CVE-2022-48796
Vulnerability from cvelistv5
Published
2024-07-16 11:43
Modified
2024-12-19 08:07
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: iommu: Fix potential use-after-free during probe Kasan has reported the following use after free on dev->iommu. when a device probe fails and it is in process of freeing dev->iommu in dev_iommu_free function, a deferred_probe_work_func runs in parallel and tries to access dev->iommu->fwspec in of_iommu_configure path thus causing use after free. BUG: KASAN: use-after-free in of_iommu_configure+0xb4/0x4a4 Read of size 8 at addr ffffff87a2f1acb8 by task kworker/u16:2/153 Workqueue: events_unbound deferred_probe_work_func Call trace: dump_backtrace+0x0/0x33c show_stack+0x18/0x24 dump_stack_lvl+0x16c/0x1e0 print_address_description+0x84/0x39c __kasan_report+0x184/0x308 kasan_report+0x50/0x78 __asan_load8+0xc0/0xc4 of_iommu_configure+0xb4/0x4a4 of_dma_configure_id+0x2fc/0x4d4 platform_dma_configure+0x40/0x5c really_probe+0x1b4/0xb74 driver_probe_device+0x11c/0x228 __device_attach_driver+0x14c/0x304 bus_for_each_drv+0x124/0x1b0 __device_attach+0x25c/0x334 device_initial_probe+0x24/0x34 bus_probe_device+0x78/0x134 deferred_probe_work_func+0x130/0x1a8 process_one_work+0x4c8/0x970 worker_thread+0x5c8/0xaec kthread+0x1f8/0x220 ret_from_fork+0x10/0x18 Allocated by task 1: ____kasan_kmalloc+0xd4/0x114 __kasan_kmalloc+0x10/0x1c kmem_cache_alloc_trace+0xe4/0x3d4 __iommu_probe_device+0x90/0x394 probe_iommu_group+0x70/0x9c bus_for_each_dev+0x11c/0x19c bus_iommu_probe+0xb8/0x7d4 bus_set_iommu+0xcc/0x13c arm_smmu_bus_init+0x44/0x130 [arm_smmu] arm_smmu_device_probe+0xb88/0xc54 [arm_smmu] platform_drv_probe+0xe4/0x13c really_probe+0x2c8/0xb74 driver_probe_device+0x11c/0x228 device_driver_attach+0xf0/0x16c __driver_attach+0x80/0x320 bus_for_each_dev+0x11c/0x19c driver_attach+0x38/0x48 bus_add_driver+0x1dc/0x3a4 driver_register+0x18c/0x244 __platform_driver_register+0x88/0x9c init_module+0x64/0xff4 [arm_smmu] do_one_initcall+0x17c/0x2f0 do_init_module+0xe8/0x378 load_module+0x3f80/0x4a40 __se_sys_finit_module+0x1a0/0x1e4 __arm64_sys_finit_module+0x44/0x58 el0_svc_common+0x100/0x264 do_el0_svc+0x38/0xa4 el0_svc+0x20/0x30 el0_sync_handler+0x68/0xac el0_sync+0x160/0x180 Freed by task 1: kasan_set_track+0x4c/0x84 kasan_set_free_info+0x28/0x4c ____kasan_slab_free+0x120/0x15c __kasan_slab_free+0x18/0x28 slab_free_freelist_hook+0x204/0x2fc kfree+0xfc/0x3a4 __iommu_probe_device+0x284/0x394 probe_iommu_group+0x70/0x9c bus_for_each_dev+0x11c/0x19c bus_iommu_probe+0xb8/0x7d4 bus_set_iommu+0xcc/0x13c arm_smmu_bus_init+0x44/0x130 [arm_smmu] arm_smmu_device_probe+0xb88/0xc54 [arm_smmu] platform_drv_probe+0xe4/0x13c really_probe+0x2c8/0xb74 driver_probe_device+0x11c/0x228 device_driver_attach+0xf0/0x16c __driver_attach+0x80/0x320 bus_for_each_dev+0x11c/0x19c driver_attach+0x38/0x48 bus_add_driver+0x1dc/0x3a4 driver_register+0x18c/0x244 __platform_driver_register+0x88/0x9c init_module+0x64/0xff4 [arm_smmu] do_one_initcall+0x17c/0x2f0 do_init_module+0xe8/0x378 load_module+0x3f80/0x4a40 __se_sys_finit_module+0x1a0/0x1e4 __arm64_sys_finit_module+0x44/0x58 el0_svc_common+0x100/0x264 do_el0_svc+0x38/0xa4 el0_svc+0x20/0x30 el0_sync_handler+0x68/0xac el0_sync+0x160/0x180 Fix this by setting dev->iommu to NULL first and then freeing dev_iommu structure in dev_iommu_free function.
