CVE-2022-48857

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-48857
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48857.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-48857
Downstream
Related
Published
2024-07-16T12:25:22.464Z
Modified
2026-03-20T12:21:57.066884Z
Summary
NFC: port100: fix use-after-free in port100_send_complete
Details

In the Linux kernel, the following vulnerability has been resolved:

NFC: port100: fix use-after-free in port100sendcomplete

Syzbot reported UAF in port100sendcomplete(). The root case is in missing usbkillurb() calls on error handling path of ->probe function.

port100sendcomplete() accesses devm allocated memory which will be freed on probe failure. We should kill this urbs before returning an error from probe function to prevent reported use-after-free

Fail log:

BUG: KASAN: use-after-free in port100sendcomplete+0x16e/0x1a0 drivers/nfc/port100.c:935 Read of size 1 at addr ffff88801bb59540 by task ksoftirqd/2/26 ... Call Trace: <TASK> __dumpstack lib/dumpstack.c:88 [inline] dump_stacklvl+0xcd/0x134 lib/dumpstack.c:106 printaddressdescription.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255 __kasanreport mm/kasan/report.c:442 [inline] kasanreport.cold+0x83/0xdf mm/kasan/report.c:459 port100sendcomplete+0x16e/0x1a0 drivers/nfc/port100.c:935 _usbhcdgivebackurb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670

...

Allocated by task 1255: kasansavestack+0x1e/0x40 mm/kasan/common.c:38 kasansettrack mm/kasan/common.c:45 [inline] setallocinfo mm/kasan/common.c:436 [inline] ____kasan_kmalloc mm/kasan/common.c:515 [inline] ____kasan_kmalloc mm/kasan/common.c:474 [inline] _kasankmalloc+0xa6/0xd0 mm/kasan/common.c:524 allocdr drivers/base/devres.c:116 [inline] devmkmalloc+0x96/0x1d0 drivers/base/devres.c:823 devmkzalloc include/linux/device.h:209 [inline] port100probe+0x8a/0x1320 drivers/nfc/port100.c:1502

Freed by task 1255: kasansavestack+0x1e/0x40 mm/kasan/common.c:38 kasansettrack+0x21/0x30 mm/kasan/common.c:45 kasansetfree_info+0x20/0x30 mm/kasan/generic.c:370 ____kasanslabfree mm/kasan/common.c:366 [inline] ____kasanslabfree+0xff/0x140 mm/kasan/common.c:328 kasanslabfree include/linux/kasan.h:236 [inline] _cachefree mm/slab.c:3437 [inline] kfree+0xf8/0x2b0 mm/slab.c:3794 releasenodes+0x112/0x1a0 drivers/base/devres.c:501 devresreleaseall+0x114/0x190 drivers/base/devres.c:530 reallyprobe+0x626/0xcc0 drivers/base/dd.c:670

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48857.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0347a6ab300a1532c298823408d6e51ccf4e4f45
Fixed
205c4ec78e71cbf561794e6043da80e7bae6790f
Fixed
32e866ae5a7af590597ef4bcff8451bf96d5f980
Fixed
b1db33d4e54bc35d8db96ce143ea0ef92e23d58e
Fixed
cd2a5c0da0d1ddf11d1f84e9c9b1949f50f6e161
Fixed
2b1c85f56512d49e43bc53741fce2f508cd90029
Fixed
0e721b8f2ee5e11376dd55363f9ccb539d754b8a
Fixed
7194737e1be8fdc89d2a9382bd2f371f7ee2eda8
Fixed
f80cfe2f26581f188429c12bd937eb905ad3ac7b

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48857.json"