CVE-2022-49755

While performing fast composition switch, there is a possibility that the process of ffsep0write/ffsep0read get into a race condition due to ep0req being freed up from functionfs_unbind.

Consider the scenario that the ffsep0write calls the ffsep0queuewait by taking a lock &ffs->ev.waitq.lock. However, the functionfsunbind isn't bounded so it can go ahead and mark the ep0req to NULL, and since there is no NULL check in ffsep0queue_wait we will end up in use-after-free.

Fix this by making a serialized execution between the two functions using a mutex_lock(ffs->mutex).

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49755.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

ddf8abd2599491cbad959c700b90ba72a5dce8d0

Fixed

facf353c9e8d7885b686d9a4b173d4e0af6441d2

Fixed

e9036e951f93fb8d7b5e9d6e2c7f94a4da312ae4

Fixed

a8d40942df074f4ebcb9bd3413596d92f323b064

Fixed

6dd9ea05534f323668db94fcc2726c7a84547e78

Fixed

ae8e136bcaae96163b5821984de1036efc9abb1a

Fixed

6aee197b7fbcd61596a78b47d553f2f99111f217

Fixed

6a19da111057f69214b97c62fb0ac59023970850

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49755.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.6.35

Fixed

4.14.305

Type: ECOSYSTEM
Events: Introduced

4.15.0

Fixed

4.19.272

Type: ECOSYSTEM
Events: Introduced

4.20.0

Fixed

5.4.231

Type: ECOSYSTEM
Events: Introduced

5.5.0

Fixed

5.10.166

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

5.15.91

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

6.1.9

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49755.json"