CVE-2022-48649

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48649
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48649.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-48649
Downstream
Published
2024-04-28T13:00:33.390Z
Modified
2025-11-28T02:35:12.673299Z
Summary
mm/slab_common: fix possible double free of kmem_cache
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/slab_common: fix possible double free of kmem_cache

When doing slub_debug test, kfence's 'test_memcache_typesafe_by_rcu' kunit test case causes a use-after-free error:

BUG: KASAN: use-after-free in kobject_del+0x14/0x30
Read of size 8 at addr ffff888007679090 by task kunit_try_catch/261

CPU: 1 PID: 261 Comm: kunit_try_catch Tainted: G B N 6.0.0-rc5-next-20220916 #17
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x34/0x48
print_address_description.constprop.0+0x87/0x2a5
print_report+0x103/0x1ed
kasan_report+0xb7/0x140
kobject_del+0x14/0x30
kmem_cache_destroy+0x130/0x170
test_exit+0x1a/0x30
kunit_try_run_case+0xad/0xc0
kunit_generic_run_threadfn_adapter+0x26/0x50
kthread+0x17b/0x1b0
</TASK>

The cause is inside kmem_cache_destroy():

kmem_cache_destroy
    acquire lock/mutex
    shutdown_cache
        schedule_work(kmem_cache_release)   (if RCU flag set)
    release lock/mutex
    kmem_cache_release                      (if RCU flag not set)

With certain timing, the scheduled work could run before the next RCU flag check, which can then read a wrong value and lead to a double kmem_cache_release().

Fix it by caching the RCU flag inside the protected area, just like 'refcnt'.
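As an added illustration (not code from the kernel or from this record): a single-threaded C model of the interleaving described above, in which the scheduled kmem_cache_release() work runs immediately after the mutex is dropped. The struct, the flag value and the helpers are constructed for the model; only the two destroy variants mirror the before/after logic of the fix.

```c
#include <stdbool.h>
#include <string.h>
#define SLAB_TYPESAFE_BY_RCU 0x80000u       /* constructed: any flag bit will do */
struct kmem_cache { unsigned int flags; int refcount; };
static int release_count;                   /* times kmem_cache_release() ran */
static struct kmem_cache *pending;          /* stands in for the scheduled work */
static void kmem_cache_release(struct kmem_cache *s)
{
    release_count++;
    memset(s, 0, sizeof(*s));               /* model freed memory reading as zero */
}
static void shutdown_cache(struct kmem_cache *s)
{
    if (s->flags & SLAB_TYPESAFE_BY_RCU)
        pending = s;                        /* schedule_work(): free after grace period */
}
/* Worst-case interleaving from the text: the work runs right after unlock. */
static void run_pending_work(void)
{
    struct kmem_cache *s = pending;
    pending = NULL;
    if (s)
        kmem_cache_release(s);
}
/* Before the fix: the RCU flag is re-read from s after slab_mutex is dropped. */
int destroy_buggy(struct kmem_cache *s)
{
    release_count = 0;
    int refcnt = --s->refcount;             /* inside mutex_lock(&slab_mutex) */
    if (!refcnt)
        shutdown_cache(s);
    run_pending_work();                     /* after mutex_unlock: s may be gone */
    if (!refcnt && !(s->flags & SLAB_TYPESAFE_BY_RCU)) /* UAF read sees 0 */
        kmem_cache_release(s);              /* second release: the double free */
    return release_count;
}
/* After the fix: rcu_set is cached inside the protected area, like refcnt. */
int destroy_fixed(struct kmem_cache *s)
{
    release_count = 0;
    bool rcu_set = s->flags & SLAB_TYPESAFE_BY_RCU; /* read under the mutex */
    int refcnt = --s->refcount;
    if (!refcnt)
        shutdown_cache(s);
    run_pending_work();                     /* after mutex_unlock */
    if (!refcnt && !rcu_set)                /* decided without touching s */
        kmem_cache_release(s);
    return release_count;
}
```

For a cache with SLAB_TYPESAFE_BY_RCU set, destroy_buggy() releases twice while destroy_fixed() releases once; for a non-RCU cache both release exactly once.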

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48649.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
357321557920c805de2b14832002465c320eea4f
Fixed
c673c6ceac53fb2e631c9fbbd79957099a08927f
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0495e337b7039191dfce6e03f5f830454b1fae6b
Fixed
d71608a877362becdc94191f190902fac1e64d35

Affected versions

v5.*

v5.19.10
v5.19.11
v5.19.8
v5.19.9

Database specific

vanir_signatures

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48649.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.19.8
Fixed
5.19.12

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48649.json"