{"id":"CVE-2022-48870","summary":"tty: fix possible null-ptr-defer in spk_ttyio_release","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ntty: fix possible null-ptr-defer in spk_ttyio_release\n\nRun the following tests on the qemu platform:\n\nsyzkaller:~# modprobe speakup_audptr\n input: Speakup as /devices/virtual/input/input4\n initialized device: /dev/synth, node (MAJOR 10, MINOR 125)\n speakup 3.1.6: initialized\n synth name on entry is: (null)\n synth probe\n\nspk_ttyio_initialise_ldisc failed because tty_kopen_exclusive returned\nfailed (errno -16), then remove the module, we will get a null-ptr-defer\nproblem, as follow:\n\nsyzkaller:~# modprobe -r speakup_audptr\n releasing synth audptr\n BUG: kernel NULL pointer dereference, address: 0000000000000080\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0\n Oops: 0002 [#1] PREEMPT SMP PTI\n CPU: 2 PID: 204 Comm: modprobe Not tainted 6.1.0-rc6-dirty #1\n RIP: 0010:mutex_lock+0x14/0x30\n Call Trace:\n \u003cTASK\u003e\n  spk_ttyio_release+0x19/0x70 [speakup]\n  synth_release.part.6+0xac/0xc0 [speakup]\n  synth_remove+0x56/0x60 [speakup]\n  __x64_sys_delete_module+0x156/0x250\n  ? fpregs_assert_state_consistent+0x1d/0x50\n  do_syscall_64+0x37/0x90\n  entry_SYSCALL_64_after_hwframe+0x63/0xcd\n \u003c/TASK\u003e\n Modules linked in: speakup_audptr(-) speakup\n Dumping ftrace buffer:\n\nin_synth-\u003edev was not initialized during modprobe, so we add check\nfor in_synth-\u003edev to fix this bug.","modified":"2026-03-20T12:21:57.858451Z","published":"2024-08-21T06:10:00.678Z","related":["SUSE-SU-2024:3190-1","SUSE-SU-2024:3209-1","SUSE-SU-2024:3227-1","SUSE-SU-2024:3408-1","SUSE-SU-2024:3483-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48870.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2da67bff29ab49caafb0766e8b8383b735ff796f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5abbeebd8296c2301023b8dc4b5a6c0d5229b4f5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/64152e05a4de3ebf59f1740a0985a6d5fba0c77b"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48870.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48870"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"4f2a81f3a88217e7340b2cab5c0a5ebd0112514c"},{"fixed":"2da67bff29ab49caafb0766e8b8383b735ff796f"},{"fixed":"64152e05a4de3ebf59f1740a0985a6d5fba0c77b"},{"fixed":"5abbeebd8296c2301023b8dc4b5a6c0d5229b4f5"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48870.json"}}],"schema_version":"1.7.5"}