{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-49070", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2025-02-26T01:49:39.244Z", "datePublished": "2025-02-26T01:54:36.360Z", "dateUpdated": "2025-02-26T01:54:36.360Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-02-26T01:54:36.360Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: Fix unregistering of framebuffers without device\n\nOF framebuffers do not have an underlying device in the Linux\ndevice hierarchy. Do a regular unregister call instead of hot\nunplugging such a non-existing device. Fixes a NULL dereference.\nAn example error message on ppc64le is shown below.\n\n BUG: Kernel NULL pointer dereference on read at 0x00000060\n Faulting instruction address: 0xc00000000080dfa4\n Oops: Kernel access of bad area, sig: 11 [#1]\n LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries\n [...]\n CPU: 2 PID: 139 Comm: systemd-udevd Not tainted 5.17.0-ae085d7f9365 #1\n NIP: c00000000080dfa4 LR: c00000000080df9c CTR: c000000000797430\n REGS: c000000004132fe0 TRAP: 0300 Not tainted (5.17.0-ae085d7f9365)\n MSR: 8000000002009033 <SF,VEC,EE,ME,IR,DR,RI,LE> CR: 28228282 XER: 20000000\n CFAR: c00000000000c80c DAR: 0000000000000060 DSISR: 40000000 IRQMASK: 0\n GPR00: c00000000080df9c c000000004133280 c00000000169d200 0000000000000029\n GPR04: 00000000ffffefff c000000004132f90 c000000004132f88 0000000000000000\n GPR08: c0000000015658f8 c0000000015cd200 c0000000014f57d0 0000000048228283\n GPR12: 0000000000000000 c00000003fffe300 0000000020000000 0000000000000000\n GPR16: 0000000000000000 0000000113fc4a40 0000000000000005 0000000113fcfb80\n GPR20: 000001000f7283b0 0000000000000000 c000000000e4a588 c000000000e4a5b0\n GPR24: 0000000000000001 00000000000a0000 c008000000db0168 c0000000021f6ec0\n GPR28: c0000000016d65a8 c000000004b36460 0000000000000000 c0000000016d64b0\n NIP [c00000000080dfa4] do_remove_conflicting_framebuffers+0x184/0x1d0\n [c000000004133280] [c00000000080df9c] do_remove_conflicting_framebuffers+0x17c/0x1d0 (unreliable)\n [c000000004133350] [c00000000080e4d0] remove_conflicting_framebuffers+0x60/0x150\n [c0000000041333a0] [c00000000080e6f4] remove_conflicting_pci_framebuffers+0x134/0x1b0\n [c000000004133450] [c008000000e70438] drm_aperture_remove_conflicting_pci_framebuffers+0x90/0x100 [drm]\n [c000000004133490] [c008000000da0ce4] bochs_pci_probe+0x6c/0xa64 [bochs]\n [...]\n [c000000004133db0] [c00000000002aaa0] system_call_exception+0x170/0x2d0\n [c000000004133e10] [c00000000000c3cc] system_call_common+0xec/0x250\n\nThe bug [1] was introduced by commit 27599aacbaef (\"fbdev: Hot-unplug\nfirmware fb devices on forced removal\"). Most firmware framebuffers\nhave an underlying platform device, which can be hot-unplugged\nbefore loading the native graphics driver. OF framebuffers do not\n(yet) have that device. Fix the code by unregistering the framebuffer\nas before without a hot unplug.\n\nTested with 5.17 on qemu ppc64le emulation."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/video/fbdev/core/fbmem.c"], "versions": [{"version": "c894ac44786cfed383a6c6b20c1bfb12eb96018a", "lessThan": "2388f826cdc9af2651991adc0feb79de9bdf2232", "status": "affected", "versionType": "git"}, {"version": "9565a3b5203a4d57acbc1d0e981c6df71864b4ab", "lessThan": "de33df481545974ba47c46f05194e769e4307843", "status": "affected", "versionType": "git"}, {"version": "4d695d7c276f15adb1d2b64c584c3cf8f4f9e9ce", "lessThan": "feed87ff122b1640c221d4dd559442ab2cd50bb1", "status": "affected", "versionType": "git"}, {