Impacted products
Vendor Product Version
Linux Linux Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Version: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux Linux
Show details on NVD website


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T15:25:01.525Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://git.kernel.org/stable/c/cb86e511e78e796de6947b8f3acca1b7c76fb2ff",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://git.kernel.org/stable/c/65ab30f6a6952fa9ee13009862736cf8d110e6e5",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://git.kernel.org/stable/c/f74fc4b5bd533ea3d30ce47cccb8ef8d21fda85a",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://git.kernel.org/stable/c/b54240ad494300ff0994c4539a531727874381f4",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2022-48796",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-09-10T16:59:19.404709Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-09-11T17:34:14.954Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               defaultStatus: "unaffected",
               product: "Linux",
               programFiles: [
                  "drivers/iommu/iommu.c",
               ],
               repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
               vendor: "Linux",
               versions: [
                  {
                     lessThan: "cb86e511e78e796de6947b8f3acca1b7c76fb2ff",
                     status: "affected",
                     version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
                     versionType: "git",
                  },
                  {
                     lessThan: "65ab30f6a6952fa9ee13009862736cf8d110e6e5",
                     status: "affected",
                     version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
                     versionType: "git",
                  },
                  {
                     lessThan: "f74fc4b5bd533ea3d30ce47cccb8ef8d21fda85a",
                     status: "affected",
                     version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
                     versionType: "git",
                  },
                  {
                     lessThan: "b54240ad494300ff0994c4539a531727874381f4",
                     status: "affected",
                     version: "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
                     versionType: "git",
                  },
               ],
            },
            {
               defaultStatus: "affected",
               product: "Linux",
               programFiles: [
                  "drivers/iommu/iommu.c",
               ],
               repo: "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
               vendor: "Linux",
               versions: [
                  {
                     lessThanOrEqual: "5.10.*",
                     status: "unaffected",
                     version: "5.10.101",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "5.15.*",
                     status: "unaffected",
                     version: "5.15.24",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "5.16.*",
                     status: "unaffected",
