CVE-2022-49196
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
26/02/2025
Last modified:
25/03/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
powerpc/pseries: Fix use after free in remove_phb_dynamic()<br />
<br />
In remove_phb_dynamic() we use &phb->io_resource, after we&#39;ve called<br />
device_unregister(&host_bridge->dev). But the unregister may have freed<br />
phb, because pcibios_free_controller_deferred() is the release function<br />
for the host_bridge.<br />
<br />
If there are no outstanding references when we call device_unregister()<br />
then phb will be freed out from under us.<br />
<br />
This has gone mainly unnoticed, but with slub_debug and page_poison<br />
enabled it can lead to a crash:<br />
<br />
PID: 7574 TASK: c0000000d492cb80 CPU: 13 COMMAND: "drmgr"<br />
#0 [c0000000e4f075a0] crash_kexec at c00000000027d7dc<br />
#1 [c0000000e4f075d0] oops_end at c000000000029608<br />
#2 [c0000000e4f07650] __bad_page_fault at c0000000000904b4<br />
#3 [c0000000e4f076c0] do_bad_slb_fault at c00000000009a5a8<br />
#4 [c0000000e4f076f0] data_access_slb_common_virt at c000000000008b30<br />
Data SLB Access [380] exception frame:<br />
R0: c000000000167250 R1: c0000000e4f07a00 R2: c000000002a46100<br />
R3: c000000002b39ce8 R4: 00000000000000c0 R5: 00000000000000a9<br />
R6: 3894674d000000c0 R7: 0000000000000000 R8: 00000000000000ff<br />
R9: 0000000000000100 R10: 6b6b6b6b6b6b6b6b R11: 0000000000008000<br />
R12: c00000000023da80 R13: c0000009ffd38b00 R14: 0000000000000000<br />
R15: 000000011c87f0f0 R16: 0000000000000006 R17: 0000000000000003<br />
R18: 0000000000000002 R19: 0000000000000004 R20: 0000000000000005<br />
R21: 000000011c87ede8 R22: 000000011c87c5a8 R23: 000000011c87d3a0<br />
R24: 0000000000000000 R25: 0000000000000001 R26: c0000000e4f07cc8<br />
R27: c00000004d1cc400 R28: c0080000031d00e8 R29: c00000004d23d800<br />
R30: c00000004d1d2400 R31: c00000004d1d2540<br />
NIP: c000000000167258 MSR: 8000000000009033 OR3: c000000000e9f474<br />
CTR: 0000000000000000 LR: c000000000167250 XER: 0000000020040003<br />
CCR: 0000000024088420 MQ: 0000000000000000 DAR: 6b6b6b6b6b6b6ba3<br />
DSISR: c0000000e4f07920 Syscall Result: fffffffffffffff2<br />
[NIP : release_resource+56]<br />
[LR : release_resource+48]<br />
#5 [c0000000e4f07a00] release_resource at c000000000167258 (unreliable)<br />
#6 [c0000000e4f07a30] remove_phb_dynamic at c000000000105648<br />
#7 [c0000000e4f07ab0] dlpar_remove_slot at c0080000031a09e8 [rpadlpar_io]<br />
#8 [c0000000e4f07b50] remove_slot_store at c0080000031a0b9c [rpadlpar_io]<br />
#9 [c0000000e4f07be0] kobj_attr_store at c000000000817d8c<br />
#10 [c0000000e4f07c00] sysfs_kf_write at c00000000063e504<br />
#11 [c0000000e4f07c20] kernfs_fop_write_iter at c00000000063d868<br />
#12 [c0000000e4f07c70] new_sync_write at c00000000054339c<br />
#13 [c0000000e4f07d10] vfs_write at c000000000546624<br />
#14 [c0000000e4f07d60] ksys_write at c0000000005469f4<br />
#15 [c0000000e4f07db0] system_call_exception at c000000000030840<br />
#16 [c0000000e4f07e10] system_call_vectored_common at c00000000000c168<br />
<br />
To avoid it, we can take a reference to the host_bridge->dev until we&#39;re<br />
done using phb. Then when we drop the reference the phb will be freed.
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.16.39 (including) | 3.17 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.7.8 (including) | 5.15.33 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 5.16.19 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.17 (including) | 5.17.2 (excluding) |
To consult the complete list of CPE names with products and versions, see this page