"version": "27599aacbaefcbf2af7b06b0029459bbf682000d", "lessThan": "0f525289ff0ddeb380813bd81e0f9bdaaa1c9078", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/video/fbdev/core/fbmem.c"], "versions": [{"version": "5.15.33", "lessThan": "5.15.34", "status": "affected", "versionType": "semver"}, {"version": "5.16.19", "lessThan": "5.16.20", "status": "affected", "versionType": "semver"}, {"version": "5.17.2", "lessThan": "5.17.3", "status": "affected", "versionType": "semver"}]}], "references": [{"url": "https://git.kernel.org/stable/c/2388f826cdc9af2651991adc0feb79de9bdf2232"}, {"url": "https://git.kernel.org/stable/c/de33df481545974ba47c46f05194e769e4307843"}, {"url": "https://git.kernel.org/stable/c/feed87ff122b1640c221d4dd559442ab2cd50bb1"}, {"url": "https://git.kernel.org/stable/c/0f525289ff0ddeb380813bd81e0f9bdaaa1c9078"}], "title": "fbdev: Fix unregistering of framebuffers without device", "x_generator": {"engine": "bippy-5f407fcff5a0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:5.15.33:*:*:*:*:*:*:*", "matchCriteriaId": "6131A2B3-2D6E-458C-84F4-DD3DAA7821FF", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.16.19:*:*:*:*:*:*:*", "matchCriteriaId": "C2874235-06C6-40EC-97B6-C17C6985DE5D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17.2:*:*:*:*:*:*:*", "matchCriteriaId": "EB6B77A5-BC82-489A-BB4D-89562A8B34E4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: Fix unregistering of framebuffers without device\n\nOF framebuffers do not have an underlying device in the Linux\ndevice hierarchy. Do a regular unregister call instead of hot\nunplugging such a non-existing device. Fixes a NULL dereference.\nAn example error message on ppc64le is shown below.\n\n BUG: Kernel NULL pointer dereference on read at 0x00000060\n Faulting instruction address: 0xc00000000080dfa4\n Oops: Kernel access of bad area, sig: 11 [#1]\n LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries\n [...]\n CPU: 2 PID: 139 Comm: systemd-udevd Not tainted 5.17.0-ae085d7f9365 #1\n NIP: c00000000080dfa4 LR: c00000000080df9c CTR: c000000000797430\n REGS: c000000004132fe0 TRAP: 0300 Not tainted (5.17.0-ae085d7f9365)\n MSR: 8000000002009033 <SF,VEC,EE,ME,IR,DR,RI,LE> CR: 28228282 XER: 20000000\n CFAR: c00000000000c80c DAR: 0000000000000060 DSISR: 40000000 IRQMASK: 0\n GPR00: c00000000080df9c c000000004133280 c00000000169d200 0000000000000029\n GPR04: 00000000ffffefff c000000004132f90 c000000004132f88 0000000000000000\n GPR08: c0000000015658f8 c0000000015cd200 c0000000014f57d0 0000000048228283\n GPR12: 0000000000000000 c00000003fffe300 0000000020000000 0000000000000000\n GPR16: 0000000000000000 0000000113fc4a40 0000000000000005 0000000113fcfb80\n GPR20: 000001000f7283b0 0000000000000000 c000000000e4a588 c000000000e4a5b0\n GPR24: 0000000000000001 00000000000a0000 c008000000db0168 c0000000021f6ec0\n GPR28: c0000000016d65a8 c000000004b36460 0000000000000000 c0000000016d64b0\n NIP [c00000000080dfa4] do_remove_conflicting_framebuffers+0x184/0x1d0\n [c000000004133280] [c00000000080df9c] do_remove_conflicting_framebuffers+0x17c/0x1d0 (unreliable)\n [c000000004133350] [c00000000080e4d0] remove_conflicting_framebuffers+0x60/0x150\n [c0000000041333a0] [c00000000080e6f4] remove_conflicting_pci_framebuffers+0x134/0x1b0\n [c000000004133450] [c008000000e70438] drm_aperture_remove_conflicting_pci_framebuffers+0x90/0x100 [drm]\n [c000000004133490] [c008000000da0ce4] bochs_pci_probe+0x6c/0xa64 [bochs]\n [...]