CVE-2022-49900

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-49900
In the Linux kernel, the following vulnerability has been resolved: i2c: piix4: Fix adapter not be removed in piix4_remove() In piix4_probe(), the piix4 adapter will be registered in: piix4_probe() piix4_add_adapters_sb800() / piix4_add_adapter() i2c_add_adapter() Based on the probed device type, piix4_add_adapters_sb800() or single piix4_add_adapter() will be called. For the former case, piix4_adapter_count is set as the number of adapters, while for antoher case it is not set and kept default *zero*. When piix4 is removed, piix4_remove() removes the adapters added in piix4_probe(), basing on the piix4_adapter_count value. Because the count is zero for the single adapter case, the adapter won't be removed and makes the sources allocated for adapter leaked, such as the i2c client and device. These sources can still be accessed by i2c or bus and cause problems. An easily reproduced case is that if a new adapter is registered, i2c will get the leaked adapter and try to call smbus_algorithm, which was already freed: Triggered by: rmmod i2c_piix4 && modprobe max31730 BUG: unable to handle page fault for address: ffffffffc053d860 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 3752 Comm: modprobe Tainted: G Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) RIP: 0010:i2c_default_probe (drivers/i2c/i2c-core-base.c:2259) i2c_core RSP: 0018:ffff888107477710 EFLAGS: 00000246 ... <TASK> i2c_detect (drivers/i2c/i2c-core-base.c:2302) i2c_core __process_new_driver (drivers/i2c/i2c-core-base.c:1336) i2c_core bus_for_each_dev (drivers/base/bus.c:301) i2c_for_each_dev (drivers/i2c/i2c-core-base.c:1823) i2c_core i2c_register_driver (drivers/i2c/i2c-core-base.c:1861) i2c_core do_one_initcall (init/main.c:1296) do_init_module (kernel/module/main.c:2455) ... </TASK> ---[ end trace 0000000000000000 ]--- Fix this problem by correctly set piix4_adapter_count as 1 for the single adapter so it can be normally removed.

7.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://git.kernel.org/stable/c/569bea74c94d37785682b11bab76f557520477cd Patch
https://git.kernel.org/stable/c/bfd5e62f9a7ee214661cb6f143a3b40ccc63317f Patch
https://git.kernel.org/stable/c/d78ccdce662e88f41e87e90cf2bee63c1715d2a5 Patch
https://git.kernel.org/stable/c/fe51636fffc8108c7c4da6aa393010e786530ad9 Patch
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*
History

10 Nov 2025, 21:18

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.8
CWE CWE-415
First Time Linux
Linux linux Kernel
CPE cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
References () https://git.kernel.org/stable/c/569bea74c94d37785682b11bab76f557520477cd - () https://git.kernel.org/stable/c/569bea74c94d37785682b11bab76f557520477cd - Patch
References () https://git.kernel.org/stable/c/bfd5e62f9a7ee214661cb6f143a3b40ccc63317f - () https://git.kernel.org/stable/c/bfd5e62f9a7ee214661cb6f143a3b40ccc63317f - Patch
References () https://git.kernel.org/stable/c/d78ccdce662e88f41e87e90cf2bee63c1715d2a5 - () https://git.kernel.org/stable/c/d78ccdce662e88f41e87e90cf2bee63c1715d2a5 - Patch
References () https://git.kernel.org/stable/c/fe51636fffc8108c7c4da6aa393010e786530ad9 - () https://git.kernel.org/stable/c/fe51636fffc8108c7c4da6aa393010e786530ad9 - Patch

02 May 2025, 13:52

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: i2c: piix4: Adaptador de corrección que no se eliminará en piix4_remove() En piix4_probe(), el adaptador piix4 se registrará en: piix4_probe() piix4_add_adapters_sb800() / piix4_add_adapter() i2c_add_adapter() En función del tipo de dispositivo sondeado, se llamará a piix4_add_adapters_sb800() o a un solo piix4_add_adapter(). Para el primer caso, piix4_adapter_count se establece como el número de adaptadores, mientras que para otro caso no se establece y se mantiene predeterminado *cero*. Cuando se elimina piix4, piix4_remove() elimina los adaptadores agregados en piix4_probe(), basándose en el valor de piix4_adapter_count. Dado que el conteo es cero en el caso de un solo adaptador, este no se eliminará y se filtrarán las fuentes asignadas, como el cliente y el dispositivo i2c. Estas fuentes aún pueden ser accedidas por i2c o el bus, lo que puede causar problemas. Un caso que se reproduce fácilmente es que si se registra un nuevo adaptador, i2c obtendrá el adaptador filtrado e intentará llamar a smbus_algorithm, que ya se había liberado: Activado por: rmmod i2c_piix4 y modprobe max31730 ERROR: no se puede controlar el error de página para la dirección: ffffffffc053d860 #PF: acceso de lectura del supervisor en modo kernel #PF: error_code(0x0000) - página no presente Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 3752 Comm: modprobe Tainted: G Nombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996) RIP: 0010:i2c_default_probe (drivers/i2c/i2c-core-base.c:2259) i2c_core RSP: 0018:ffff888107477710 EFLAGS: 00000246 ... i2c_detect (controladores/i2c/i2c-core-base.c:2302) i2c_core __process_new_driver (controladores/i2c/i2c-core-base.c:1336) i2c_core bus_for_each_dev (controladores/base/bus.c:301) i2c_for_each_dev (controladores/i2c/i2c-core-base.c:1823) i2c_core i2c_register_driver (controladores/i2c/i2c-core-base.c:1861) i2c_core do_one_initcall (init/main.c:1296) do_init_module (kernel/module/main.c:2455) ... ---[ fin del seguimiento 0000000000000000 ]--- Solucione este problema configurando correctamente piix4_adapter_count como 1 para el adaptador único de modo que se pueda quitar normalmente.

01 May 2025, 15:16

Type Values Removed Values Added
New CVE
Information

Published : 2025-05-01 15:16

Updated : 2025-11-10 21:18

NVD link : CVE-2022-49900

Mitre link : CVE-2022-49900

CVE.ORG link : CVE-2022-49900

JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-415

Double Free