CVE-2022-49070 in Linux

Summary

by MITRE • 02/26/2025

In the Linux kernel, the following vulnerability has been resolved:

fbdev: Fix unregistering of framebuffers without device

OF framebuffers do not have an underlying device in the Linux device hierarchy. Do a regular unregister call instead of hot unplugging such a non-existing device. Fixes a NULL dereference. An example error message on ppc64le is shown below.

BUG: Kernel NULL pointer dereference on read at 0x00000060
Faulting instruction address: 0xc00000000080dfa4
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
[...]
CPU: 2 PID: 139 Comm: systemd-udevd Not tainted 5.17.0-ae085d7f9365 #1
NIP: c00000000080dfa4 LR: c00000000080df9c CTR: c000000000797430
REGS: c000000004132fe0 TRAP: 0300 Not tainted (5.17.0-ae085d7f9365)
MSR: 8000000002009033 CR: 28228282 XER: 20000000
CFAR: c00000000000c80c DAR: 0000000000000060 DSISR: 40000000 IRQMASK: 0
GPR00: c00000000080df9c c000000004133280 c00000000169d200 0000000000000029
GPR04: 00000000ffffefff c000000004132f90 c000000004132f88 0000000000000000
GPR08: c0000000015658f8 c0000000015cd200 c0000000014f57d0 0000000048228283
GPR12: 0000000000000000 c00000003fffe300 0000000020000000 0000000000000000
GPR16: 0000000000000000 0000000113fc4a40 0000000000000005 0000000113fcfb80
GPR20: 000001000f7283b0 0000000000000000 c000000000e4a588 c000000000e4a5b0
GPR24: 0000000000000001 00000000000a0000 c008000000db0168 c0000000021f6ec0
GPR28: c0000000016d65a8 c000000004b36460 0000000000000000 c0000000016d64b0
NIP [c00000000080dfa4] do_remove_conflicting_framebuffers+0x184/0x1d0
[c000000004133280] [c00000000080df9c] do_remove_conflicting_framebuffers+0x17c/0x1d0 (unreliable)
[c000000004133350] [c00000000080e4d0] remove_conflicting_framebuffers+0x60/0x150
[c0000000041333a0] [c00000000080e6f4] remove_conflicting_pci_framebuffers+0x134/0x1b0
[c000000004133450] [c008000000e70438] drm_aperture_remove_conflicting_pci_framebuffers+0x90/0x100 [drm]
[c000000004133490] [c008000000da0ce4] bochs_pci_probe+0x6c/0xa64 [bochs]
[...]
[c000000004133db0] [c00000000002aaa0] system_call_exception+0x170/0x2d0
[c000000004133e10] [c00000000000c3cc] system_call_common+0xec/0x250

The bug [1] was introduced by commit 27599aacbaef ("fbdev: Hot-unplug firmware fb devices on forced removal"). Most firmware framebuffers have an underlying platform device, which can be hot-unplugged before loading the native graphics driver. OF framebuffers do not (yet) have that device. Fix the code by unregistering the framebuffer as before without a hot unplug.

Tested with 5.17 on qemu ppc64le emulation.


Analysis

by VulDB Data Team • 03/19/2025

The vulnerability CVE-2022-49070 represents a critical NULL pointer dereference issue within the Linux kernel's framebuffer subsystem, specifically affecting the frame buffer device management during device unregistration processes. This flaw occurs in the context of Open Firmware (OF) framebuffers which do not maintain an underlying device in the Linux device hierarchy, creating a mismatch in how the kernel handles device removal operations. The issue manifests when the kernel attempts to perform a hot-unplug operation on a framebuffer that lacks an actual device reference, leading to a kernel panic due to accessing invalid memory addresses.

The technical root cause stems from a regression introduced by commit 27599aacbaef which modified the framebuffer device removal logic to implement hot-unplug functionality for firmware framebuffers. This change assumed that all framebuffers would have an underlying platform device that could be hot-unplugged before driver loading, but OF framebuffers specifically lack this device structure. When the kernel attempts to unregister such framebuffers, it follows the hot-unplug path which results in dereferencing a NULL pointer, causing the kernel to crash with a NULL pointer dereference error at address 0x00000060. The stack trace shows the fault occurring in the do_remove_conflicting_framebuffers function where the kernel attempts to access device structures that do not exist for OF framebuffers.

This vulnerability impacts systems running on PowerPC 64-bit architectures, particularly those using QEMU emulation for testing, and affects the kernel's ability to properly manage framebuffer devices during system initialization or driver loading sequences. The operational impact includes complete system crashes and potential denial of service conditions when the kernel encounters firmware framebuffers that lack proper device references. The flaw specifically affects the graphics subsystem's ability to properly clean up conflicting framebuffers during device initialization, particularly in scenarios involving PCI framebuffer devices where the drm_aperture subsystem attempts to remove conflicting framebuffers.

The fix implemented addresses this issue by reverting to the original framebuffer unregistration approach for OF framebuffers, avoiding the hot-unplug mechanism that was causing the NULL pointer dereference. This solution aligns with the principle of maintaining backward compatibility and proper device hierarchy handling within the kernel's device management subsystem. The vulnerability demonstrates the importance of proper device abstraction handling in kernel code and the potential for seemingly small changes to introduce critical regressions in complex subsystems. This issue relates to CWE-476 which covers NULL pointer dereference vulnerabilities and can be categorized under ATT&CK technique T1490 for Deobfuscation of Files or Information, as the vulnerability affects the kernel's ability to properly handle device registration and unregistration operations. The fix ensures that OF framebuffers are properly unregistered through standard mechanisms rather than attempting hot-unplug operations on non-existent devices, thereby preventing the kernel from crashing during normal operation sequences.
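As an added illustration (not the kernel's code and not part of this entry), the removal dispatch reduced to the fields the bug depends on: the regressed version tests the device's bus with no NULL check, the fixed version unregisters a framebuffer without a device directly. The struct layouts, the action enum and the sample framebuffer entries are simplifications constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>

struct bus_type { const char *name; };
static struct bus_type platform_bus_type = { "platform" };   /* stand-in buses */
static struct bus_type pci_bus_type = { "pci" };
struct device { struct bus_type *bus; };

struct fb_info {
    const char *id;
    struct device *device;   /* NULL for Open Firmware (offb) framebuffers */
    bool forced_out;
};
enum remove_action { ACT_UNREGISTER, ACT_HOTUNPLUG, ACT_WARN_AND_UNREGISTER };

/* Same shape as the kernel macro: it reads dev->bus, which is the NULL
 * read reported in the oops above when dev is NULL. */
static bool dev_is_platform(const struct device *dev)
{
    return dev->bus == &platform_bus_type;
}

/* Dispatch as regressed by 27599aacbaef: device is used with no NULL check. */
static enum remove_action remove_before_fix(struct fb_info *fb)
{
    struct device *device = fb->device;
    if (dev_is_platform(device)) {          /* faults for an offb entry */
        fb->forced_out = true;
        return ACT_HOTUNPLUG;               /* platform_device_unregister() */
    }
    return ACT_WARN_AND_UNREGISTER;         /* warn, then unregister */
}

/* Dispatch after the fix: no device means a plain unregister, as before. */
static enum remove_action remove_after_fix(struct fb_info *fb)
{
    struct device *device = fb->device;
    if (!device)
        return ACT_UNREGISTER;              /* do_unregister_framebuffer() */
    if (dev_is_platform(device)) {
        fb->forced_out = true;
        return ACT_HOTUNPLUG;
    }
    return ACT_WARN_AND_UNREGISTER;
}

/* Constructed sample entries: platform-backed fb, PCI-backed fb, and offb. */
static struct device plat_dev = { &platform_bus_type }, pci_dev = { &pci_bus_type };
static struct fb_info plat_fb = { "simplefb", &plat_dev, false };
static struct fb_info pci_fb = { "pcifb", &pci_dev, false };
static struct fb_info offb_fb = { "offb", NULL, false };
```

Calling remove_before_fix(&offb_fb) reproduces the NULL read in userspace, so only the fixed path is exercised on the offb entry.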

Responsible

Linux

Reservation

02/26/2025

Disclosure

02/26/2025

Moderation

accepted

CPE

ready

EPSS

0.00020

KEV

no

Activities

very low
