CVE-2022-48801

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 16/07/2024
Last modified: 16/07/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

iio: buffer: Fix file related error handling in IIO_BUFFER_GET_FD_IOCTL

If we fail to copy the just created file descriptor to userland, we try to clean up by putting back 'fd' and freeing 'ib'. The code uses put_unused_fd() for the former which is wrong, as the file descriptor was already published by fd_install() which gets called internally by anon_inode_getfd().

This makes the error handling code leave a half cleaned up file descriptor table around and a partially destructed 'file' object, allowing userland to play use-after-free tricks on us, by abusing the still usable fd and making the code operate on a dangling 'file->private_data' pointer.

Instead of leaving the kernel in a partially corrupted state, don't attempt to explicitly clean up and leave this to the process exit path that'll release any still valid fds, including the one created by the previous call to anon_inode_getfd(). Simply return -EFAULT to indicate the error.
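
The ownership rule behind the fix is easy to state but easy to get wrong: once fd_install() has run, the file descriptor table owns the file, and put_unused_fd() only undoes get_unused_fd(). The following user-space model is an added example, not code from the kernel or from this record; it uses simplified stand-ins with the kernel helpers' names (get_unused_fd, put_unused_fd, fd_install, anon_inode_getfd, fput), a constructed fd table with a bitmap and a file array, and a `copy_fails` flag standing in for copy_to_user() failing. It runs the pre-fix cleanup and the fixed path side by side and checks the table invariant that the advisory describes as broken.

```c
/* Constructed user-space model of the fd-table contract behind CVE-2022-48801.
 * The helper names mirror the kernel's, the bodies are simplified stand-ins. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

#define NR_FDS 8

/* Driver-private object attached to the new file ('ib' in the advisory). */
struct ib {
    bool alive; /* model of "not yet freed"; the kernel would kfree() it */
};

struct file {
    struct ib *private_data; /* file->private_data */
    int refcount;
};

struct fdtable {
    bool open_fds[NR_FDS];   /* allocation bitmap: get_unused_fd()/put_unused_fd() */
    struct file *fd[NR_FDS]; /* file array: written by fd_install(), visible to userland */
};

static int get_unused_fd(struct fdtable *t) {
    for (int i = 0; i < NR_FDS; i++)
        if (!t->open_fds[i]) { t->open_fds[i] = true; return i; }
    return -EMFILE;
}

/* Undo get_unused_fd(). Only correct while fd[fd] is still empty: it touches the bitmap only. */
static void put_unused_fd(struct fdtable *t, int fd) { t->open_fds[fd] = false; }

static void fd_install(struct fdtable *t, int fd, struct file *f) { t->fd[fd] = f; }

/* Drop a reference; the last one runs the release op, which frees the private data. */
static void fput(struct file *f) {
    if (--f->refcount == 0) {
        free(f->private_data);
        free(f);
    }
}

/* Reserve an fd, build the file, publish it. After fd_install() the table owns it. */
static int anon_inode_getfd(struct fdtable *t, struct ib *priv) {
    int fd = get_unused_fd(t);
    if (fd < 0) return fd;
    struct file *f = calloc(1, sizeof *f);
    if (!f) { put_unused_fd(t, fd); return -ENOMEM; } /* legitimate: nothing installed yet */
    f->private_data = priv;
    f->refcount = 1;
    fd_install(t, fd, f);
    return fd;
}

/* Model of the ioctl. copy_fails simulates copy_to_user() failing; fixed selects the path. */
static int iio_buffer_get_fd(struct fdtable *t, bool copy_fails, bool fixed) {
    struct ib *ib = calloc(1, sizeof *ib);
    if (!ib) return -ENOMEM;
    ib->alive = true;
    int fd = anon_inode_getfd(t, ib);
    if (fd < 0) { free(ib); return fd; }
    if (copy_fails) {
        if (fixed)
            return -EFAULT; /* fixed: leave fd and file intact; process exit releases them */
        /* pre-fix cleanup: the fd is already published, so this is wrong */
        put_unused_fd(t, fd);
        ib->alive = false;  /* kernel: kfree(ib); kept allocated here so the state is inspectable */
        return -EFAULT;
    }
    return fd;
}

/* Healthy table: a slot is marked open exactly when a file is installed in it. */
static bool fdtable_consistent(const struct fdtable *t) {
    for (int i = 0; i < NR_FDS; i++)
        if (t->open_fds[i] != (t->fd[i] != NULL)) return false;
    return true;
}

/* True when an installed file still points at private data the driver already freed. */
static bool has_dangling_private_data(const struct fdtable *t) {
    for (int i = 0; i < NR_FDS; i++)
        if (t->fd[i] && !t->fd[i]->private_data->alive) return true;
    return false;
}

/* Process exit: close every fd the bitmap reports as open; returns how many were closed. */
static int process_exit(struct fdtable *t) {
    int closed = 0;
    for (int i = 0; i < NR_FDS; i++)
        if (t->open_fds[i]) { fput(t->fd[i]); t->fd[i] = NULL; t->open_fds[i] = false; closed++; }
    return closed;
}
```

Running the two paths against fresh tables shows the difference the advisory describes: after the pre-fix cleanup the bitmap says the slot is free while the file array still holds a file whose private_data is gone, and process exit skips that slot because it walks the bitmap; after the fixed path the table stays consistent and exit releases the one fd normally.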

Impact