cve-2022-49900
Vulnerability from cvelistv5
Published
2025-05-01 14:10
Modified
2025-05-04 08:48
Severity ?
EPSS score ?
Summary
i2c: piix4: Fix adapter not be removed in piix4_remove()
References
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-piix4.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "bfd5e62f9a7ee214661cb6f143a3b40ccc63317f",
"status": "affected",
"version": "528d53a1592b0e27c423f7cafc1df85f77fc1163",
"versionType": "git"
},
{
"lessThan": "d78ccdce662e88f41e87e90cf2bee63c1715d2a5",
"status": "affected",
"version": "528d53a1592b0e27c423f7cafc1df85f77fc1163",
"versionType": "git"
},
{
"lessThan": "fe51636fffc8108c7c4da6aa393010e786530ad9",
"status": "affected",
"version": "528d53a1592b0e27c423f7cafc1df85f77fc1163",
"versionType": "git"
},
{
"lessThan": "569bea74c94d37785682b11bab76f557520477cd",
"status": "affected",
"version": "528d53a1592b0e27c423f7cafc1df85f77fc1163",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/i2c/busses/i2c-piix4.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.4"
},
{
"lessThan": "5.4",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.154",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.78",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.8",
"versionStartIncluding": "5.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: piix4: Fix adapter not be removed in piix4_remove()\n\nIn piix4_probe(), the piix4 adapter will be registered in:\n\n piix4_probe()\n piix4_add_adapters_sb800() / piix4_add_adapter()\n i2c_add_adapter()\n\nBased on the probed device type, piix4_add_adapters_sb800() or single\npiix4_add_adapter() will be called.\nFor the former case, piix4_adapter_count is set as the number of adapters,\nwhile for antoher case it is not set and kept default *zero*.\n\nWhen piix4 is removed, piix4_remove() removes the adapters added in\npiix4_probe(), basing on the piix4_adapter_count value.\nBecause the count is zero for the single adapter case, the adapter won\u0027t\nbe removed and makes the sources allocated for adapter leaked, such as\nthe i2c client and device.\n\nThese sources can still be accessed by i2c or bus and cause problems.\nAn easily reproduced case is that if a new adapter is registered, i2c\nwill get the leaked adapter and try to call smbus_algorithm, which was\nalready freed:\n\nTriggered by: rmmod i2c_piix4 \u0026\u0026 modprobe max31730\n\n BUG: unable to handle page fault for address: ffffffffc053d860\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n Oops: 0000 [#1] PREEMPT SMP KASAN\n CPU: 0 PID: 3752 Comm: modprobe Tainted: G\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n RIP: 0010:i2c_default_probe (drivers/i2c/i2c-core-base.c:2259) i2c_core\n RSP: 0018:ffff888107477710 EFLAGS: 00000246\n ...\n \u003cTASK\u003e\n i2c_detect (drivers/i2c/i2c-core-base.c:2302) i2c_core\n __process_new_driver (drivers/i2c/i2c-core-base.c:1336) i2c_core\n bus_for_each_dev (drivers/base/bus.c:301)\n i2c_for_each_dev (drivers/i2c/i2c-core-base.c:1823) i2c_core\n i2c_register_driver (drivers/i2c/i2c-core-base.c:1861) i2c_core\n do_one_initcall (init/main.c:1296)\n do_init_module (kernel/module/main.c:2455)\n ...\n \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---\n\nFix this problem by correctly set piix4_adapter_count as 1 for the\nsingle adapter so it can be normally removed."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T08:48:16.248Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/bfd5e62f9a7ee214661cb6f143a3b40ccc63317f"
},
{
"url": "https://git.kernel.org/stable/c/d78ccdce662e88f41e87e90cf2bee63c1715d2a5"
},
{
"url": "https://git.kernel.org/stable/c/fe51636fffc8108c7c4da6aa393010e786530ad9"
},
{
"url": "https://git.kernel.org/stable/c/569bea74c94d37785682b11bab76f557520477cd"
}
],
"title": "i2c: piix4: Fix adapter not be removed in piix4_remove()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49900",
"datePublished": "2025-05-01T14:10:46.362Z",
"dateReserved": "2025-05-01T14:05:17.244Z",
