CVE-2022-48869

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-48869

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48869.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-48869

Related

Published

2024-08-21T07:15:04Z

Modified

2024-09-11T04:57:04.620730Z

Severity

4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved:

USB: gadgetfs: Fix race between mounting and unmounting

The syzbot fuzzer and Gerald Lee have identified a use-after-free bug in the gadgetfs driver, involving processes concurrently mounting and unmounting the gadgetfs filesystem. In particular, gadgetfsfillsuper() can race with gadgetfskillsb(), causing the latter to deallocate the_device while the former is using it. The output from KASAN says, in part:

BUG: KASAN: use-after-free in instrumentatomicreadwrite include/linux/instrumented.h:102 [inline] BUG: KASAN: use-after-free in atomicfetchsubrelease include/linux/atomic/atomic-instrumented.h:176 [inline] BUG: KASAN: use-after-free in _refcountsubandtest include/linux/refcount.h:272 [inline] BUG: KASAN: use-after-free in _refcountdecandtest include/linux/refcount.h:315 [inline] BUG: KASAN: use-after-free in refcountdecandtest include/linux/refcount.h:333 [inline] BUG: KASAN: use-after-free in putdev drivers/usb/gadget/legacy/inode.c:159 [inline] BUG: KASAN: use-after-free in gadgetfskillsb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086 Write of size 4 at addr ffff8880276d7840 by task syz-executor126/18689

CPU: 0 PID: 18689 Comm: syz-executor126 Not tainted 6.1.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: <TASK> ... atomicfetchsubrelease include/linux/atomic/atomic-instrumented.h:176 [inline] _refcountsubandtest include/linux/refcount.h:272 [inline] _refcountdecandtest include/linux/refcount.h:315 [inline] refcountdecandtest include/linux/refcount.h:333 [inline] putdev drivers/usb/gadget/legacy/inode.c:159 [inline] gadgetfskillsb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086 deactivatelockedsuper+0xa7/0xf0 fs/super.c:332 vfsgetsuper fs/super.c:1190 [inline] gettreesingle+0xd0/0x160 fs/super.c:1207 vfsgettree+0x88/0x270 fs/super.c:1531 vfsfsconfig_locked fs/fsopen.c:232 [inline]

The simplest solution is to ensure that gadgetfsfillsuper() and gadgetfskillsb() are serialized by making them both acquire a new mutex.

References

Affected packages

Debian:11 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.10.178-1

Affected versions

5.*

5.10.46-4

5.10.46-5

5.10.70-1~bpo10+1

5.10.70-1

5.10.84-1

5.10.92-1~bpo10+1

5.10.92-1

5.10.92-2

5.10.103-1~bpo10+1

5.10.103-1

5.10.106-1

5.10.113-1

5.10.120-1~bpo10+1

5.10.120-1

5.10.127-1

5.10.127-2~bpo10+1

5.10.127-2

5.10.136-1

5.10.140-1

5.10.148-1

5.10.149-1

5.10.149-2

5.10.158-1

5.10.158-2

5.10.162-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.1.8-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.1.8-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}