CVE-2022-48822

In the Linux kernel, the following vulnerability has been resolved:

usb: f_fs: Fix use-after-free for epfile

Consider a case where ffs_func_eps_disable is called from ffs_func_disable as part of composition switch and at the same time ffs_epfile_release gets called from userspace. ffs_epfile_release will free up the read buffer and call ffs_data_closed, which in turn destroys ffs->epfiles and marks it as NULL. While this was happening the driver has already initialized the local epfile in ffs_func_eps_disable, which is now freed, and is waiting to acquire the spinlock. Once the spinlock is acquired the driver proceeds with the stale value of epfile and tries to free the already freed read buffer, causing use-after-free.

Following is the illustration of the race:

    CPU1                          CPU2

    ffs_func_eps_disable
    epfiles (local copy)
                                  ffs_epfile_release
                                  ffs_data_closed
                                  if (last file closed)
                                  ffs_data_reset
                                  ffs_data_clear
                                  ffs_epfiles_destroy
    spin_lock
    dereference epfiles

Fix these races by taking epfiles local copy & assigning it under spinlock and if epfiles(local) is null then update it in ffs->epfiles then finally destroy it. Extending the scope further from the race, protecting the ep related structures, and concurrent accesses.
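The interleaving described above, replayed deterministically in a single thread as an added example (not kernel code and not part of the referenced patches). The struct layouts and the helpers lock, unlock, release_path and replay are assumptions made for illustration; the read buffer is modelled as a free counter so the stale path can be observed without touching freed memory.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model: counts frees of the read buffer instead of calling free(). */
struct epfile { int buffer_frees; };
struct ffs { int locked; struct epfile *epfiles; };

static void lock(struct ffs *f)   { f->locked = 1; }   /* stand-in for the spinlock */
static void unlock(struct ffs *f) { f->locked = 0; }

/* CPU2 column: the release path frees the read buffer and clears ffs->epfiles. */
static void release_path(struct ffs *f)
{
    lock(f);
    struct epfile *ep = f->epfiles;
    f->epfiles = NULL;              /* later readers under the lock see NULL */
    unlock(f);
    if (ep)
        ep->buffer_frees++;
}

/* CPU1 column: the disable path, with CPU2 running inside the race window.
 * Returns how many times the same read buffer was freed. */
static int replay(int copy_under_lock)
{
    struct epfile slot = { 0 };
    struct ffs f = { 0, &slot };
    struct epfile *local = NULL;

    if (!copy_under_lock)
        local = f.epfiles;          /* vulnerable ordering: copy taken before the lock */
    release_path(&f);               /* CPU2 runs while CPU1 waits for the lock */
    lock(&f);
    if (copy_under_lock)
        local = f.epfiles;          /* fixed ordering: copy taken under the lock */
    if (local)
        local->buffer_frees++;      /* stale pointer: second free of the buffer */
    unlock(&f);
    return slot.buffer_frees;
}

int main(void)
{
    printf("copy before lock: %d frees\n", replay(0));
    printf("copy under lock:  %d frees\n", replay(1));
    return 0;
}
```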
Configurations

Configuration 1

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

07 Aug 2024, 19:14

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/0042178a69eb77a979e36a50dcce9794a3140ef8 - () https://git.kernel.org/stable/c/0042178a69eb77a979e36a50dcce9794a3140ef8 - Patch
References () https://git.kernel.org/stable/c/32048f4be071f9a6966744243f1786f45bb22dc2 - () https://git.kernel.org/stable/c/32048f4be071f9a6966744243f1786f45bb22dc2 - Patch
References () https://git.kernel.org/stable/c/3e078b18753669615301d946297bafd69294ad2c - () https://git.kernel.org/stable/c/3e078b18753669615301d946297bafd69294ad2c - Patch
References () https://git.kernel.org/stable/c/72a8aee863af099d4434314c4536d6c9a61dcf3c - () https://git.kernel.org/stable/c/72a8aee863af099d4434314c4536d6c9a61dcf3c - Patch
References () https://git.kernel.org/stable/c/c9fc422c9a43e3d58d246334a71f3390401781dc - () https://git.kernel.org/stable/c/c9fc422c9a43e3d58d246334a71f3390401781dc - Patch
References () https://git.kernel.org/stable/c/cfe5f6fd335d882bcc829a1c8a7d462a455c626e - () https://git.kernel.org/stable/c/cfe5f6fd335d882bcc829a1c8a7d462a455c626e - Patch
References () https://git.kernel.org/stable/c/ebe2b1add1055b903e2acd86b290a85297edc0b3 - () https://git.kernel.org/stable/c/ebe2b1add1055b903e2acd86b290a85297edc0b3 - Patch
Summary
  • (es) In the Linux kernel, the following vulnerability was resolved: usb: f_fs: Fix use-after-free for epfile. Consider a case where ffs_func_eps_disable is called from ffs_func_disable as part of a composition switch and at the same time ffs_epfile_release is called from userspace. ffs_epfile_release will free the read buffer and call ffs_data_closed, which in turn will destroy ffs->epfiles and mark it as NULL. While this was happening, the driver had already initialized the local epfile in ffs_func_eps_disable, which is now freed and waiting to acquire the spinlock. Once the spinlock is acquired, the driver continues with the stale value of epfile and tries to free the already freed read buffer, which causes a use-after-free. The following is the illustration of the race: CPU1 CPU2 ffs_func_eps_disable epfiles (local copy) ffs_epfile_release ffs_data_closed if (last file closed) ffs_data_reset ffs_data_clear ffs_epfiles_destroy spin_lock dereference epfiles. Fix these races by taking the local copy of epfiles and assigning it under the spinlock, and if epfiles(local) is null then update it in ffs->epfiles and finally destroy it. Extend the scope beyond the race, protecting the ep-related structures and concurrent accesses.
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
CWE CWE-416
First Time Linux
Linux linux Kernel
CVSS (removed) v2 : unknown, v3 : unknown; (added) v2 : unknown, v3 : 7.8

16 Jul 2024, 12:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-16 12:15

Updated : 2024-08-07 19:14


NVD link : CVE-2022-48822

Mitre link : CVE-2022-48822

CVE.ORG link : CVE-2022-48822


Products Affected

linux

  • linux_kernel
CWE
CWE-416

Use After Free