CVE-2022-48869

Source
https://cve.org/CVERecord?id=CVE-2022-48869
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48869.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-48869
Downstream
Related
Published
2024-08-21T06:09:59.526Z
Modified
2026-04-11T12:43:08.678801Z
Summary
USB: gadgetfs: Fix race between mounting and unmounting
Details

In the Linux kernel, the following vulnerability has been resolved:

USB: gadgetfs: Fix race between mounting and unmounting

The syzbot fuzzer and Gerald Lee have identified a use-after-free bug in the gadgetfs driver, involving processes concurrently mounting and unmounting the gadgetfs filesystem. In particular, gadgetfs_fill_super() can race with gadgetfs_kill_sb(), causing the latter to deallocate the_device while the former is using it. The output from KASAN says, in part:

BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
BUG: KASAN: use-after-free in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]
BUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline]
BUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline]
BUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline]
BUG: KASAN: use-after-free in put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]
BUG: KASAN: use-after-free in gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086
Write of size 4 at addr ffff8880276d7840 by task syz-executor126/18689

CPU: 0 PID: 18689 Comm: syz-executor126 Not tainted 6.1.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
...
atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]
__refcount_sub_and_test include/linux/refcount.h:272 [inline]
__refcount_dec_and_test include/linux/refcount.h:315 [inline]
refcount_dec_and_test include/linux/refcount.h:333 [inline]
put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]
gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
vfs_get_super fs/super.c:1190 [inline]
get_tree_single+0xd0/0x160 fs/super.c:1207
vfs_get_tree+0x88/0x270 fs/super.c:1531
vfs_fsconfig_locked fs/fsopen.c:232 [inline]

The simplest solution is to ensure that gadgetfs_fill_super() and gadgetfs_kill_sb() are serialized by making them both acquire a new mutex.
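The race and the fix described in the commit message, reduced to a userspace model. This is an added illustration and not the kernel's gadgetfs code: only the names the_device, sb_mutex, fill_super and kill_sb are taken from the advisory; the struct layout, the flags that script the interleaving, and the "quarantine" in put_dev() (a freed device is marked rather than returned to the allocator, so a stale access can be observed the way KASAN observes it in the report) are assumptions made for the model. The mount side publishes the_device and keeps using it; the unmount side drops the reference. Without the mutex the unmount can run inside that window and the mount side reads a freed device; with both sides holding sb_mutex, the unmount simply waits.

```c
/*
 * Userspace model of the gadgetfs mount/unmount race (added example,
 * not kernel code). Names mirror the commit message; everything else
 * is an assumption for the model.
 */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

struct gdev {
    int refcount;
    bool freed;                 /* set by put_dev(); any read after this is a UAF */
};

static struct gdev *the_device;                 /* single-instance device */
static struct gdev *quarantine;                 /* "freed" device, kept so it can be inspected */
static pthread_mutex_t sb_mutex = PTHREAD_MUTEX_INITIALIZER; /* the fix */
static bool use_fix;                            /* false: unserialized (buggy) */
static volatile bool published, unmount_done;   /* script the interleaving */

static void nap_ms(int ms)
{
    struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
}

/* Drop one reference; the last one "frees" the device into quarantine. */
static void put_dev(struct gdev *dev)
{
    if (--dev->refcount == 0) {
        dev->freed = true;
        quarantine = dev;
    }
}

/*
 * Mount side. Publishes the_device, then keeps using it (the real function
 * goes on to build the filesystem). Returns 0 on success, -1 if it touched
 * a device that had already been freed underneath it.
 */
static int fill_super(void)
{
    struct gdev *dev;
    int rc = 0;

    if (use_fix)
        pthread_mutex_lock(&sb_mutex);
    if (the_device) { rc = -1; goto done; }     /* already mounted */

    dev = calloc(1, sizeof *dev);
    if (!dev) { rc = -1; goto done; }
    dev->refcount = 1;
    the_device = dev;
    published = true;

    /* Window in which an unmount may run. Wait up to 500 ms for it so the
     * buggy interleaving reproduces deterministically; with the fix the
     * unmounter is blocked on sb_mutex and this wait just times out. */
    for (int i = 0; i < 50 && !unmount_done; i++)
        nap_ms(10);

    if (dev->freed)                 /* the use-after-free KASAN reports */
        rc = -1;
done:
    if (use_fix)
        pthread_mutex_unlock(&sb_mutex);
    return rc;
}

/* Unmount side: drop the_device the way the kill_sb path does. */
static void *kill_sb(void *arg)
{
    (void)arg;
    while (!published)
        nap_ms(1);
    if (use_fix)
        pthread_mutex_lock(&sb_mutex);
    if (the_device) {
        put_dev(the_device);
        the_device = NULL;
    }
    unmount_done = true;
    if (use_fix)
        pthread_mutex_unlock(&sb_mutex);
    return NULL;
}

/* Run one mount racing one unmount; returns fill_super()'s result. */
int race_once(bool serialized)
{
    pthread_t t;
    int rc;

    use_fix = serialized;
    published = unmount_done = false;
    the_device = quarantine = NULL;
    pthread_create(&t, NULL, kill_sb, NULL);
    rc = fill_super();
    pthread_join(t, NULL);
    free(quarantine);           /* safe now: both sides are done */
    return rc;
}

int main(void)
{
    printf("unserialized: %d (-1 = stale device used)\n", race_once(false));
    printf("with sb_mutex: %d\n", race_once(true));
    return 0;
}
```

The fixed variant takes the lock for the whole of fill_super() and kill_sb(), which is the coarse serialization the commit message describes; a narrower critical section around the_device alone would not help, because the mount side keeps dereferencing the pointer after publishing it.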

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48869.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e5d82a7360d124ae1a38c2a5eac92ba49b125191
Fixed
9a39f4626b361ee7aa10fd990401c37ec3b466ae
Fixed
856e4b5e53f21edbd15d275dde62228dd94fb2b4
Fixed
a2e075f40122d8daf587db126c562a67abd69cf9
Fixed
616fd34d017000ecf9097368b13d8a266f4920b3
Fixed
d18dcfe9860e842f394e37ba01ca9440ab2178f4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48869.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.3.0
Fixed
5.4.230
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.165
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.90
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.8

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48869.json"