Acknowledged
Created: Sep 21, 2025
Updated: Sep 23, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

tee: fix NULL pointer dereference in tee_shm_put

tee_shm_put has a NULL pointer dereference:

__optee_disable_shm_cache -->
    shm = reg_pair_to_ptr(...); // may return NULL
    tee_shm_free(shm); -->
        tee_shm_put(shm); // crash

Add a check in tee_shm_put to fix it.

panic log:
Unable to handle kernel paging request at virtual address 0000000000100cca
Mem abort info:
ESR = 0x0000000096000004
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x04: level 0 translation fault
Data abort info:
ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=0000002049d07000
[0000000000100cca] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 0000000096000004 [#1] SMP
CPU: 2 PID: 14442 Comm: systemd-sleep Tainted: P OE ------- ----
6.6.0-39-generic #38
Source Version: 938b255f6cb8817c95b0dd5c8c2944acfce94b07
Hardware name: greatwall GW-001Y1A-FTH, BIOS Great Wall BIOS V3.0
10/26/2022
pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : tee_shm_put+0x24/0x188
lr : tee_shm_free+0x14/0x28
sp : ffff001f98f9faf0
x29: ffff001f98f9faf0 x28: ffff0020df543cc0 x27: 0000000000000000
x26: ffff001f811344a0 x25: ffff8000818dac00 x24: ffff800082d8d048
x23: ffff001f850fcd18 x22: 0000000000000001 x21: ffff001f98f9fb88
x20: ffff001f83e76218 x19: ffff001f83e761e0 x18: 000000000000ffff
x17: 303a30303a303030 x16: 0000000000000000 x15: 0000000000000003
x14: 0000000000000001 x13: 0000000000000000 x12: 0101010101010101
x11: 0000000000000001 x10: 0000000000000001 x9 : ffff800080e08d0c
x8 : ffff001f98f9fb88 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
x2 : ffff001f83e761e0 x1 : 00000000ffff001f x0 : 0000000000100cca
Call trace:
tee_shm_put+0x24/0x188
tee_shm_free+0x14/0x28
__optee_disable_shm_cache+0xa8/0x108
optee_shutdown+0x28/0x38
platform_shutdown+0x28/0x40
device_shutdown+0x144/0x2b0
kernel_power_off+0x3c/0x80
hibernate+0x35c/0x388
state_store+0x64/0x80
kobj_attr_store+0x14/0x28
sysfs_kf_write+0x48/0x60
kernfs_fop_write_iter+0x128/0x1c0
vfs_write+0x270/0x370
ksys_write+0x6c/0x100
__arm64_sys_write+0x20/0x30
invoke_syscall+0x4c/0x120
el0_svc_common.constprop.0+0x44/0xf0
do_el0_svc+0x24/0x38
el0_svc+0x24/0x88
el0t_64_sync_handler+0x134/0x150
el0t_64_sync+0x14c/0x15
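
The call flow above, as an added user-space model in C (not the kernel's code and not the upstream patch): a put routine that reads through its argument before validating it, next to a guarded version, driven by a cache-drain loop in which one lookup yields NULL. The struct layouts and the names shm_put_unchecked, shm_put_checked, shm_new and drain_cache_guarded are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* User-space model: simplified stand-ins, not the kernel's struct layouts. */
struct tee_device  { int live_shm; };
struct tee_context { struct tee_device *teedev; };
struct tee_shm     { struct tee_context *ctx; int refcount; };

/* Before: shm->ctx is read unconditionally, so a NULL shm faults here. */
int shm_put_unchecked(struct tee_shm *shm)
{
    struct tee_device *teedev = shm->ctx->teedev;
    if (--shm->refcount > 0) return 0;
    teedev->live_shm--;
    free(shm);
    return 1;
}

/* After: validate before the first dereference. Returns 1 if the object was
 * released. Checking ctx and teedev as well is this example's own choice. */
int shm_put_checked(struct tee_shm *shm)
{
    if (!shm || !shm->ctx || !shm->ctx->teedev) return 0;
    return shm_put_unchecked(shm);
}

struct tee_shm *shm_new(struct tee_context *ctx)
{
    struct tee_shm *shm = calloc(1, sizeof(*shm));
    if (!shm) return NULL;
    shm->ctx = ctx;
    shm->refcount = 1;
    ctx->teedev->live_shm++;
    return shm;
}

/* Models the shutdown loop: each slot stands in for a reg_pair_to_ptr(...)
 * result; slot 1 is the lookup that yields NULL. Returns the number of
 * buffers released, or -1 if the device still counts live buffers. */
int drain_cache_guarded(void)
{
    struct tee_device dev = { 0 };
    struct tee_context ctx = { &dev };
    struct tee_shm *cached[3] = { shm_new(&ctx), NULL, shm_new(&ctx) };
    int released = 0;
    for (int i = 0; i < 3; i++)
        released += shm_put_checked(cached[i]);
    return dev.live_shm == 0 ? released : -1;
}
int main(void) { printf("released %d buffers\n", drain_cache_guarded()); return 0; }
```

With the guarded routine the loop skips the NULL slot and still releases both live buffers; passing the same array to shm_put_unchecked would fault on the second slot.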