\n [c000000004133db0] [c00000000002aaa0] system_call_exception+0x170/0x2d0\n [c000000004133e10] [c00000000000c3cc] system_call_common+0xec/0x250\n\nThe bug [1] was introduced by commit 27599aacbaef (\"fbdev: Hot-unplug\nfirmware fb devices on forced removal\"). Most firmware framebuffers\nhave an underlying platform device, which can be hot-unplugged\nbefore loading the native graphics driver. OF framebuffers do not\n(yet) have that device. Fix the code by unregistering the framebuffer\nas before without a hot unplug.\n\nTested with 5.17 on qemu ppc64le emulation."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: fbdev: Se corrige la anulaci\u00f3n del registro de los framebuffers sin dispositivo. Los framebuffers OF no tienen un dispositivo subyacente en la jerarqu\u00eda de dispositivos de Linux. Se realiza una llamada de anulaci\u00f3n del registro normal en lugar de desconectar en caliente un dispositivo inexistente. Se corrige una desreferencia NULL. A continuaci\u00f3n se muestra un mensaje de error de ejemplo en ppc64le. ERROR: Desreferencia de puntero NULL del kernel en lectura en 0x00000060 Direcci\u00f3n de instrucci\u00f3n con error: 0xc00000000080dfa4 Oops: Acceso del kernel al \u00e1rea defectuosa, firma: 11 [#1] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries [...] CPU: 2 PID: 139 Comm: systemd-udevd No contaminado 5.17.0-ae085d7f9365 #1 NIP: c00000000080dfa4 LR: c00000000080df9c CTR: c000000000797430 REGS: c000000004132fe0 TRAP: 0300 No contaminado (5.17.0-ae085d7f9365) MSR: 8000000002009033 CR: 28228282 XER: 20000000 CFAR: c00000000000c80c DAR: 0000000000000060 DSISR: 40000000 IRQMASK: 0 GPR00: c00000000080df9c c000000004133280 c00000000169d200 0000000000000029 GPR04: 00000000fffffff c000000004132f90 c000000004132f88 00000000000000000 GPR08: c0000000015658f8 c0000000015cd200 c0000000014f57d0 0000000048228283 GPR12: 000000000000000 c0000003fffe300 000000002000000 000000000000000 GPR16: 000000000000000 0000000113fc4a40 000000000000005 0000000113fcfb80 GPR20: 000001000f7283b0 0000000000000000 c000000000e4a588 c000000000e4a5b0 GPR24: 0000000000000001 00000000000a000 c008000000db0168 c0000000021f6ec0 GPR28: c0000000016d65a8 c000000004b36460 000000000000000 c0000000016d64b0 PIP [c00000000080dfa4] do_remove_conflicting_framebuffers+0x184/0x1d0 [c000000004133280] [c00000000080df9c] do_remove_conflicting_framebuffers+0x17c/0x1d0 (no confiable) [c000000004133350] [c00000000080e4d0] remove_conflicting_framebuffers+0x60/0x150 [c0000000041333a0] [c00000000080e6f4] remove_conflicting_pci_framebuffers+0x134/0x1b0 [c000000004133450] [c008000000e70438] drm_aperture_remove_conflicting_pci_framebuffers+0x90/0x100 [drm] [c000000004133490] [c008000000da0ce4] bochs_pci_probe+0x6c/0xa64 [bochs] [...] [c000000004133db0] [c00000000002aaa0] system_call_exception+0x170/0x2d0 [c000000004133e10] [c00000000000c3cc] system_call_common+0xec/0x250 El error [1] fue introducido por el commit 27599aacbaef (\"fbdev: Desconexi\u00f3n en caliente dispositivos fb de firmware en caso de eliminaci\u00f3n forzada\"). La mayor\u00eda de los framebuffers de firmware tienen un dispositivo de plataforma subyacente, que se puede desconectar en caliente antes de cargar el controlador de gr\u00e1ficos nativo. Los framebuffers de OF no tienen (todav\u00eda) ese dispositivo. Corrija el c\u00f3digo anulando el registro del framebuffer como antes sin una desconexi\u00f3n en caliente. Probado con 5.17 en emulaci\u00f3n qemu ppc64le."