                     version: "5.16.10",
                     versionType: "semver",
                  },
                  {
                     lessThanOrEqual: "*",
                     status: "unaffected",
                     version: "5.17",
                     versionType: "original_commit_for_fix",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: Fix potential use-after-free during probe\n\nKasan has reported the following use after free on dev->iommu.\nwhen a device probe fails and it is in process of freeing dev->iommu\nin dev_iommu_free function, a deferred_probe_work_func runs in parallel\nand tries to access dev->iommu->fwspec in of_iommu_configure path thus\ncausing use after free.\n\nBUG: KASAN: use-after-free in of_iommu_configure+0xb4/0x4a4\nRead of size 8 at addr ffffff87a2f1acb8 by task kworker/u16:2/153\n\nWorkqueue: events_unbound deferred_probe_work_func\nCall trace:\n dump_backtrace+0x0/0x33c\n show_stack+0x18/0x24\n dump_stack_lvl+0x16c/0x1e0\n print_address_description+0x84/0x39c\n __kasan_report+0x184/0x308\n kasan_report+0x50/0x78\n __asan_load8+0xc0/0xc4\n of_iommu_configure+0xb4/0x4a4\n of_dma_configure_id+0x2fc/0x4d4\n platform_dma_configure+0x40/0x5c\n really_probe+0x1b4/0xb74\n driver_probe_device+0x11c/0x228\n __device_attach_driver+0x14c/0x304\n bus_for_each_drv+0x124/0x1b0\n __device_attach+0x25c/0x334\n device_initial_probe+0x24/0x34\n bus_probe_device+0x78/0x134\n deferred_probe_work_func+0x130/0x1a8\n process_one_work+0x4c8/0x970\n worker_thread+0x5c8/0xaec\n kthread+0x1f8/0x220\n ret_from_fork+0x10/0x18\n\nAllocated by task 1:\n ____kasan_kmalloc+0xd4/0x114\n __kasan_kmalloc+0x10/0x1c\n kmem_cache_alloc_trace+0xe4/0x3d4\n __iommu_probe_device+0x90/0x394\n probe_iommu_group+0x70/0x9c\n bus_for_each_dev+0x11c/0x19c\n bus_iommu_probe+0xb8/0x7d4\n bus_set_iommu+0xcc/0x13c\n arm_smmu_bus_init+0x44/0x130 [arm_smmu]\n arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]\n platform_drv_probe+0xe4/0x13c\n really_probe+0x2c8/0xb74\n driver_probe_device+0x11c/0x228\n device_driver_attach+0xf0/0x16c\n __driver_attach+0x80/0x320\n bus_for_each_dev+0x11c/0x19c\n driver_attach+0x38/0x48\n bus_add_driver+0x1dc/0x3a4\n driver_register+0x18c/0x244\n __platform_driver_register+0x88/0x9c\n init_module+0x64/0xff4 [arm_smmu]\n do_one_initcall+0x17c/0x2f0\n do_init_module+0xe8/0x378\n load_module+0x3f80/0x4a40\n __se_sys_finit_module+0x1a0/0x1e4\n __arm64_sys_finit_module+0x44/0x58\n el0_svc_common+0x100/0x264\n do_el0_svc+0x38/0xa4\n el0_svc+0x20/0x30\n el0_sync_handler+0x68/0xac\n el0_sync+0x160/0x180\n\nFreed by task 1:\n kasan_set_track+0x4c/0x84\n kasan_set_free_info+0x28/0x4c\n ____kasan_slab_free+0x120/0x15c\n __kasan_slab_free+0x18/0x28\n slab_free_freelist_hook+0x204/0x2fc\n kfree+0xfc/0x3a4\n __iommu_probe_device+0x284/0x394\n probe_iommu_group+0x70/0x9c\n bus_for_each_dev+0x11c/0x19c\n bus_iommu_probe+0xb8/0x7d4\n bus_set_iommu+0xcc/0x13c\n arm_smmu_bus_init+0x44/0x130 [arm_smmu]\n arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]\n platform_drv_probe+0xe4/0x13c\n really_probe+0x2c8/0xb74\n driver_probe_device+0x11c/0x228\n device_driver_attach+0xf0/0x16c\n __driver_attach+0x80/0x320\n bus_for_each_dev+0x11c/0x19c\n