CVE-2022-48869

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
21/08/2024
Last modified:
06/09/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

USB: gadgetfs: Fix race between mounting and unmounting

The syzbot fuzzer and Gerald Lee have identified a use-after-free bug
in the gadgetfs driver, involving processes concurrently mounting and
unmounting the gadgetfs filesystem. In particular, gadgetfs_fill_super()
can race with gadgetfs_kill_sb(), causing the latter to deallocate
the_device while the former is using it. The output from KASAN says,
in part:

BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
BUG: KASAN: use-after-free in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]
BUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline]
BUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline]
BUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline]
BUG: KASAN: use-after-free in put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]
BUG: KASAN: use-after-free in gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086
Write of size 4 at addr ffff8880276d7840 by task syz-executor126/18689

CPU: 0 PID: 18689 Comm: syz-executor126 Not tainted 6.1.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:

...
atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]
__refcount_sub_and_test include/linux/refcount.h:272 [inline]
__refcount_dec_and_test include/linux/refcount.h:315 [inline]
refcount_dec_and_test include/linux/refcount.h:333 [inline]
put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]
gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
vfs_get_super fs/super.c:1190 [inline]
get_tree_single+0xd0/0x160 fs/super.c:1207
vfs_get_tree+0x88/0x270 fs/super.c:1531
vfs_fsconfig_locked fs/fsopen.c:232 [inline]

The simplest solution is to ensure that gadgetfs_fill_super() and
gadgetfs_kill_sb() are serialized by making them both acquire a new
mutex.

Vulnerable products and versions

CPE                                            From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.3 (including)    5.4.230 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.5 (including)    5.10.165 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.11 (including)   5.15.90 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.16 (including)   6.1.8 (excluding)