"dateUpdated": "2025-05-04T08:48:16.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2022-49900\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-05-01T15:16:15.060\",\"lastModified\":\"2025-05-02T13:52:51.693\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ni2c: piix4: Fix adapter not be removed in piix4_remove()\\n\\nIn piix4_probe(), the piix4 adapter will be registered in:\\n\\n piix4_probe()\\n piix4_add_adapters_sb800() / piix4_add_adapter()\\n i2c_add_adapter()\\n\\nBased on the probed device type, piix4_add_adapters_sb800() or single\\npiix4_add_adapter() will be called.\\nFor the former case, piix4_adapter_count is set as the number of adapters,\\nwhile for antoher case it is not set and kept default *zero*.\\n\\nWhen piix4 is removed, piix4_remove() removes the adapters added in\\npiix4_probe(), basing on the piix4_adapter_count value.\\nBecause the count is zero for the single adapter case, the adapter won\u0027t\\nbe removed and makes the sources allocated for adapter leaked, such as\\nthe i2c client and device.\\n\\nThese sources can still be accessed by i2c or bus and cause problems.\\nAn easily reproduced case is that if a new adapter is registered, i2c\\nwill get the leaked adapter and try to call smbus_algorithm, which was\\nalready freed:\\n\\nTriggered by: rmmod i2c_piix4 \u0026\u0026 modprobe max31730\\n\\n BUG: unable to handle page fault for address: ffffffffc053d860\\n #PF: supervisor read access in kernel mode\\n #PF: error_code(0x0000) - not-present page\\n Oops: 0000 [#1] PREEMPT SMP KASAN\\n CPU: 0 PID: 3752 Comm: modprobe Tainted: G\\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\\n RIP: 0010:i2c_default_probe (drivers/i2c/i2c-core-base.c:2259) i2c_core\\n RSP: 0018:ffff888107477710 EFLAGS: 00000246\\n ...\\n \u003cTASK\u003e\\n i2c_detect (drivers/i2c/i2c-core-base.c:2302) i2c_core\\n __process_new_driver (drivers/i2c/i2c-core-base.c:1336) i2c_core\\n bus_for_each_dev (drivers/base/bus.c:301)\\n i2c_for_each_dev (drivers/i2c/i2c-core-base.c:1823) i2c_core\\n i2c_register_driver (drivers/i2c/i2c-core-base.c:1861) i2c_core\\n do_one_initcall (init/main.c:1296)\\n do_init_module (kernel/module/main.c:2455)\\n ...\\n \u003c/TASK\u003e\\n ---[ end trace 0000000000000000 ]---\\n\\nFix this problem by correctly set piix4_adapter_count as 1 for the\\nsingle adapter so it can be normally removed.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: i2c: piix4: Adaptador de correcci\u00f3n que no se eliminar\u00e1 en piix4_remove() En piix4_probe(), el adaptador piix4 se registrar\u00e1 en: piix4_probe() piix4_add_adapters_sb800() / piix4_add_adapter() i2c_add_adapter() En funci\u00f3n del tipo de dispositivo sondeado, se llamar\u00e1 a piix4_add_adapters_sb800() o a un solo piix4_add_adapter(). Para el primer caso, piix4_adapter_count se establece como el n\u00famero de adaptadores, mientras que para otro caso no se establece y se mantiene predeterminado *cero*. Cuando se elimina piix4, piix4_remove() elimina los adaptadores agregados en piix4_probe(), bas\u00e1ndose en el valor de piix4_adapter_count. Dado que el conteo es cero en el caso de un solo adaptador, este no se eliminar\u00e1 y se filtrar\u00e1n las fuentes asignadas, como el cliente y el dispositivo i2c. Estas fuentes a\u00fan pueden ser accedidas por i2c o el bus, lo que puede causar problemas. Un caso que se reproduce f\u00e1cilmente es que si se registra un nuevo adaptador, i2c obtendr\u00e1 el adaptador filtrado e intentar\u00e1 llamar a smbus_algorithm, que ya se hab\u00eda liberado: Activado por: rmmod i2c_piix4 y modprobe max31730 ERROR: no se puede controlar el error de p\u00e1gina para la direcci\u00f3n: ffffffffc053d860 #PF: acceso de lectura del supervisor en modo kernel #PF: error_code(0x0000) - p\u00e1gina no presente Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 3752 Comm: modprobe Tainted: G Nombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996) RIP: 0010:i2c_default_probe (drivers/i2c/i2c-core-base.c:2259) i2c_core RSP: 0018:ffff888107477710 EFLAGS: 00000246 ... i2c_detect (controladores/i2c/i2c-core-base.c:2302) i2c_core __process_new_driver (controladores/i2c/i2c-core-base.c:1336) i2c_core bus_for_each_dev (controladores/base/bus.c:301) i2c_for_each_dev (controladores/i2c/i2c-core-base.c:1823) i2c_core i2c_register_driver (controladores/i2c/i2c-core-base.c:1861) i2c_core do_one_initcall (init/main.c:1296) do_init_module (kernel/module/main.c:2455) ... ---[ fin del seguimiento 0000000000000000 ]--- Solucione este problema configurando correctamente piix4_adapter_count como 1 para el adaptador \u00fanico de modo que se pueda quitar normalmente.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/569bea74c94d37785682b11bab76f557520477cd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bfd5e62f9a7ee214661cb6f143a3b40ccc63317f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d78ccdce662e88f41e87e90cf2bee63c1715d2a5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fe51636fffc8108c7c4da6aa393010e786530ad9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.