CVE-2022-49940

In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: add sanity check for gsm->receive in gsm_receive_buf() A null pointer dereference can happen when attempting to access the "gsm->receive()" function in gsmld_receive_buf(). Currently, the code assumes that gsm->recieve is only called after MUX activation. Since the gsmld_receive_buf() function can be accessed without the need to initialize the MUX, the gsm->receive() function will not be set and a NULL pointer dereference will occur. Fix this by avoiding the call to "gsm->receive()" in case the function is not initialized by adding a sanity check. Call Trace: <TASK> gsmld_receive_buf+0x1c2/0x2f0 drivers/tty/n_gsm.c:2861 tiocsti drivers/tty/tty_io.c:2293 [inline] tty_ioctl+0xa75/0x15d0 drivers/tty/tty_io.c:2692 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/309aea4b6b813f6678c3a547cfd7fe3a76ffa976	Patch
https://git.kernel.org/stable/c/5a82cf64f8ad63caf6bf115642ce44ddbc64311e	Patch
https://git.kernel.org/stable/c/5aa37f9510345a812c0998bcbbc4d88d1dcc4d8b	Patch
https://git.kernel.org/stable/c/f16c6d2e58a4c2b972efcf9eb12390ee0ba3befb	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.0:rc3::::::

History

No history.

Information

Published : 2025-06-18 11:15

Updated : 2025-11-14 19:39

NVD link : CVE-2022-49940

Mitre link : CVE-2022-49940

CVE.ORG link : CVE-2022-49940

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-476

NULL Pointer Dereference

{"id": "CVE-2022-49940", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-06-18T11:15:20.917", "references": [{"url": "https://git.kernel.org/stable/c/309aea4b6b813f6678c3a547cfd7fe3a76ffa976", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5a82cf64f8ad63caf6bf115642ce44ddbc64311e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5aa37f9510345a812c0998bcbbc4d88d1dcc4d8b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f16c6d2e58a4c2b972efcf9eb12390ee0ba3befb", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: n_gsm: add sanity check for gsm->receive in gsm_receive_buf()\n\nA null pointer dereference can happen when attempting to access the\n\"gsm->receive()\" function in gsmld_receive_buf(). Currently, the code\nassumes that gsm->recieve is only called after MUX activation.\nSince the gsmld_receive_buf() function can be accessed without the need to\ninitialize the MUX, the gsm->receive() function will not be set and a\nNULL pointer dereference will occur.\n\nFix this by avoiding the call to \"gsm->receive()\" in case the function is\nnot initialized by adding a sanity check.\n\nCall Trace:\n <TASK>\n gsmld_receive_buf+0x1c2/0x2f0 drivers/tty/n_gsm.c:2861\n tiocsti drivers/tty/tty_io.c:2293 [inline]\n tty_ioctl+0xa75/0x15d0 drivers/tty/tty_io.c:2692\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:870 [inline]\n __se_sys_ioctl fs/ioctl.c:856 [inline]\n __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tty: n_gsm: a\u00f1adir comprobaci\u00f3n de validez para gsm->receive en gsm_receive_buf(). Se puede producir una desreferencia de puntero nulo al intentar acceder a la funci\u00f3n \"gsm->receive()\" en gsmld_receive_buf(). Actualmente, el c\u00f3digo asume que gsm->recieve solo se llama despu\u00e9s de la activaci\u00f3n del MUX. Dado que se puede acceder a la funci\u00f3n gsmld_receive_buf() sin necesidad de inicializar el MUX, esta funci\u00f3n no se activar\u00e1 y se producir\u00e1 una desreferencia de puntero nulo. Para solucionar esto, se debe evitar la llamada a \"gsm->receive()\" si la funci\u00f3n no se inicializa mediante una comprobaci\u00f3n de validez. Rastreo de llamadas: gsmld_receive_buf+0x1c2/0x2f0 drivers/tty/n_gsm.c:2861 tiocsti drivers/tty/tty_io.c:2293 [en l\u00ednea] tty_ioctl+0xa75/0x15d0 drivers/tty/tty_io.c:2692 vfs_ioctl fs/ioctl.c:51 [en l\u00ednea] __do_sys_ioctl fs/ioctl.c:870 [en l\u00ednea] __se_sys_ioctl fs/ioctl.c:856 [en l\u00ednea] __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [en l\u00ednea] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd"}], "lastModified": "2025-11-14T19:39:56.137", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7A949C3C-CF0E-4534-AACE-D99FED95FCAE", "versionEndExcluding": "5.15.66", "versionStartIncluding": "5.15.61"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B60CAFE2-08C3-461B-B5F8-25BEB0C9853E", "versionEndExcluding": "5.19", "versionStartIncluding": "5.18.18"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "00F39B21-9F82-4FE5-A788-FD1349833FBC", "versionEndExcluding": "5.19.8", "versionStartIncluding": "5.19.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E8BD11A3-8643-49B6-BADE-5029A0117325"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5F0AD220-F6A9-4012-8636-155F1B841FAD"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A46498B3-78E1-4623-AAE1-94D29A42BE4E"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}