CVE-2022-49980

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 18/06/2025
Last modified: 14/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

USB: gadget: Fix use-after-free Read in usb_udc_uevent()

The syzbot fuzzer found a race between uevent callbacks and gadget driver unregistration that can cause a use-after-free bug:

---------------------------------------------------------------
BUG: KASAN: use-after-free in usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732
Read of size 8 at addr ffff888078ce2050 by task udevd/2968

CPU: 1 PID: 2968 Comm: udevd Not tainted 5.19.0-rc4-next-20220628-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:317 [inline]
 print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
 kasan_report+0xbe/0x1f0 mm/kasan/report.c:495
 usb_udc_uevent+0x11f/0x130 drivers/usb/gadget/udc/core.c:1732
 dev_uevent+0x290/0x770 drivers/base/core.c:2424
---------------------------------------------------------------

The bug occurs because usb_udc_uevent() dereferences udc->driver but does so without acquiring the udc_lock mutex, which protects this field. If the gadget driver is unbound from the udc concurrently with uevent processing, the driver structure may be accessed after it has been deallocated.

To prevent the race, we make sure that the routine holds the mutex around the racing accesses.
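The locking rule described above, as an added example that is not part of the advisory or of the kernel patch: a userspace C model in which a pthread mutex stands in for udc_lock, with the reader holding it across both the NULL check and the dereference. The struct layouts, the helpers udc_bind, udc_unbind, churn and stress, and the driver name g_demo are assumptions made for illustration.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model of the race; names follow the description, not core.c. */
struct gadget_driver { char function[16]; };
struct udc { struct gadget_driver *driver; };   /* protected by udc_lock */
static pthread_mutex_t udc_lock = PTHREAD_MUTEX_INITIALIZER;

/* Bind: build the driver first, then publish it under the lock. */
static void udc_bind(struct udc *udc, const char *name) {
    struct gadget_driver *drv = calloc(1, sizeof(*drv));
    if (!drv) return;
    snprintf(drv->function, sizeof(drv->function), "%s", name);
    pthread_mutex_lock(&udc_lock);
    udc->driver = drv;             /* assumes the udc is currently unbound */
    pthread_mutex_unlock(&udc_lock);
}
/* Unbind: clear the pointer under the lock, free only after unlocking. */
static void udc_unbind(struct udc *udc) {
    pthread_mutex_lock(&udc_lock);
    struct gadget_driver *old = udc->driver;
    udc->driver = NULL;
    pthread_mutex_unlock(&udc_lock);
    free(old);     /* readers only use the pointer while holding udc_lock */
}
/* Fixed reader: NULL check and dereference share one critical section. */
static int udc_uevent(struct udc *udc, char *buf, size_t len) {
    int n = 0;
    pthread_mutex_lock(&udc_lock);
    if (udc->driver)
        n = snprintf(buf, len, "USB_UDC_DRIVER=%s", udc->driver->function);
    pthread_mutex_unlock(&udc_lock);
    return n;
}
static void *churn(void *arg) {    /* constructed workload: bind/unbind loop */
    for (int i = 0; i < 20000; i++) { udc_bind(arg, "g_demo"); udc_unbind(arg); }
    return NULL;
}
/* Read during concurrent bind/unbind; returns the number of malformed reads. */
static int stress(void) {
    struct udc udc = { 0 };
    pthread_t t; char buf[64]; int bad = 0;
    if (pthread_create(&t, NULL, churn, &udc)) return -1;
    for (int i = 0; i < 20000; i++)
        if (udc_uevent(&udc, buf, sizeof(buf)) && strcmp(buf, "USB_UDC_DRIVER=g_demo"))
            bad++;
    pthread_join(t, NULL);
    return bad;
}
int main(void) { return stress() != 0; }
```

Build with `cc -pthread`; running the model under ThreadSanitizer or AddressSanitizer is a quick way to confirm that every access to the driver pointer is covered by the lock.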

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 5.19.7 (excluding) |