse enterprise server 15 SP4	5.14.21-150400.24.158.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.100.1 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

bpftool

RHEL 8	0:4.18.0-425.3.1.el8 fixed
RHEL 9	0:5.14.0-162.6.1.el9_1 fixed

kernel

RHEL 8	0:4.18.0-425.3.1.el8 fixed
RHEL 9	0:5.14.0-162.6.1.el9_1 fixed

kernel-abi-stablelists

RHEL 8	0:4.18.0-425.3.1.el8 fixed
RHEL 9	0:5.14.0-162.6.1.el9_1 fixed

kernel-core

RHEL 8	0:4.18.0-425.3.1.el8 fixed
RHEL 9	0:5.14.0-162.6.1.el9_1 fixed

kernel-debug

RHEL 8	0:4.18.0-425.3.1.el8 fixed
RHEL 9	0:5.14.0-162.6.1.el9_1 fixed

kernel-debug-core

RHEL 8	0:4.18.0-425.3.1.el8 fixed
RHEL 9	0:5.14.0-162.6.1.el9_1 fixed

kernel-debug-devel

RHEL 8	0:4.18.0-425.3.1.el8 fixed
RHEL 9	0:5.14.0-162.6.1.el9_1 fixed

kernel-debug-devel-matched

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

kernel-debug-modules

RHEL 8	0:4.18.0-425.3.1.el8 fixed
RHEL 9	0:5.14.0-162.6.1.el9_1 fixed

kernel-debug-modules-extra

RHEL 8	0:4.18.0-425.3.1.el8 fixed
RHEL 9	0:5.14.0-162.6.1.el9_1 fixed

kernel-devel

RHEL 8	0:4.18.0-425.3.1.el8 fixed
RHEL 9	0:5.14.0-162.6.1.el9_1 fixed

kernel-devel-matched

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

kernel-doc

RHEL 8	0:4.18.0-425.3.1.el8 fixed
RHEL 9	0:5.14.0-162.6.1.el9_1 fixed

kernel-modules

RHEL 8	0:4.18.0-425.3.1.el8 fixed
RHEL 9	0:5.14.0-162.6.1.el9_1 fixed

kernel-modules-extra

RHEL 8	0:4.18.0-425.3.1.el8 fixed
RHEL 9	0:5.14.0-162.6.1.el9_1 fixed

kernel-tools

RHEL 8	0:4.18.0-425.3.1.el8 fixed
RHEL 9	0:5.14.0-162.6.1.el9_1 fixed

kernel-tools-libs

RHEL 8	0:4.18.0-425.3.1.el8 fixed
RHEL 9	0:5.14.0-162.6.1.el9_1 fixed

kernel-tools-libs-devel

RHEL 8	0:4.18.0-425.3.1.el8 fixed
RHEL 9	0:5.14.0-162.6.1.el9_1 fixed

kernel-zfcpdump

RHEL 8	0:4.18.0-425.3.1.el8 fixed
RHEL 9	0:5.14.0-162.6.1.el9_1 fixed

kernel-zfcpdump-core

RHEL 8	0:4.18.0-425.3.1.el8 fixed
RHEL 9	0:5.14.0-162.6.1.el9_1 fixed

kernel-zfcpdump-devel

RHEL 8	0:4.18.0-425.3.1.el8 fixed
RHEL 9	0:5.14.0-162.6.1.el9_1 fixed

kernel-zfcpdump-devel-matched

RHEL 9

0:5.14.0-162.6.1.el9_1

fixed

kernel-zfcpdump-modules

RHEL 8	0:4.18.0-425.3.1.el8 fixed
RHEL 9	0:5.14.0-162.6.1.el9_1 fixed

kernel-zfcpdump-modules-extra

RHEL 8	0:4.18.0-425.3.1.el8 fixed
RHEL 9	0:5.14.0-162.6.1.el9_1 fixed

perf

RHEL 8	0:4.18.0-425.3.1.el8 fixed
RHEL 9	0:5.14.0-162.6.1.el9_1 fixed

python3-perf

RHEL 8	0:4.18.0-425.3.1.el8 fixed
RHEL 9	0:5.14.0-162.6.1.el9_1 fixed

Common Weakness Enumeration

CWE-476 - NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

References

https://git.kernel.org/stable/c/16cb6717f4f42487ef10583eb8bc98e7d1e33d65

https://git.kernel.org/stable/c/70965b6e5c03aa70cc754af1226b9f9cde0c4bf3

https://git.kernel.org/stable/c/77836dbe35382aaf8108489060c5c89530c77494

https://git.kernel.org/stable/c/7c1ddcee5311f3315096217881d2dbe47cc683f9

https://git.kernel.org/stable/c/e75b73081f1ec169518773626c2ff3950476660b