CVE-2022-50005

When the pn532 uart device is detaching, the pn532uartremove() is called. But there are no functions in pn532uartremove() that could delete the cmd_timeout timer, which will cause use-after-free bugs. The process is shown below:

(thread 1)                  |        (thread 2)
                            |  pn532_uart_send_frame

This patch adds deltimersync() in pn532uartremove() in order to prevent the use-after-free bugs. What's more, the pn53xunregisternfc() is well synchronized, it sets nfcdev->shuttingdown to true and there are no syscalls could restart the cmd_timeout timer.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50005.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

c656aa4c27b17a8c70da223ed5ab42145800d6b5

Fixed

50403ee6daddf0d7a14e9d3b51a377c39a08ec8c

Fixed

9c34c33893db7a80d0e4b55c23d3b65e29609cfb

Fixed

2c71f5d55a86fd5969428abf525c1ae6b1c7b0f5

Fixed

f1e941dbf80a9b8bab0bffbc4cbe41cc7f4c6fb6

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50005.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.5.0

Fixed

5.10.140

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

5.15.64

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

5.19.6

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50005.json"