| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2024082106-CVE-2022-48872-6010@gregkh> Date: Wed, 21 Aug 2024 14:11:06 +0800 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2022-48872: misc: fastrpc: Fix use-after-free race condition for maps Description =========== In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix use-after-free race condition for maps It is possible that in between calling fastrpc_map_get() until map->fl->lock is taken in fastrpc_free_map(), another thread can call fastrpc_map_lookup() and get a reference to a map that is about to be deleted. Rewrite fastrpc_map_get() to only increase the reference count of a map if it's non-zero. Propagate this to callers so they can know if a map is about to be deleted. Fixes this warning: refcount_t: addition on 0; use-after-free. WARNING: CPU: 5 PID: 10100 at lib/refcount.c:25 refcount_warn_saturate ... Call trace: refcount_warn_saturate [fastrpc_map_get inlined] [fastrpc_map_lookup inlined] fastrpc_map_create fastrpc_internal_invoke fastrpc_device_ioctl __arm64_sys_ioctl invoke_syscall The Linux kernel CVE team has assigned CVE-2022-48872 to this issue. Affected and fixed versions =========================== Issue introduced in 5.1 with commit c68cfb718c8f and fixed in 5.4.230 with commit 556dfdb226ce Issue introduced in 5.1 with commit c68cfb718c8f and fixed in 5.10.165 with commit b171d0d2cf1b Issue introduced in 5.1 with commit c68cfb718c8f and fixed in 5.15.90 with commit 61a0890cb95a Issue introduced in 5.1 with commit c68cfb718c8f and fixed in 6.1.8 with commit 079c78c68714 Issue introduced in 5.1 with commit c68cfb718c8f and fixed in 6.2 with commit 96b328d119ec Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-48872 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/misc/fastrpc.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/556dfdb226ce1e5231d8836159b23f8bb0395bf4 https://git.kernel.org/stable/c/b171d0d2cf1b8387c72c8d325c5d5746fa271e39 https://git.kernel.org/stable/c/61a0890cb95afec5c8a2f4a879de2b6220984ef1 https://git.kernel.org/stable/c/079c78c68714f7d8d58e66c477b0243b31806907 https://git.kernel.org/stable/c/96b328d119eca7563c1edcc4e1039a62e6370ecb
Powered by blists - more mailing lists