In the Linux kernel, the following vulnerability has been resolved:
mm/slab_common: fix possible double free of kmem_cache
When running the slub_debug test, kfence's 'test_memcache_typesafe_by_rcu' kunit test case causes a use-after-free error:
BUG: KASAN: use-after-free in kobject_del+0x14/0x30
Read of size 8 at addr ffff888007679090 by task kunit_try_catch/261

CPU: 1 PID: 261 Comm: kunit_try_catch Tainted: G B N 6.0.0-rc5-next-20220916 #17
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x34/0x48
 print_address_description.constprop.0+0x87/0x2a5
 print_report+0x103/0x1ed
 kasan_report+0xb7/0x140
 kobject_del+0x14/0x30
 kmem_cache_destroy+0x130/0x170
 test_exit+0x1a/0x30
 kunit_try_run_case+0xad/0xc0
 kunit_generic_run_threadfn_adapter+0x26/0x50
 kthread+0x17b/0x1b0
 </TASK>

The cause is inside kmem_cache_destroy():

kmem_cache_destroy
    acquire lock/mutex
    shutdown_cache
        schedule_work(kmem_cache_release) (if RCU flag set)
    release lock/mutex
    kmem_cache_release (if RCU flag not set)
Under certain timing, the scheduled work can run before the next check of the RCU flag, which then reads a wrong value from the already released cache and leads to a double kmem_cache_release().
Fix it by caching the RCU flag inside the protected area, just like 'refcnt'.
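The race above as a small user-space model, added here for illustration and not taken from the kernel patch: the buggy destroy path re-reads the flag from the cache after the worker has already released it, while the fixed path caches the flag first, as the commit describes. The flag bit value and the poisoning of the "freed" object are constructed for this model.

```c
#include <stdbool.h>
#include <string.h>

/* User-space model of the kmem_cache_destroy() race; names mirror the kernel's but this is not kernel code. */
#define SLAB_TYPESAFE_BY_RCU (1u << 19)	/* bit value chosen for this model */

struct kmem_cache { unsigned int flags; };
static int release_calls;	/* how often the cache was released; 2 is the double free */

/* Stand-in for kmem_cache_release(): poison the object instead of free()ing it, so the buggy path reads a wrong flag value rather than crashing outright. */
static void kmem_cache_release(struct kmem_cache *s)
{
	release_calls++;
	memset(s, 0, sizeof(*s));	/* "freed" memory: flags now read as 0 */
}

/* Model of shutdown_cache(): for RCU caches the release is deferred to a work item; the bad timing from the report is modelled by running it immediately. */
static void shutdown_cache(struct kmem_cache *s)
{
	if (s->flags & SLAB_TYPESAFE_BY_RCU)
		kmem_cache_release(s);	/* schedule_work() whose worker already ran */
}

/* Buggy version: the RCU flag is re-read after the mutex has been dropped. */
static int destroy_buggy(struct kmem_cache *s)
{
	release_calls = 0;
	shutdown_cache(s);	/* done under slab_mutex; may free s via the worker */
	if (!(s->flags & SLAB_TYPESAFE_BY_RCU))	/* after unlock: reads freed memory */
		kmem_cache_release(s);	/* second release */
	return release_calls;
}

/* Fixed version: cache the flag while holding the mutex, like refcnt. */
static int destroy_fixed(struct kmem_cache *s)
{
	bool rcu_set = s->flags & SLAB_TYPESAFE_BY_RCU;	/* read while s is valid */
	release_calls = 0;
	shutdown_cache(s);
	if (!rcu_set)	/* decision no longer depends on possibly freed memory */
		kmem_cache_release(s);
	return release_calls;
}

/* Run one destroy path on a fresh RCU-typesafe cache; returns the release count. */
static int run(int (*destroy)(struct kmem_cache *))
{
	struct kmem_cache s = { .flags = SLAB_TYPESAFE_BY_RCU };
	return destroy(&s);
}
```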