CVE-2022-48821

If the copy back to userland fails for the FASTRPCIOCTLALLOCDMABUFF ioctl(), we shouldn't assume that 'buf->dmabuf' is still valid. In fact, dmabuffd() called fd_install() before, i.e. "consumed" one reference, leaving us with none.

Calling dmabufput() will therefore put a reference we no longer own, leading to a valid file descritor table entry for an already released 'file' object which is a straight use-after-free.

Simply avoid calling dmabufput() and rely on the process exit code to do the necessary cleanup, if needed, i.e. if the file descriptor is still valid.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48821.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

6cffd79504ce040f460831030d3069fa1c99bb71

Fixed

4e6fd2b5fcf8e7119305a6042bd92e7f2b9ed215

Fixed

a5ce7ee5fcc07583159f54ab4af5164de00148f5

Fixed

e4382d0a39f9a1e260d62fdc079ddae5293c037d

Fixed

76f85c307ef9f10aa2cef1b1d5ee654c1f3345fc

Fixed

46963e2e0629cb31c96b1d47ddd89dc3d8990b34

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48821.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.1.0

Fixed

5.4.180

Type: ECOSYSTEM
Events: Introduced

5.5.0

Fixed

5.10.101

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

5.15.24

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

5.16.10

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48821.json"