driver_attach+0x38/0x48\n bus_add_driver+0x1dc/0x3a4\n driver_register+0x18c/0x244\n __platform_driver_register+0x88/0x9c\n init_module+0x64/0xff4 [arm_smmu]\n do_one_initcall+0x17c/0x2f0\n do_init_module+0xe8/0x378\n load_module+0x3f80/0x4a40\n __se_sys_finit_module+0x1a0/0x1e4\n __arm64_sys_finit_module+0x44/0x58\n el0_svc_common+0x100/0x264\n do_el0_svc+0x38/0xa4\n el0_svc+0x20/0x30\n el0_sync_handler+0x68/0xac\n el0_sync+0x160/0x180\n\nFix this by setting dev->iommu to NULL first and\nthen freeing dev_iommu structure in dev_iommu_free\nfunction.",
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-12-19T08:07:53.866Z",
            orgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
            shortName: "Linux",
         },
         references: [
            {
               url: "https://git.kernel.org/stable/c/cb86e511e78e796de6947b8f3acca1b7c76fb2ff",
            },
            {
               url: "https://git.kernel.org/stable/c/65ab30f6a6952fa9ee13009862736cf8d110e6e5",
            },
            {
               url: "https://git.kernel.org/stable/c/f74fc4b5bd533ea3d30ce47cccb8ef8d21fda85a",
            },
            {
               url: "https://git.kernel.org/stable/c/b54240ad494300ff0994c4539a531727874381f4",
            },
         ],
         title: "iommu: Fix potential use-after-free during probe",
         x_generator: {
            engine: "bippy-5f407fcff5a0",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      assignerShortName: "Linux",
      cveId: "CVE-2022-48796",
      datePublished: "2024-07-16T11:43:50.796Z",
      dateReserved: "2024-07-16T11:38:08.895Z",
      dateUpdated: "2024-12-19T08:07:53.866Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2022-48796\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-07-16T12:15:04.293\",\"lastModified\":\"2025-01-10T19:06:40.740\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\niommu: Fix potential use-after-free during probe\\n\\nKasan has reported the following use after free on dev->iommu.\\nwhen a device probe fails and it is in process of freeing dev->iommu\\nin dev_iommu_free function, a deferred_probe_work_func runs in parallel\\nand tries to access dev->iommu->fwspec in of_iommu_configure path thus\\ncausing use after free.\\n\\nBUG: KASAN: use-after-free in of_iommu_configure+0xb4/0x4a4\\nRead of size 8 at addr ffffff87a2f1acb8 by task kworker/u16:2/153\\n\\nWorkqueue: events_unbound deferred_probe_work_func\\nCall trace:\\n dump_backtrace+0x0/0x33c\\n show_stack+0x18/0x24\\n dump_stack_lvl+0x16c/0x1e0\\n print_address_description+0x84/0x39c\\n __kasan_report+0x184/0x308\\n kasan_report+0x50/0x78\\n __asan_load8+0xc0/0xc4\\n of_iommu_configure+0xb4/0x4a4\\n of_dma_configure_id+0x2fc/0x4d4\\n platform_dma_configure+0x40/0x5c\\n really_probe+0x1b4/0xb74\\n driver_probe_device+0x11c/0x228\\n __device_attach_driver+0x14c/0x304\\n bus_for_each_drv+0x124/0x1b0\\n __device_attach+0x25c/0x334\\n device_initial_probe+0x24/0x34\\n bus_probe_device+0x78/0x134\\n deferred_probe_work_func+0x130/0x1a8\\n process_one_work+0x4c8/0x970\\n worker_thread+0x5c8/0xaec\\n kthread+0x1f8/0x220\\n ret_from_fork+0x10/0x18\\n\\nAllocated by task 1:\\n ____kasan_kmalloc+0xd4/0x114\\n __kasan_kmalloc+0x10/0x1c\\n kmem_cache_alloc_trace+0xe4/0x3d4\\n __iommu_probe_device+0x90/0x394\\n probe_iommu_group+0x70/0x9c\\n bus_for_each_dev+0x11c/0x19c\\n bus_iommu_probe+0xb8/0x7d4\\n bus_set_iommu+0xcc/0x13c\\n arm_smmu_bus_init+0x44/0x130 [arm_smmu]\\n arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]\\n platform_drv_probe+0xe4/0x13c\\n really_probe+0x2c8/0xb74\\n driver_probe_device+0x11c/0x228\\n device_driver_attach+0xf0/0x16c\\n __driver_attach+0x80/0x320\\n bus_for_each_dev+0x11c/0x19c\\n driver_attach+0x38/0x48\\n bus_add_driver+0x1dc/0x3a4\\n driver_register+0x18c/0x244\\n __platform_driver_register+0x88/0x9c\\n init_module+0x64/0xff4 [arm_smmu]\\n do_one_initcall+0x17c/0x2f0\\n do_init_module+0xe8/0x378\\n load_module+0x3f80/0x4a40\\n __se_sys_finit_module+0x1a0/0x1e4\\n __arm64_sys_finit_module+0x44/0x58\\n el0_svc_common+0x100/0x264\\n do_el0_svc+0x38/0xa4\\n el0_svc+0x20/0x30\\n el0_sync_handler+0x68/0xac\\n el0_sync+0x160/0x180\\n\\nFreed by task 1:\\n kasan_set_track+0x4c/0x84\\n kasan_set_free_info+0x28/0x4c\\n ____kasan_slab_free+0x120/0x15c\\n __kasan_slab_free+0x18/0x28\\n slab_free_freelist_hook+0x204/0x2fc\\n kfree+0xfc/0x3a4\\n __iommu_probe_device+0x284/0x394\\n probe_iommu_group+0x70/0x9c\\n bus_for_each_dev+0x11c/0x19c\\n bus_iommu_probe+0xb8/0x7d4\\n bus_set_iommu+0xcc/0x13c\\n arm_smmu_bus_init+0x44/0x130 [arm_smmu]\\n arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]\\n platform_drv_probe+0xe4/0x13c\\n really_probe+0x2c8/0xb74\\n driver_probe_device+0x11c/0x228\\n device_driver_attach+0xf0/0x16c\\n __driver_attach+0x80/0x320\\n bus_for_each_dev+0x11c/0x19c\\n driver_attach+0x38/0x48\\n bus_add_driver+0x1dc/0x3a4\\n driver_register+0x18c/0x244\\n __platform_driver_register+0x88/0x9c\\n init_module+0x64/0xff4 [arm_smmu]\\n do_one_initcall+0x17c/0x2f0\\n do_init_module+0xe8/0x378\\n load_module+0x3f80/0x4a40\\n __se_sys_finit_module+0x1a0/0x1e4\\n __arm64_sys_finit_module+0x44/0x58\\n el0_svc_common+0x100/0x264\\n do_el0_svc+0x38/0xa4\\n el0_svc+0x20/0x30\\n el0_sync_handler+0x68/0xac\\n el0_sync+0x160/0x180\\n\\nFix this by setting dev->iommu to NULL first and\\nthen freeing dev_iommu structure in dev_iommu_free\\nfunction.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvió la siguiente vulnerabilidad: iommu: corrige el posible use-after-free durante la prueba Kasan ha informado el siguiente use-after-free en dev->iommu. cuando falla la sonda de un dispositivo y está en proceso de liberar dev->iommu en la función dev_iommu_free, una deferred_probe_work_func se ejecuta en paralelo e intenta acceder a dev->iommu->fwspec en la ruta of_iommu_configure, lo que provoca el use-after-free. ERROR: KASAN: use-after-free en of_iommu_configure+0xb4/0x4a4 Lectura de tamaño 8 en la dirección ffffff87a2f1acb8 por tarea kworker/u16:2/153 Cola de trabajo: events_unbound deferred_probe_work_func Seguimiento de llamadas: dump_backtrace+0x0/0x33c show_stack+0x18/0x24 dump_stack_ nivel+ 0x16c/0x1e0 print_address_description+0x84/0x39c __kasan_report+0x184/0x308 kasan_report+0x50/0x78 __asan_load8+0xc0/0xc4 of_iommu_configure+0xb4/0x4a4 of_dma_configure_id+0x2fc/0x4d4 platform_ dma_configure+0x40/0x5c