CVE-2022-48761 in Linux
Summary
by MITRE • 06/20/2024
In the Linux kernel, the following vulnerability has been resolved:
usb: xhci-plat: fix crash when suspend if remote wake enable
Crashed at i.mx8qm platform when suspend if enable remote wakeup
Internal error: synchronous external abort: 96000210 [#1] PREEMPT SMP
Modules linked in: CPU: 2 PID: 244 Comm: kworker/u12:6 Not tainted 5.15.5-dirty #12 Hardware name: Freescale i.MX8QM MEK (DT) Workqueue: events_unbound async_run_entry_fn pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : xhci_disable_hub_port_wake.isra.62+0x60/0xf8 lr : xhci_disable_hub_port_wake.isra.62+0x34/0xf8 sp : ffff80001394bbf0 x29: ffff80001394bbf0 x28: 0000000000000000 x27: ffff00081193b578 x26: ffff00081193b570 x25: 0000000000000000 x24: 0000000000000000 x23: ffff00081193a29c x22: 0000000000020001 x21: 0000000000000001 x20: 0000000000000000 x19: ffff800014e90490 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000002 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000960 x9 : ffff80001394baa0 x8 : ffff0008145d1780 x7 : ffff0008f95b8e80 x6 : 000000001853b453 x5 : 0000000000000496 x4 : 0000000000000000 x3 : ffff00081193a29c x2 : 0000000000000001 x1 : 0000000000000000 x0 : ffff000814591620 Call trace: xhci_disable_hub_port_wake.isra.62+0x60/0xf8 xhci_suspend+0x58/0x510 xhci_plat_suspend+0x50/0x78 platform_pm_suspend+0x2c/0x78 dpm_run_callback.isra.25+0x50/0xe8 __device_suspend+0x108/0x3c0
The basic flow: 1. run time suspend call xhci_suspend, xhci parent devices gate the clock. 2. echo mem >/sys/power/state, system _device_suspend call xhci_suspend 3. xhci_suspend call xhci_disable_hub_port_wake, which access register, but clock already gated by run time suspend.
This problem was hidden by power domain driver, which call run time resume before it.
But the below commit remove it and make this issue happen. commit c1df456d0f06e ("PM: domains: Don't runtime resume devices at genpd_prepare()")
This patch call run time resume before suspend to make sure clock is on before access register.
Testeb-by: Abel Vesa
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 10/30/2024
The vulnerability CVE-2022-48761 represents a critical synchronization issue within the Linux kernel's USB xHCI platform driver specifically affecting the i.MX8QM platform. This flaw manifests as a system crash during suspend operations when remote wakeup functionality is enabled, demonstrating a classic race condition between power management operations and hardware register access. The issue occurs when the system attempts to disable hub port wake capabilities during suspend, but the necessary hardware clocks have already been gated by runtime suspend operations, resulting in synchronous external abort errors that crash the kernel.
The technical root cause stems from improper sequencing in the power management flow where the xhci_suspend function attempts to access hardware registers through xhci_disable_hub_port_wake without ensuring that the required clock domains remain active. This violates fundamental power management principles and creates a scenario where hardware state is accessed in an inconsistent power domain. The crash occurs at the instruction pointer location xhci_disable_hub_port_wake.isra.62+0x60/0xf8, indicating direct access to memory-mapped registers that are no longer accessible due to clock gating. The call trace reveals the execution path through platform power management subsystems including platform_pm_suspend and dpm_run_callback, ultimately failing during the device suspend sequence.
This vulnerability directly relates to CWE-362: Concurrent Execution using Shared Resource with Unprotected Race Condition and CWE-787: Out-of-bounds Write, as it involves improper synchronization between power management operations and hardware register access. The issue demonstrates a clear violation of the ATT&CK technique T1547.001: Registry Run Keys / Startup Folder, though more specifically represents a system-level power management failure that could enable privilege escalation or denial of service attacks. The problem was introduced by commit c1df456d0f06e which removed runtime resume calls from genpd_prepare(), exposing the underlying race condition that was previously masked by the power domain driver's defensive programming.
The operational impact of this vulnerability extends beyond simple system crashes, potentially enabling attackers to cause persistent denial of service conditions in embedded systems and IoT devices running the affected kernel versions. Systems utilizing the i.MX8QM platform with USB peripherals and remote wakeup capabilities are particularly vulnerable, as the crash occurs during normal power management transitions. The vulnerability affects devices that rely on USB suspend/resume functionality for power optimization, making it particularly concerning for battery-powered devices and embedded systems where proper power management is critical. Mitigation requires applying the kernel patch that ensures runtime resume is called before suspend operations to maintain clock availability during register access, or alternatively implementing proper power domain management that prevents concurrent access to gated hardware resources.