5.5

CVE-2022-50080

tee: add overflow check in register_shm_helper()

In the Linux kernel, the following vulnerability has been resolved:

tee: add overflow check in register_shm_helper()

With special lengths supplied by user space, register_shm_helper() has
an integer overflow when calculating the number of pages covered by a
supplied user space memory region.

This causes internal_get_user_pages_fast() a helper function of
pin_user_pages_fast() to do a NULL pointer dereference:

  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
  Modules linked in:
  CPU: 1 PID: 173 Comm: optee_example_a Not tainted 5.19.0 #11
  Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
  pc : internal_get_user_pages_fast+0x474/0xa80
  Call trace:
   internal_get_user_pages_fast+0x474/0xa80
   pin_user_pages_fast+0x24/0x4c
   register_shm_helper+0x194/0x330
   tee_shm_register_user_buf+0x78/0x120
   tee_ioctl+0xd0/0x11a0
   __arm64_sys_ioctl+0xa8/0xec
   invoke_syscall+0x48/0x114

Fix this by adding an an explicit call to access_ok() in
tee_shm_register_user_buf() to catch an invalid user space address
early.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 4.16 < 4.19.256
LinuxLinux Kernel Version >= 4.20 < 5.4.211
LinuxLinux Kernel Version >= 5.5 < 5.10.137
LinuxLinux Kernel Version >= 5.11 < 5.15.62
LinuxLinux Kernel Version >= 5.16 < 5.18.19
LinuxLinux Kernel Version >= 5.19 < 5.19.3
LinuxLinux Kernel Version6.0 Updaterc1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.22% 0.128
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

https://git.kernel.org/stable/c/b37e0f17653c00b586cdbcdf0dbca475358ecffd
Patch
https://git.kernel.org/stable/c/965333345fe952cc7eebc8e3a565ffc709441af2
Patch
https://git.kernel.org/stable/c/578c349570d2a912401963783b36e0ec7a25c053
Patch
https://git.kernel.org/stable/c/c12f0e6126ad223806a365084e86370511654bf1
Patch
https://git.kernel.org/stable/c/2f8e79a1a6128214cb9b205a9869341af5dfb16b
Patch
https://git.kernel.org/stable/c/58c008d4d398f792ca67f35650610864725518fd
Patch
https://git.kernel.org/stable/c/573ae4f13f630d6660008f1974c0a8a29c30e18a
Patch