}], "id": "CVE-2022-49070", "lastModified": "2025-03-18T18:47:17.543", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-02-26T07:00:44.217", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0f525289ff0ddeb380813bd81e0f9bdaaa1c9078"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2388f826cdc9af2651991adc0feb79de9bdf2232"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/de33df481545974ba47c46f05194e769e4307843"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/feed87ff122b1640c221d4dd559442ab2cd50bb1"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: fbdev: Fix unregistering of framebuffers without device", "id": "2347832", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2347832"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nfbdev: Fix unregistering of framebuffers without device\nOF framebuffers do not have an underlying device in the Linux\ndevice hierarchy. Do a regular unregister call instead of hot\nunplugging such a non-existing device. Fixes a NULL dereference.\nAn example error message on ppc64le is shown below.\nBUG: Kernel NULL pointer dereference on read at 0x00000060\nFaulting instruction address: 0xc00000000080dfa4\nOops: Kernel access of bad area, sig: 11 [#1]\nLE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries\n[...]\nCPU: 2 PID: 139 Comm: systemd-udevd Not tainted 5.17.0-ae085d7f9365 #1\nNIP: c00000000080dfa4 LR: c00000000080df9c CTR: c000000000797430\nREGS: c000000004132fe0 TRAP: 0300 Not tainted (5.17.0-ae085d7f9365)\nMSR: 8000000002009033 <SF,VEC,EE,ME,IR,DR,RI,LE> CR: 28228282 XER: 20000000\nCFAR: c00000000000c80c DAR: 0000000000000060 DSISR: 40000000 IRQMASK: 0\nGPR00: c00000000080df9c c000000004133280 c00000000169d200 0000000000000029\nGPR04: 00000000ffffefff c000000004132f90 c000000004132f88 0000000000000000\nGPR08: c0000000015658f8 c0000000015cd200 c0000000014f57d0 0000000048228283\nGPR12: 0000000000000000 c00000003fffe300 0000000020000000 0000000000000000\nGPR16: 0000000000000000 0000000113fc4a40 0000000000000005 0000000113fcfb80\nGPR20: 000001000f7283b0 0000000000000000 c000000000e4a588 c000000000e4a5b0\nGPR24: 0000000000000001 00000000000a0000 c008000000db0168 c0000000021f6ec0\nGPR28: c0000000016d65a8 c000000004b36460 0000000000000000 c0000000016d64b0\nNIP [c00000000080dfa4] do_remove_conflicting_framebuffers+0x184/0x1d0\n[c000000004133280] [c00000000080df9c] do_remove_conflicting_framebuffers+0x17c/0x1d0 (unreliable)\n[c000000004133350] [c00000000080e4d0] remove_conflicting_framebuffers+0x60/0x150\n[c0000000041333a0] [c00000000080e6f4] remove_conflicting_pci_framebuffers+0x134/0x1b0\n[c000000004133450] [c008000000e70438] drm_aperture_remove_conflicting_pci_framebuffers+0x90/0x100 [drm]\n[c000000004133490] [c008000000da0ce4] bochs_pci_probe+0x6c/0xa64 [bochs]\n[...]\n[c000000004133db0] [c00000000002aaa0] system_call_exception+0x170/0x2d0\n[c000000004133e10] [c00000000000c3cc] system_call_common+0xec/0x250\nThe bug [1] was introduced by commit 27599aacbaef (\"fbdev: Hot-unplug\nfirmware fb devices on forced removal\"). Most firmware framebuffers\nhave an underlying platform device, which can be hot-unplugged\nbefore loading the native graphics driver. OF framebuffers do not\n(yet) have that device. Fix the code by unregistering the framebuffer\nas before without a hot unplug.\nTested with 5.17 on qemu ppc64le emulation."], "name": "CVE-2022-49070", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-02-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-49070\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49070\nhttps://lore.kernel.org/linux-cve-announce/2025022655-CVE-2022-49070-6511@gregkh/T"], "threat_severity": "Low"}