CVE-2022-48703

thermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR

Severity Score

5.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: thermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR In some case, the GDDV returns a package with a buffer which has
zero length. It causes that kmemdup() returns ZERO_SIZE_PTR (0x10). Then the data_vault_read() got NULL point dereference problem when
accessing the 0x10 value in data_vault. [ 71.024560] BUG: kernel NULL pointer dereference, address:
0000000000000010 This patch uses ZERO_OR_NULL_PTR() for checking ZERO_SIZE_PTR or
NULL value in data_vault.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: Thermal/int340x_thermal: maneja data_vault cuando el valor es ZERO_SIZE_PTR. En algunos casos, el GDDV devuelve un paquete con un buffer que tiene longitud cero. Provoca que kmemdup() devuelva ZERO_SIZE_PTR (0x10). Luego, data_vault_read() tuvo un problema de desreferencia de punto NULL al acceder al valor 0x10 en data_vault. [71.024560] ERROR: desreferencia del puntero NULL del kernel, dirección: 00000000000000010 Este parche usa ZERO_OR_NULL_PTR() para verificar ZERO_SIZE_PTR o el valor NULL en data_vault.

A flaw was found in the Linux kernel in the `thermal/int340x_thermal` driver. This issue occurs when the Global Device Data Vault (GDDV) returns a zero-length buffer, causing the `kmemdup()` function to return a `ZERO_SIZE_PTR` (0x10), leading to a NULL pointer dereference in `data_vault_read()`, potentially causing a kernel crash. The issue has been fixed by adding checks for `ZERO_SIZE_PTR` or `NULL` using the `ZERO_OR_NULL_PTR()` macro.

In the Linux kernel, the following vulnerability has been resolved: thermal/int340x_thermal: handle data_vault when the value is ZERO_SIZE_PTR In some case, the GDDV returns a package with a buffer which has zero length. It causes that kmemdup() returns ZERO_SIZE_PTR (0x10). Then the data_vault_read() got NULL point dereference problem when accessing the 0x10 value in data_vault. [ 71.024560] BUG: kernel NULL pointer dereference, address: 0000000000000010 This patch uses ZERO_OR_NULL_PTR() for checking ZERO_SIZE_PTR or NULL value in data_vault.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-03 CVE Reserved
2024-05-03 CVE Published
2024-12-19 CVE Updated
2025-03-18 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (4)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/dae42083b045a4ddf71c57cf350cb2412b5915c2	2022-09-15
https://git.kernel.org/stable/c/7931e28098a4c1a2a6802510b0cbe57546d2049d	2022-08-23

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2022-48703	2024-11-12
https://bugzilla.redhat.com/show_bug.cgi?id=2278960	2024-11-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 5.19.9 Search vendor "Linux" for product "Linux Kernel" and version " < 5.19.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				< 6.0 Search vendor "Linux" for product "Linux Kernel" and version " < 6.0"		en		Affected