CVE-2022-48806 - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: eeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX Commit effa453168a7 ("i2c: i801: Don't silently correct invalid transfer size") revealed that ee1004_eeprom_read() did not properly limit how many bytes to read at once. In particular, i2c_smbus_read_i2c_block_data_or_emulated() takes the length to read as an u8. If count == 256 after taking into account the offset and page boundary, the cast to u8 overflows. And this is common when user space tries to read the entire EEPROM at once. To fix it, limit each read to I2C_SMBUS_BLOCK_MAX (32) bytes, already the maximum length i2c_smbus_read_i2c_block_data_or_emulated() allows.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/3937c35493ee2847aaefcfa5460e94b7443eef49
https://git.kernel.org/stable/c/9443ddeb3754e9e382a396b50adc1961301713ce
https://git.kernel.org/stable/c/9a5f471ae380f9fcb9756d453c12ca1f8595a93c
https://git.kernel.org/stable/c/a37960df7eac3cc8094bd1ab84864e9e32c91345
https://git.kernel.org/stable/c/c0689e46be23160d925dca95dfc411f1a0462708
https://lore.kernel.org/linux-cve-announce/2024071645-CVE-2022-48806-445c@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2022-48806
https://www.cve.org/CVERecord?id=CVE-2022-48806

History

Wed, 11 Sep 2024 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-07-16T11:43:57.598Z

