ghsa-h3mh-rq8w-j65m
Vulnerability from github
Published
2025-05-01 15:31
Modified
2025-05-01 15:31
Details

In the Linux kernel, the following vulnerability has been resolved:

i2c: piix4: Fix adapter not be removed in piix4_remove()

In piix4_probe(), the piix4 adapter will be registered in:

piix4_probe() piix4_add_adapters_sb800() / piix4_add_adapter() i2c_add_adapter()

Based on the probed device type, piix4_add_adapters_sb800() or single piix4_add_adapter() will be called. For the former case, piix4_adapter_count is set as the number of adapters, while for antoher case it is not set and kept default zero.

When piix4 is removed, piix4_remove() removes the adapters added in piix4_probe(), basing on the piix4_adapter_count value. Because the count is zero for the single adapter case, the adapter won't be removed and makes the sources allocated for adapter leaked, such as the i2c client and device.

These sources can still be accessed by i2c or bus and cause problems. An easily reproduced case is that if a new adapter is registered, i2c will get the leaked adapter and try to call smbus_algorithm, which was already freed:

Triggered by: rmmod i2c_piix4 && modprobe max31730

BUG: unable to handle page fault for address: ffffffffc053d860 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 3752 Comm: modprobe Tainted: G Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) RIP: 0010:i2c_default_probe (drivers/i2c/i2c-core-base.c:2259) i2c_core RSP: 0018:ffff888107477710 EFLAGS: 00000246 ... i2c_detect (drivers/i2c/i2c-core-base.c:2302) i2c_core __process_new_driver (drivers/i2c/i2c-core-base.c:1336) i2c_core bus_for_each_dev (drivers/base/bus.c:301) i2c_for_each_dev (drivers/i2c/i2c-core-base.c:1823) i2c_core i2c_register_driver (drivers/i2c/i2c-core-base.c:1861) i2c_core do_one_initcall (init/main.c:1296) do_init_module (kernel/module/main.c:2455) ... ---[ end trace 0000000000000000 ]---

Fix this problem by correctly set piix4_adapter_count as 1 for the single adapter so it can be normally removed.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-49900"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T15:16:15Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: piix4: Fix adapter not be removed in piix4_remove()\n\nIn piix4_probe(), the piix4 adapter will be registered in:\n\n   piix4_probe()\n     piix4_add_adapters_sb800() / piix4_add_adapter()\n       i2c_add_adapter()\n\nBased on the probed device type, piix4_add_adapters_sb800() or single\npiix4_add_adapter() will be called.\nFor the former case, piix4_adapter_count is set as the number of adapters,\nwhile for antoher case it is not set and kept default *zero*.\n\nWhen piix4 is removed, piix4_remove() removes the adapters added in\npiix4_probe(), basing on the piix4_adapter_count value.\nBecause the count is zero for the single adapter case, the adapter won\u0027t\nbe removed and makes the sources allocated for adapter leaked, such as\nthe i2c client and device.\n\nThese sources can still be accessed by i2c or bus and cause problems.\nAn easily reproduced case is that if a new adapter is registered, i2c\nwill get the leaked adapter and try to call smbus_algorithm, which was\nalready freed:\n\nTriggered by: rmmod i2c_piix4 \u0026\u0026 modprobe max31730\n\n BUG: unable to handle page fault for address: ffffffffc053d860\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n Oops: 0000 [#1] PREEMPT SMP KASAN\n CPU: 0 PID: 3752 Comm: modprobe Tainted: G\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)\n RIP: 0010:i2c_default_probe (drivers/i2c/i2c-core-base.c:2259) i2c_core\n RSP: 0018:ffff888107477710 EFLAGS: 00000246\n ...\n \u003cTASK\u003e\n  i2c_detect (drivers/i2c/i2c-core-base.c:2302) i2c_core\n  __process_new_driver (drivers/i2c/i2c-core-base.c:1336) i2c_core\n  bus_for_each_dev (drivers/base/bus.c:301)\n  i2c_for_each_dev (drivers/i2c/i2c-core-base.c:1823) i2c_core\n  i2c_register_driver (drivers/i2c/i2c-core-base.c:1861) i2c_core\n  do_one_initcall (init/main.c:1296)\n  do_init_module (kernel/module/main.c:2455)\n  ...\n \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---\n\nFix this problem by correctly set piix4_adapter_count as 1 for the\nsingle adapter so it can be normally removed.",
  "id": "GHSA-h3mh-rq8w-j65m",
  "modified": "2025-05-01T15:31:52Z",
  "published": "2025-05-01T15:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49900"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/569bea74c94d37785682b11bab76f557520477cd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bfd5e62f9a7ee214661cb6f143a3b40ccc63317f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d78ccdce662e88f41e87e90cf2bee63c1715d2a5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fe51636fffc8108c7c4da6aa393010e786530ad9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.