{"timestamp":"2024-09-10T16:05:32.027830Z","id":"CVE-2022-48870","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}

[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["drivers/accessibility/speakup/spk_ttyio.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"4f2a81f3a88217e7340b2cab5c0a5ebd0112514c","lessThan":"2da67bff29ab49caafb0766e8b8383b735ff796f","versionType":"git","status":"affected"},{"version":"4f2a81f3a88217e7340b2cab5c0a5ebd0112514c","lessThan":"64152e05a4de3ebf59f1740a0985a6d5fba0c77b","versionType":"git","status":"affected"},{"version":"4f2a81f3a88217e7340b2cab5c0a5ebd0112514c","lessThan":"5abbeebd8296c2301023b8dc4b5a6c0d5229b4f5","versionType":"git","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["drivers/accessibility/speakup/spk_ttyio.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"5.12","status":"affected"},{"version":"0","lessThan":"5.12","versionType":"semver","status":"unaffected"},{"version":"5.15.90","lessThanOrEqual":"5.15.*","versionType":"semver","status":"unaffected"},{"version":"6.1.8","lessThanOrEqual":"6.1.*","versionType":"semver","status":"unaffected"},{"version":"6.2","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]

NIST AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

NIST CWE-476

OR
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.12 up to (excluding) 5.15.90
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.8

https://git.kernel.org/stable/c/2da67bff29ab49caafb0766e8b8383b735ff796f No Types Assigned

https://git.kernel.org/stable/c/2da67bff29ab49caafb0766e8b8383b735ff796f Patch

https://git.kernel.org/stable/c/5abbeebd8296c2301023b8dc4b5a6c0d5229b4f5 No Types Assigned

https://git.kernel.org/stable/c/5abbeebd8296c2301023b8dc4b5a6c0d5229b4f5 Patch

https://git.kernel.org/stable/c/64152e05a4de3ebf59f1740a0985a6d5fba0c77b No Types Assigned

https://git.kernel.org/stable/c/64152e05a4de3ebf59f1740a0985a6d5fba0c77b Patch

In the Linux kernel, the following vulnerability has been resolved:

tty: fix possible null-ptr-defer in spk_ttyio_release

Run the following tests on the qemu platform:

syzkaller:~# modprobe speakup_audptr
 input: Speakup as /devices/virtual/input/input4
 initialized device: /dev/synth, node (MAJOR 10, MINOR 125)
 speakup 3.1.6: initialized
 synth name on entry is: (null)
 synth probe

spk_ttyio_initialise_ldisc failed because tty_kopen_exclusive returned
failed (errno -16), then remove the module, we will get a null-ptr-defer
problem, as follow:

syzkaller:~# modprobe -r speakup_audptr
 releasing synth audptr
 BUG: kernel NULL pointer dereference, address: 0000000000000080
 #PF: supervisor write access in kernel mode
 #PF: error_code(0x0002) - not-present page
 PGD 0 P4D 0
 Oops: 0002 [#1] PREEMPT SMP PTI
 CPU: 2 PID: 204 Comm: modprobe Not tainted 6.1.0-rc6-dirty #1
 RIP: 0010:mutex_lock+0x14/0x30
 Call Trace:
 <TASK>
  spk_ttyio_release+0x19/0x70 [speakup]
  synth_release.part.6+0xac/0xc0 [speakup]
  synth_remove+0x56/0x60 [speakup]
  __x64_sys_delete_module+0x156/0x250
  ? fpregs_assert_state_consistent+0x1d/0x50
  do_syscall_64+0x37/0x90
  entry_SYSCALL_64_after_hwframe+0x63/0xcd
 </TASK>
 Modules linked in: speakup_audptr(-) speakup
 Dumping ftrace buffer:

in_synth->dev was not initialized during modprobe, so we add check
for in_synth->dev to fix this bug.

kernel.org https://git.kernel.org/stable/c/2da67bff29ab49caafb0766e8b8383b735ff796f [No types assigned]

kernel.org https://git.kernel.org/stable/c/5abbeebd8296c2301023b8dc4b5a6c0d5229b4f5 [No types assigned]

kernel.org https://git.kernel.org/stable/c/64152e05a4de3ebf59f1740a0985a6d5fba0c77b [No types assigned]