Updated: 2024-11-04T12:16:56.281Z

Reserved: 2024-07-16T11:38:08.896Z

Link: CVE-2022-48806

Vulnrichment

Updated: 2024-08-03T15:25:01.645Z

NVD

Status : Awaiting Analysis

Published: 2024-07-16T12:15:04.980

Modified: 2024-07-16T13:43:58.773

Link: CVE-2022-48806

Redhat

Severity : Low

Publid Date: 2024-07-16T00:00:00Z

Links: CVE-2022-48806 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-48806", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-07-16T11:38:08.896Z", "datePublished": "2024-07-16T11:43:57.598Z", "dateUpdated": "2024-11-04T12:16:56.281Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T12:16:56.281Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\neeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX\n\nCommit effa453168a7 (\"i2c: i801: Don't silently correct invalid transfer\nsize\") revealed that ee1004_eeprom_read() did not properly limit how\nmany bytes to read at once.\n\nIn particular, i2c_smbus_read_i2c_block_data_or_emulated() takes the\nlength to read as an u8. If count == 256 after taking into account the\noffset and page boundary, the cast to u8 overflows. And this is common\nwhen user space tries to read the entire EEPROM at once.\n\nTo fix it, limit each read to I2C_SMBUS_BLOCK_MAX (32) bytes, already\nthe maximum length i2c_smbus_read_i2c_block_data_or_emulated() allows."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/misc/eeprom/ee1004.c"], "versions": [{"version": "aca56c298e2a", "lessThan": "3937c35493ee", "status": "affected", "versionType": "git"}, {"version": "25714ad6bf5e", "lessThan": "a37960df7eac", "status": "affected", "versionType": "git"}, {"version": "be9313f755a7", "lessThan": "9a5f471ae380", "status": "affected", "versionType": "git"}, {"version": "07d9beb6e3c2", "lessThan": "9443ddeb3754", "status": "affected", "versionType": "git"}, {"version": "effa453168a7", "lessThan": "c0689e46be23", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/misc/eeprom/ee1004.c"], "versions": [{"version": "5.4.174", "lessThan": "5.4.180", "status": "affected", "versionType": "semver"}, {"version": "5.10.94", "lessThan": "5.10.101", "status": "affected", "versionType": "semver"}, {"version": "5.15.17", "lessThan": "5.15.24", "status": "affected", "versionType": "semver"}, {"version": "5.16.3", "lessThan": "5.16.10", "status": "affected", "versionType": "semver"}]}], "references": [{"url": "https://git.kernel.org/stable/c/3937c35493ee2847aaefcfa5460e94b7443eef49"}, {"url": "https://git.kernel.org/stable/c/a37960df7eac3cc8094bd1ab84864e9e32c91345"}, {"url": "https://git.kernel.org/stable/c/9a5f471ae380f9fcb9756d453c12ca1f8595a93c"}, {"url": "https://git.kernel.org/stable/c/9443ddeb3754e9e382a396b50adc1961301713ce"}, {"url": "https://git.kernel.org/stable/c/c0689e46be23160d925dca95dfc411f1a0462708"}], "title": "eeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX", "x_generator": {"engine": "bippy-9e1c9544281a"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T15:25:01.645Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/3937c35493ee2847aaefcfa5460e94b7443eef49", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a37960df7eac3cc8094bd1ab84864e9e32c91345", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/9a5f471ae380f9fcb9756d453c12ca1f8595a93c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/9443ddeb3754e9e382a396b50adc1961301713ce", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/c0689e46be23160d925dca95dfc411f1a0462708", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48806", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:58:47.691859Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:34:13.770Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/3937c35493ee2847aaefcfa5460e94b7443eef49", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/a37960df7eac3cc8094bd1ab84864e9e32c91345", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/9a5f471ae380f9fcb9756d453c12ca1f8595a93c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/9443ddeb3754e9e382a396b50adc1961301713ce", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/c0689e46be23160d925dca95dfc411f1a0462708", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T15:25:01.645Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48806", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:58:47.691859Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:21.485Z"}}], "cna": {"title": "eeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "aca56c298e2a", "lessThan": "3937c35493ee", "versionType": "git"}, {"status": "affected", "version": "25714ad6bf5e", "lessThan": "a37960df7eac", "versionType": "git"}, {"status": "affected", "version": "be9313f755a7", "lessThan": "9a5f471ae380", "versionType": "git"}, {"status": "affected", "version": "07d9beb6e3c2", "lessThan": "9443ddeb3754", "versionType": "git"}, {"status": "affected", "version": "effa453168a7", "lessThan": "c0689e46be23", "versionType": "git"}], "programFiles": ["drivers/misc/eeprom/ee1004.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.4.174", "lessThan": "5.4.180", "versionType": "semver"}, {"status": "affected", "version": "5.10.94", "lessThan": "5.10.101", "versionType": "semver"}, {"status": "affected", "version": "5.15.17", "lessThan": "5.15.24", "versionType": "semver"}, {"status": "affected", "version": "5.16.3", "lessThan": "5.16.10", "versionType": "semver"}], "programFiles": ["drivers/misc/eeprom/ee1004.c"], "defaultStatus": "unaffected"}], "references": [{"url": "https://git.kernel.org/stable/c/3937c35493ee2847aaefcfa5460e94b7443eef49"}, {"url": "https://git.kernel.org/stable/c/a37960df7eac3cc8094bd1ab84864e9e32c91345"}, {"url": "https://git.kernel.org/stable/c/9a5f471ae380f9fcb9756d453c12ca1f8595a93c"}, {"url": "https://git.kernel.org/stable/c/9443ddeb3754e9e382a396b50adc1961301713ce"}, {"url": "https://git.kernel.org/stable/c/c0689e46be23160d925dca95dfc411f1a0462708"}], "x_generator": {"engine": "bippy-9e1c9544281a"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\neeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX\n\nCommit effa453168a7 (\"i2c: i801: Don't silently correct invalid transfer\nsize\") revealed that ee1004_eeprom_read() did not properly limit how\nmany bytes to read at once.\n\nIn particular, i2c_smbus_read_i2c_block_data_or_emulated() takes the\nlength to read as an u8. If count == 256 after taking into account the\noffset and page boundary, the cast to u8 overflows. And this is common\nwhen user space tries to read the entire EEPROM at once.\n\nTo fix it, limit each read to I2C_SMBUS_BLOCK_MAX (32) bytes, already\nthe maximum length i2c_smbus_read_i2c_block_data_or_emulated() allows."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-11-04T12:16:56.281Z"}}}, "cveMetadata": {"cveId": "CVE-2022-48806", "state": "PUBLISHED", "dateUpdated": "2024-11-04T12:16:56.281Z", "dateReserved": "2024-07-16T11:38:08.896Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-07-16T11:43:57.598Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\neeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX\n\nCommit effa453168a7 (\"i2c: i801: Don't silently correct invalid transfer\nsize\") revealed that ee1004_eeprom_read() did not properly limit how\nmany bytes to read at once.\n\nIn particular, i2c_smbus_read_i2c_block_data_or_emulated() takes the\nlength to read as an u8. If count == 256 after taking into account the\noffset and page boundary, the cast to u8 overflows. And this is common\nwhen user space tries to read the entire EEPROM at once.\n\nTo fix it, limit each read to I2C_SMBUS_BLOCK_MAX (32) bytes, already\nthe maximum length i2c_smbus_read_i2c_block_data_or_emulated() allows."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: eeprom: ee1004: limitar las lecturas de i2c a I2C_SMBUS_BLOCK_MAX El commit effa453168a7 (\"i2c: i801: No corrija silenciosamente el tama\u00f1o de transferencia no v\u00e1lido\") revel\u00f3 que ee1004_eeprom_read() no limitaba adecuadamente cu\u00e1ntas bytes para leer a la vez. En particular, i2c_smbus_read_i2c_block_data_or_emulated() toma la longitud para leer como u8. Si el recuento == 256 despu\u00e9s de tener en cuenta el desplazamiento y el l\u00edmite de la p\u00e1gina, la conversi\u00f3n a u8 se desborda. Y esto es com\u00fan cuando el espacio del usuario intenta leer toda la EEPROM a la vez. Para solucionarlo, limite cada lectura a I2C_SMBUS_BLOCK_MAX (32) bytes, ya que la longitud m\u00e1xima que permite i2c_smbus_read_i2c_block_data_or_emulated()."}], "id": "CVE-2022-48806", "lastModified": "2024-07-16T13:43:58.773", "metrics": {}, "published": "2024-07-16T12:15:04.980", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3937c35493ee2847aaefcfa5460e94b7443eef49"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9443ddeb3754e9e382a396b50adc1961301713ce"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9a5f471ae380f9fcb9756d453c12ca1f8595a93c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a37960df7eac3cc8094bd1ab84864e9e32c91345"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c0689e46be23160d925dca95dfc411f1a0462708"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: eeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX", "id": "2298142", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2298142"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-190", "details": ["In the Linux kernel, the following vulnerability has been resolved:\neeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX\nCommit effa453168a7 (\"i2c: i801: Don't silently correct invalid transfer\nsize\") revealed that ee1004_eeprom_read() did not properly limit how\nmany bytes to read at once.\nIn particular, i2c_smbus_read_i2c_block_data_or_emulated() takes the\nlength to read as an u8. If count == 256 after taking into account the\noffset and page boundary, the cast to u8 overflows. And this is common\nwhen user space tries to read the entire EEPROM at once.\nTo fix it, limit each read to I2C_SMBUS_BLOCK_MAX (32) bytes, already\nthe maximum length i2c_smbus_read_i2c_block_data_or_emulated() allows."], "name": "CVE-2022-48806", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-07-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-48806\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-48806\nhttps://lore.kernel.org/linux-cve-announce/2024071645-CVE-2022-48806-445c@gregkh/T"], "threat_severity": "Low", "upstream_fix": "kernel 5.4.180, kernel 5.10.101, kernel 5.15.24, kernel 5.16.10"}