Message-ID: <2024071650-CVE-2022-48822-48d1@gregkh>
Date: Tue, 16 Jul 2024 13:46:14 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2022-48822: usb: f_fs: Fix use-after-free for epfile
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
usb: f_fs: Fix use-after-free for epfile
Consider a case where ffs_func_eps_disable is called from
ffs_func_disable as part of a composition switch and at the
same time ffs_epfile_release gets called from userspace.
ffs_epfile_release will free up the read buffer and call
ffs_data_closed, which in turn destroys ffs->epfiles and
marks it as NULL. While this is happening the driver has
already initialized the local epfile in ffs_func_eps_disable,
which is now freed, and is waiting to acquire the spinlock. Once
the spinlock is acquired the driver proceeds with the stale value
of epfile and tries to free the already freed read buffer,
causing a use-after-free.
Following is the illustration of the race:

        CPU1                                  CPU2
  ffs_func_eps_disable
    epfiles (local copy)
                                        ffs_epfile_release
                                        ffs_data_closed
                                        if (last file closed)
                                        ffs_data_reset
                                        ffs_data_clear
                                        ffs_epfiles_destroy
  spin_lock
  dereference epfiles
Fix this race by taking the epfiles local copy & assigning it under the
spinlock, and if epfiles (local) is null then update it in ffs->epfiles,
then finally destroy it.
Extending the scope further from the race, protecting the ep-related
structures and concurrent accesses.
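The interleaving in the diagram and the "claim the pointer under the lock" shape of the fix, replayed as an added example. This is a constructed single-threaded model, not code from drivers/usb/gadget/function/f_fs.c: every name (ffs_model, epfile_model, data_clear, eps_disable_*, replay_race) is hypothetical, an atomic_int stands in for the kernel spinlock, and a "destroyed" flag stands in for kfree() so that the buggy ordering can be executed and counted rather than corrupting the heap.

```c
/*
 * Constructed, single-threaded model of the race in this advisory, added as
 * an example; it is NOT code from drivers/usb/gadget/function/f_fs.c. All
 * names here are hypothetical, an atomic_int stands in for the kernel
 * spinlock, and a "destroyed" flag stands in for kfree() so the buggy
 * interleaving can be executed and counted instead of corrupting the heap.
 */
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

#define EPS_COUNT 2

typedef atomic_int lock_model;                 /* stand-in for spinlock_t */
static void lock_acquire(lock_model *l) { while (atomic_exchange(l, 1)) { } }
static void lock_release(lock_model *l) { atomic_store(l, 0); }

struct epfile_model { int destroyed; };        /* 1 once "freed" */

struct ffs_model {
    lock_model eps_lock;
    struct epfile_model *epfiles;              /* NULL once torn down */
    struct epfile_model storage[EPS_COUNT];
    int stale_uses;                            /* uses of a destroyed epfile */
};

void ffs_model_init(struct ffs_model *ffs)
{
    atomic_store(&ffs->eps_lock, 0);
    for (size_t i = 0; i < EPS_COUNT; i++)
        ffs->storage[i].destroyed = 0;
    ffs->epfiles = ffs->storage;
    ffs->stale_uses = 0;
}

/* CPU2 in the diagram (ffs_data_clear -> ffs_epfiles_destroy). As in the fix,
 * the pointer is claimed (copied and set to NULL) under eps_lock, so exactly
 * one caller ever owns the array it tears down. */
void data_clear(struct ffs_model *ffs)
{
    lock_acquire(&ffs->eps_lock);
    struct epfile_model *epfiles = ffs->epfiles;
    ffs->epfiles = NULL;
    lock_release(&ffs->eps_lock);
    if (!epfiles)
        return;                                /* already torn down */
    for (size_t i = 0; i < EPS_COUNT; i++)
        epfiles[i].destroyed = 1;              /* read buffer + epfile freed */
}

/* CPU1 before the fix: the local copy is taken BEFORE the lock. Split in two
 * so replay_race can slot data_clear between the snapshot and the use. */
struct epfile_model *eps_disable_buggy_snapshot(struct ffs_model *ffs)
{
    return ffs->epfiles;                       /* unprotected read */
}

void eps_disable_buggy_use(struct ffs_model *ffs, struct epfile_model *epfiles)
{
    lock_acquire(&ffs->eps_lock);
    if (epfiles)                               /* stale copy, never re-read */
        for (size_t i = 0; i < EPS_COUNT; i++)
            ffs->stale_uses += epfiles[i].destroyed;   /* the use-after-free */
    lock_release(&ffs->eps_lock);
}

/* CPU1 after the fix: read ffs->epfiles under eps_lock and bail out if the
 * release path has already claimed it. */
void eps_disable_fixed(struct ffs_model *ffs)
{
    lock_acquire(&ffs->eps_lock);
    struct epfile_model *epfiles = ffs->epfiles;
    if (epfiles)
        for (size_t i = 0; i < EPS_COUNT; i++)
            ffs->stale_uses += epfiles[i].destroyed;   /* never fires */
    lock_release(&ffs->eps_lock);
}

/* Replay the advisory's interleaving; returns the number of stale accesses:
 * one per epfile for the buggy shape, zero for the fixed one. */
int replay_race(int fixed)
{
    struct ffs_model ffs;
    ffs_model_init(&ffs);
    if (fixed) {
        data_clear(&ffs);                      /* CPU2 claims and destroys */
        eps_disable_fixed(&ffs);               /* CPU1 sees NULL and skips */
    } else {
        struct epfile_model *snap = eps_disable_buggy_snapshot(&ffs);
        data_clear(&ffs);                      /* CPU2 frees under CPU1 */
        eps_disable_buggy_use(&ffs, snap);     /* CPU1 uses the stale copy */
    }
    return ffs.stale_uses;
}

int main(void)
{
    printf("buggy: %d stale uses, fixed: %d\n", replay_race(0), replay_race(1));
    return 0;
}
```

The point the model isolates is ownership: once both sides read and clear ffs->epfiles inside the same critical section, whichever path loses the lock race sees NULL and has nothing to free, so there is no stale copy left to dereference. The defensive rule generalises to any pointer that one path frees while another path may still copy it: copy it and null it as one locked step, and free only what you claimed.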
The Linux kernel CVE team has assigned CVE-2022-48822 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.9 with commit a9e6f83c2df1 and fixed in 4.14.267 with commit 32048f4be071
Issue introduced in 4.9 with commit a9e6f83c2df1 and fixed in 4.19.230 with commit cfe5f6fd335d
Issue introduced in 4.9 with commit a9e6f83c2df1 and fixed in 5.4.180 with commit c9fc422c9a43
Issue introduced in 4.9 with commit a9e6f83c2df1 and fixed in 5.10.101 with commit 0042178a69eb
Issue introduced in 4.9 with commit a9e6f83c2df1 and fixed in 5.15.24 with commit 72a8aee863af
Issue introduced in 4.9 with commit a9e6f83c2df1 and fixed in 5.16.10 with commit 3e078b187536
Issue introduced in 4.9 with commit a9e6f83c2df1 and fixed in 5.17 with commit ebe2b1add105
Issue introduced in 4.8.10 with commit 5cd8f6788ff3
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2022-48822
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/usb/gadget/function/f_fs.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/32048f4be071f9a6966744243f1786f45bb22dc2
https://git.kernel.org/stable/c/cfe5f6fd335d882bcc829a1c8a7d462a455c626e
https://git.kernel.org/stable/c/c9fc422c9a43e3d58d246334a71f3390401781dc
https://git.kernel.org/stable/c/0042178a69eb77a979e36a50dcce9794a3140ef8
https://git.kernel.org/stable/c/72a8aee863af099d4434314c4536d6c9a61dcf3c
https://git.kernel.org/stable/c/3e078b18753669615301d946297bafd69294ad2c
https://git.kernel.org/stable/c/ebe2b1add1055b903e2acd86b290a85297edc0b3