very_probe+0x1b4/0xb74 driver_probe_device+0x11c/0x228 __device_attach_driver+ 6 970 work_thread+0x5c8/0xaec kthread+0x1f8/0x220 ret_from_fork+0x10/0x18 Asignado por tarea 1: ____kasan_kmalloc+0xd4/0x114 __kasan_kmalloc+0x10/0x1c kmem_cache_alloc_trace+0xe4/0x3d4 __iommu_probe_device+0x90/0x394 probe_iommu_group+0x70/0x9c bus_for_each_dev+0x11c/0x19c bus_ iommu_probe+0xb8/0x7d4 bus_set_iommu+0xcc/0x13c arm_smmu_bus_init+0x44/0x130 [arm_smmu ] arm_smmu_device_probe+0xb88/0xc54 [arm_smmu] platform_drv_probe+0xe4/0x13c very_probe+0x2c8/0xb74 driver_probe_device+0x11c/0x228 dispositivo_driver_attach+0xf0/0x16c __driver_attach+0x80/0x320 _for_each_dev+0x11c/0x19c driver_attach+0x38/0x48 bus_add_driver+0x1dc/0x3a4 driver_register +0x18c/0x244 __platform_driver_register+0x88/0x9c init_module+0x64/0xff4 [arm_smmu] do_one_initcall+0x17c/0x2f0 do_init_module+0xe8/0x378 load_module+0x3f80/0x4a40 __se_sys_finit_module+ 0x1a0/0x1e4 __arm64_sys_finit_module+0x44/0x58 el0_svc_common+0x100/0x264 do_el0_svc+0x38 /0xa4 el0_svc+0x20/0x30 el0_sync_handler+0x68/0xac el0_sync+0x160/0x180 Liberado por la tarea 1: kasan_set_track+0x4c/0x84 kasan_set_free_info+0x28/0x4c ____kasan_slab_free+0x120/0x15c 0x18/0x28 slab_free_freelist_hook+0x204/0x2fc kfree+0xfc /0x3a4 __iommu_probe_device+0x284/0x394 probe_iommu_group+0x70/0x9c bus_for_each_dev+0x11c/0x19c bus_iommu_probe+0xb8/0x7d4 bus_set_iommu+0xcc/0x13c arm_smmu_bus_init+0x44/0x130 [arm_smmu] arm_smmu_device_probe+0xb88/0xc54 [arm_smmu] platform_drv_probe+0xe4/0x13c realmente_probe+ 0x2c8/0xb74 driver_probe_device+0x11c/0x228 dispositivo_driver_attach+0xf0/0x16c __driver_attach+0x80/0x320 bus_for_each_dev+0x11c/0x19c driver_attach+0x38/0x48 bus_add_driver+0x1dc/0x3a4 ister+0x18c/0x244 __platform_driver_register+0x88/0x9c init_module+0x64/0xff4 [arm_smmu ] do_one_initcall+0x17c/0x2f0 do_init_module+0xe8/0x378 load_module+0x3f80/0x4a40 __se_sys_finit_module+0x1a0/0x1e4 __arm64_sys_finit_module+0x44/0x58 el0_svc_common+0x100/ 0x264 do_el0_svc+0x38/0xa4 el0_svc+0x20/0x30 el0_sync_handler+0x68/0xac el0_sync+0x160/ 0x180 Solucione este problema configurando dev->iommu en NULL primero y luego liberando la estructura dev_iommu en la función dev_iommu_free.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.7\",\"versionEndExcluding\":\"5.10.101\",\"matchCriteriaId\":\"432EF7FE-42B1-408E-A4B7-82448815F521\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.24\",\"matchCriteriaId\":\"866451F0-299E-416C-B0B8-AE6B33E62CCA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"5.16.10\",\"matchCriteriaId\":\"679523BA-1392-404B-AB85-F5A5408B1ECC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"7BD5F8D9-54FA-4CB0-B4F0-CB0471FDDB2D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.17:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"E6E34B23-78B4-4516-9BD8-61B33F4AC49A\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/65ab30f6a6952fa9ee13009862736cf8d110e6e5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b54240ad494300ff0994c4539a531727874381f4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/cb86e511e78e796de6947b8f3acca1b7c76fb2ff\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f74fc4b5bd533ea3d30ce47cccb8ef8d21fda85a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/65ab30f6a6952fa9ee13009862736cf8d110e6e5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b54240ad494300ff0994c4539a531727874381f4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/cb86e511e78e796de6947b8f3acca1b7c76fb2ff\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f74fc4b5bd533ea3d30ce47cccb8ef8d21fda85a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/cb86e511e78e796de6947b8f3acca1b7c76fb2ff\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/65ab30f6a6952fa9ee13009862736cf8d110e6e5\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/f74fc4b5bd533ea3d30ce47cccb8ef8d21fda85a\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/b54240ad494300ff0994c4539a531727874381f4\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T15:25:01.525Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-48796\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-10T16:59:19.404709Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-11T12:42:21.593Z\"}}], \"cna\": {\"title\": \"iommu: Fix potential use-after-free during probe\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\", \"lessThan\": \"cb86e511e78e796de6947b8f3acca1b7c76fb2ff\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\", \"lessThan\": \"65ab30f6a6952fa9ee13009862736cf8d110e6e5\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\", \"lessThan\": \"f74fc4b5bd533ea3d30ce47cccb8ef8d21fda85a\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2\", \"lessThan\": \"b54240ad494300ff0994c4539a531727874381f4\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/iommu/iommu.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"5.10.101\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.24\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"5.16.10\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.16.*\"}, {\"status\": \"unaffected\", \"version\": \"5.17\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/iommu/iommu.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/cb86e511e78e796de6947b8f3acca1b7c76fb2ff\"}, {\"url\": \"https://git.kernel.org/stable/c/65ab30f6a6952fa9ee13009862736cf8d110e6e5\"}, {\"url\": \"https://git.kernel.org/stable/c/f74fc4b5bd533ea3d30ce47cccb8ef8d21fda85a\"}, {\"url\": \"https://git.kernel.org/stable/c/b54240ad494300ff0994c4539a531727874381f4\"}], \"x_generator\": {\"engine\": \"bippy-5f407fcff5a0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\niommu: Fix potential use-after-free during probe\\n\\nKasan has reported the following use after free on dev->iommu.\\nwhen a device probe fails and it is in process of freeing dev->iommu\\nin dev_iommu_free function, a deferred_probe_work_func runs in parallel\\nand tries to access dev->iommu->fwspec in of_iommu_configure path thus\\ncausing use after free.