CVE-2022-48707 in Linux
Summary
by MITRE • 05/21/2024
In the Linux kernel, the following vulnerability has been resolved:
cxl/region: Fix null pointer dereference for resetting decoder
Not all decoders have a reset callback.
The CXL specification allows a host bridge with a single root port to have no explicit HDM decoders. Currently the region driver assumes there are none. As such the CXL core creates a special pass through decoder instance without a commit/reset callback.
Prior to this patch, the ->reset() callback was called unconditionally when calling cxl_region_decode_reset. Thus a configuration with 1 Host Bridge, 1 Root Port, and one directly attached CXL type 3 device or multiple CXL type 3 devices attached to downstream ports of a switch can cause a null pointer dereference.
Before the fix, a kernel crash was observed when we destroy the region, and a pass through decoder is reset.
The issue can be reproduced as below:
1) create a region with a CXL setup which includes a HB with a single root port under which a memdev is attached directly.
2) destroy the region with cxl destroy-region regionX -f.
Analysis
by VulDB Data Team • 12/31/2024
CVE-2022-48707 is a critical null pointer dereference in the Linux kernel's Compute Express Link (CXL) subsystem, specifically in the CXL region driver's handling of decoder reset operations. The flaw is triggered when the kernel resets a decoder instance that has no reset callback, so the call goes through a null function pointer. The root cause is that the CXL specification allows a host bridge with a single root port to have no explicit HDM decoders; for that case the CXL core creates a special pass-through decoder instance that deliberately omits the commit and reset callbacks. The region driver, however, assumed that every decoder in the path carries a reset callback. This mismatch between the driver's assumption and the actual topology surfaces in configurations with a single host bridge and one root port, whether a CXL type 3 device is attached directly or several type 3 devices are attached through the downstream ports of a switch.
The defect sits in the cxl_region_decode_reset function, where the kernel invoked the ->reset() callback unconditionally without first checking that the function pointer is valid. Calling through an unchecked function pointer is the pattern catalogued as CWE-476 (NULL pointer dereference). On a system with a single host bridge and root port, the pass-through decoder created by the CXL core has no reset callback, so destroying a region walks the decoder chain, reaches the pass-through decoder, and calls a null pointer. The decoder was never initialized with a reset callback, and the result is an immediate kernel crash.
Beyond the crash itself, the vulnerability is a denial of service condition for data center and high-performance computing environments that rely on CXL for memory expansion and device connectivity. An attacker or a system administrator could trigger it through an ordinary region destruction, which is a particular concern on production systems where automated management tools may perform that operation. Kernel versions prior to the patch are affected, so a legitimate operation can cause a kernel panic and system instability. Server environments that use CXL devices for memory expansion are especially exposed: destroying a memory region can trigger the crash inadvertently and lead to data loss or service interruption.
Mitigation is to apply the kernel patch that adds a null pointer check to cxl_region_decode_reset before the reset callback is invoked, so that a decoder without a reset callback is skipped rather than dereferenced. System administrators should prioritize updating to a kernel version containing this patch, particularly in production environments where CXL devices are deployed. Until the patch is applied, monitoring should be in place to detect the trigger conditions, and region destruction should be avoided on configurations known to hit this scenario. The fix aligns with ATT&CK technique T1499.004, which covers the exploitation of kernel vulnerabilities for denial of service, and the case illustrates why validating function pointers before calling them matters in kernel code for system stability in enterprise computing environments.
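As an added illustration of the pre-fix and post-fix shapes described in the analysis above (this is a toy model written for this page, not the kernel's own code): a decoder chain for the one host bridge, one root port, directly attached memdev topology, where the root-port pass-through decoder has no reset callback. The struct decoder type, the committed flag and the function names are constructed for the example.

```c
#include <stddef.h>

/* Toy model of a CXL decoder (constructed for this example; the kernel's
 * struct cxl_decoder is far larger). The pass-through decoder that the CXL
 * core creates for a single-root-port host bridge has no reset callback. */
struct decoder {
    const char *name;
    int committed;
    int (*reset)(struct decoder *d);   /* NULL when no reset exists */
};

static int hdm_reset(struct decoder *d)
{
    d->committed = 0;
    return 0;
}

/* Topology from the advisory: one HB, one root port, memdev attached directly.
 * Reset walks from the endpoint back toward the root. */
struct decoder root        = { "host-bridge root decoder", 1, hdm_reset };
struct decoder passthrough = { "root-port pass-through decoder", 0, NULL };
struct decoder endpoint    = { "endpoint HDM decoder", 1, hdm_reset };
struct decoder *path[]     = { &root, &passthrough, &endpoint };
#define PATH_LEN 3

/* Pre-fix shape: the callback is called unconditionally, so reaching the
 * pass-through decoder calls a NULL pointer and the kernel oopses. */
int decode_reset_unchecked(struct decoder **p, int n)
{
    for (int i = n - 1; i >= 0; i--) {
        int rc = p[i]->reset(p[i]);    /* NULL dereference on passthrough */
        if (rc)
            return rc;
    }
    return 0;
}

/* Post-fix shape: a decoder without a reset callback is simply skipped. */
int decode_reset_checked(struct decoder **p, int n)
{
    for (int i = n - 1; i >= 0; i--) {
        int rc = 0;
        if (p[i]->reset)
            rc = p[i]->reset(p[i]);
        if (rc)
            return rc;
    }
    return 0;
}
```

Calling decode_reset_unchecked on this path would fault at the pass-through decoder; decode_reset_checked uncommits the two HDM decoders and leaves the pass-through decoder alone.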