CVE-2022-49605

MEDIUM EPSS 14.9%
Published Feb 26, 20251y ago · Modified Jun 17, 20262w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Feb 26, 2025 1y ago
Last Modified Jun 17, 2026 2w ago

Description

In the Linux kernel, the following vulnerability has been resolved: igc: Reinstate IGC_REMOVED logic and implement it properly The initially merged version of the igc driver code (via commit 146740f9abc4, "igc: Add support for PF") contained the following IGC_REMOVED checks in the igc_rd32/wr32() MMIO accessors: u32 igc_rd32(struct igc_hw *hw, u32 reg) { u8 __iomem *hw_addr = READ_ONCE(hw->hw_addr); u32 value = 0; if (IGC_REMOVED(hw_addr)) return ~value; value = readl(&hw_addr[reg]); /* reads should not return all F's */ if (!(~value) && (!reg || !(~readl(hw_addr)))) hw->hw_addr = NULL; return value; } And: #define wr32(reg, val) \ do { \ u8 __iomem *hw_addr = READ_ONCE((hw)->hw_addr); \ if (!IGC_REMOVED(hw_addr)) \ writel((val), &hw_addr[(reg)]); \ } while (0) E.g. igb has similar checks in its MMIO accessors, and has a similar macro E1000_REMOVED, which is implemented as follows: #define E1000_REMOVED(h) unlikely(!(h)) These checks serve to detect and take note of an 0xffffffff MMIO read return from the device, which can be caused by a PCIe link flap or some other kind of PCI bus error, and to avoid performing MMIO reads and writes from that point onwards. However, the IGC_REMOVED macro was not originally implemented: #ifndef IGC_REMOVED #define IGC_REMOVED(a) (0) #endif /* IGC_REMOVED */ This led to the IGC_REMOVED logic to be removed entirely in a subsequent commit (commit 3c215fb18e70, "igc: remove IGC_REMOVED function"), with the rationale that such checks matter only for virtualization and that igc does not support virtualization -- but a PCIe device can become detached even without virtualization being in use, and without proper checks, a PCIe bus error affecting an igc adapter will lead to various NULL pointer dereferences, as the first access after the error will set hw->hw_addr to NULL, and subsequent accesses will blindly dereference this now-NULL pointer. This patch reinstates the IGC_REMOVED checks in igc_rd32/wr32(), and implements IGC_REMOVED the way it is done for igb, by checking for the unlikely() case of hw_addr being NULL. This change prevents the oopses seen when a PCIe link flap occurs on an igc adapter.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
14.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-476 NULL Pointer Dereference Memory Safety

Affected Products 11

VendorProductVersionRange
linuxlinux_kernel*≥4.20  –  <5.4.208
linuxlinux_kernel*≥5.5  –  <5.10.134
linuxlinux_kernel*≥5.11  –  <5.15.58
linuxlinux_kernel*≥5.16  –  <5.18.15
linuxlinux_kernel5.19any
linuxlinux_kernel5.19any
linuxlinux_kernel5.19any
linuxlinux_kernel5.19any
linuxlinux_kernel5.19any
linuxlinux_kernel5.19any
linuxlinux_kernel5.19any

References 5

  • git.kernel.org https://git.kernel.org/stable/c/16cb6717f4f42487ef10583eb8bc98e7d1e33d65
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/70965b6e5c03aa70cc754af1226b9f9cde0c4bf3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/77836dbe35382aaf8108489060c5c89530c77494
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7c1ddcee5311f3315096217881d2dbe47cc683f9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e75b73081f1ec169518773626c2ff3950476660b
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/16cb6717f4f42487ef10583eb8bc98e7d1e33d65
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/70965b6e5c03aa70cc754af1226b9f9cde0c4bf3
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/77836dbe35382aaf8108489060c5c89530c77494
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7c1ddcee5311f3315096217881d2dbe47cc683f9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e75b73081f1ec169518773626c2ff3950476660b
    Patch