\\n\\nBUG: KASAN: use-after-free in of_iommu_configure+0xb4/0x4a4\\nRead of size 8 at addr ffffff87a2f1acb8 by task kworker/u16:2/153\\n\\nWorkqueue: events_unbound deferred_probe_work_func\\nCall trace:\\n dump_backtrace+0x0/0x33c\\n show_stack+0x18/0x24\\n dump_stack_lvl+0x16c/0x1e0\\n print_address_description+0x84/0x39c\\n __kasan_report+0x184/0x308\\n kasan_report+0x50/0x78\\n __asan_load8+0xc0/0xc4\\n of_iommu_configure+0xb4/0x4a4\\n of_dma_configure_id+0x2fc/0x4d4\\n platform_dma_configure+0x40/0x5c\\n really_probe+0x1b4/0xb74\\n driver_probe_device+0x11c/0x228\\n __device_attach_driver+0x14c/0x304\\n bus_for_each_drv+0x124/0x1b0\\n __device_attach+0x25c/0x334\\n device_initial_probe+0x24/0x34\\n bus_probe_device+0x78/0x134\\n deferred_probe_work_func+0x130/0x1a8\\n process_one_work+0x4c8/0x970\\n worker_thread+0x5c8/0xaec\\n kthread+0x1f8/0x220\\n ret_from_fork+0x10/0x18\\n\\nAllocated by task 1:\\n ____kasan_kmalloc+0xd4/0x114\\n __kasan_kmalloc+0x10/0x1c\\n kmem_cache_alloc_trace+0xe4/0x3d4\\n __iommu_probe_device+0x90/0x394\\n probe_iommu_group+0x70/0x9c\\n bus_for_each_dev+0x11c/0x19c\\n bus_iommu_probe+0xb8/0x7d4\\n bus_set_iommu+0xcc/0x13c\\n arm_smmu_bus_init+0x44/0x130 [arm_smmu]\\n arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]\\n platform_drv_probe+0xe4/0x13c\\n really_probe+0x2c8/0xb74\\n driver_probe_device+0x11c/0x228\\n device_driver_attach+0xf0/0x16c\\n __driver_attach+0x80/0x320\\n bus_for_each_dev+0x11c/0x19c\\n driver_attach+0x38/0x48\\n bus_add_driver+0x1dc/0x3a4\\n driver_register+0x18c/0x244\\n __platform_driver_register+0x88/0x9c\\n init_module+0x64/0xff4 [arm_smmu]\\n do_one_initcall+0x17c/0x2f0\\n do_init_module+0xe8/0x378\\n load_module+0x3f80/0x4a40\\n __se_sys_finit_module+0x1a0/0x1e4\\n __arm64_sys_finit_module+0x44/0x58\\n el0_svc_common+0x100/0x264\\n do_el0_svc+0x38/0xa4\\n el0_svc+0x20/0x30\\n el0_sync_handler+0x68/0xac\\n el0_sync+0x160/0x180\\n\\nFreed by task 1:\\n kasan_set_track+0x4c/0x84\\n kasan_set_free_info+0x28/0x4c\\n ____kasan_slab_free+0x120/0x15c\\n __kasan_slab_free+0x18/0x28\\n slab_free_freelist_hook+0x204/0x2fc\\n kfree+0xfc/0x3a4\\n __iommu_probe_device+0x284/0x394\\n probe_iommu_group+0x70/0x9c\\n bus_for_each_dev+0x11c/0x19c\\n bus_iommu_probe+0xb8/0x7d4\\n bus_set_iommu+0xcc/0x13c\\n arm_smmu_bus_init+0x44/0x130 [arm_smmu]\\n arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]\\n platform_drv_probe+0xe4/0x13c\\n really_probe+0x2c8/0xb74\\n driver_probe_device+0x11c/0x228\\n device_driver_attach+0xf0/0x16c\\n __driver_attach+0x80/0x320\\n bus_for_each_dev+0x11c/0x19c\\n driver_attach+0x38/0x48\\n bus_add_driver+0x1dc/0x3a4\\n driver_register+0x18c/0x244\\n __platform_driver_register+0x88/0x9c\\n init_module+0x64/0xff4 [arm_smmu]\\n do_one_initcall+0x17c/0x2f0\\n do_init_module+0xe8/0x378\\n load_module+0x3f80/0x4a40\\n __se_sys_finit_module+0x1a0/0x1e4\\n __arm64_sys_finit_module+0x44/0x58\\n el0_svc_common+0x100/0x264\\n do_el0_svc+0x38/0xa4\\n el0_svc+0x20/0x30\\n el0_sync_handler+0x68/0xac\\n el0_sync+0x160/0x180\\n\\nFix this by setting dev->iommu to NULL first and\\nthen freeing dev_iommu structure in dev_iommu_free\\nfunction.\"}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2024-12-19T08:07:53.866Z\"}}}",
         cveMetadata: "{\"cveId\": \"CVE-2022-48796\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-19T08:07:53.866Z\", \"dateReserved\": \"2024-07-16T11:38:08.895Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-07-16T11:43:50.796Z\", \"assignerShortName\": \"Linux\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.