Overview
About vulnerability
In the Linux kernel, the following vulnerability has been resolved:
ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()
In acpi_processor_errata_piix4(), the pointer dev is first assigned an IDE device and then reassigned an ISA device:
dev = pci_get_subsys(…, PCI_DEVICE_ID_INTEL_82371AB, …); dev = pci_get_subsys(…, PCI_DEVICE_ID_INTEL_82371AB_0, …);
If the first lookup succeeds but the second fails, dev becomes NULL. This leads to a potential null-pointer dereference when dev_dbg() is called:
if (errata.piix4.bmisx) dev_dbg(&dev->dev, …);
To prevent this, use two temporary pointers and retrieve each device independently, avoiding overwriting dev with a possible NULL value.
[ rjw: Subject adjustment, added an empty code line ]
Details
- Affected product:
- AlmaLinux 9.2 ESU , CentOS 6 ELS , CentOS 7 ELS , CentOS 8.4 ELS , CentOS 8.5 ELS , CentOS Stream 8 ELS , CloudLinux 7 ELS , Oracle Linux 6 ELS , Oracle Linux 7 ELS , RHEL 7 ELS , TuxCare 9.6 ESU , Ubuntu 16.04 ELS , Ubuntu 18.04 ELS , Ubuntu 20.04 ELS
- Affected packages:
- kernel @ 2.6.32 (+15 more)
In the Linux kernel, the following vulnerability has been resolved:
ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()
In acpi_processor_errata_piix4(), the pointer dev is first assigned an IDE device and then reassigned an ISA device:
dev = pci_get_subsys(…, PCI_DEVICE_ID_INTEL_82371AB, …); dev = pci_get_subsys(…, PCI_DEVICE_ID_INTEL_82371AB_0, …);
If the first lookup succeeds but the second fails, dev becomes NULL. This leads to a potential null-pointer dereference when dev_dbg() is called:
if (errata.piix4.bmisx) dev_dbg(&dev->dev, …);
To prevent this, use two temporary pointers and retrieve each device independently, avoiding overwriting dev with a possible NULL value.
[ rjw: Subject adjustment, added an empty code line ]