fkie_cve-2022-48872
Vulnerability from fkie_nvd
Published
2024-08-21 07:15
Modified
2024-09-06 14:30
Severity ?
7.0 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix use-after-free race condition for maps It is possible that in between calling fastrpc_map_get() until map->fl->lock is taken in fastrpc_free_map(), another thread can call fastrpc_map_lookup() and get a reference to a map that is about to be deleted. Rewrite fastrpc_map_get() to only increase the reference count of a map if it's non-zero. Propagate this to callers so they can know if a map is about to be deleted. Fixes this warning: refcount_t: addition on 0; use-after-free. WARNING: CPU: 5 PID: 10100 at lib/refcount.c:25 refcount_warn_saturate ... Call trace: refcount_warn_saturate [fastrpc_map_get inlined] [fastrpc_map_lookup inlined] fastrpc_map_create fastrpc_internal_invoke fastrpc_device_ioctl __arm64_sys_ioctl invoke_syscall
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/079c78c68714f7d8d58e66c477b0243b31806907Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/556dfdb226ce1e5231d8836159b23f8bb0395bf4Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/61a0890cb95afec5c8a2f4a879de2b6220984ef1Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/96b328d119eca7563c1edcc4e1039a62e6370ecbPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/b171d0d2cf1b8387c72c8d325c5d5746fa271e39Patch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel 6.2
linux linux_kernel 6.2
linux linux_kernel 6.2
linux linux_kernel 6.2


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D5DAF18C-BC5F-4D9D-A710-21074AD7750B",
              "versionEndExcluding": "5.4.230",
              "versionStartIncluding": "5.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C6002D5B-9B6A-4788-B943-E3EE01E01303",
              "versionEndExcluding": "5.10.165",
              "versionStartIncluding": "5.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E995CDA5-7223-4FDB-BAD3-81B22C763A43",
              "versionEndExcluding": "5.15.90",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CDB2EE10-7AC0-4F90-BC35-A5139EEE551B",
              "versionEndExcluding": "6.2",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "FF501633-2F44-4913-A8EE-B021929F49F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "2BDA597B-CAC1-4DF0-86F0-42E142C654E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "725C78C9-12CE-406F-ABE8-0813A01D66E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "A127C155-689C-4F67-B146-44A57F4BFD85",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: fastrpc: Fix use-after-free race condition for maps\n\nIt is possible that in between calling fastrpc_map_get() until\nmap-\u003efl-\u003elock is taken in fastrpc_free_map(), another thread can call\nfastrpc_map_lookup() and get a reference to a map that is about to be\ndeleted.\n\nRewrite fastrpc_map_get() to only increase the reference count of a map\nif it\u0027s non-zero. Propagate this to callers so they can know if a map is\nabout to be deleted.\n\nFixes this warning:\nrefcount_t: addition on 0; use-after-free.\nWARNING: CPU: 5 PID: 10100 at lib/refcount.c:25 refcount_warn_saturate\n...\nCall trace:\n refcount_warn_saturate\n [fastrpc_map_get inlined]\n [fastrpc_map_lookup inlined]\n fastrpc_map_create\n fastrpc_internal_invoke\n fastrpc_device_ioctl\n __arm64_sys_ioctl\n invoke_syscall"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: misc: fastrpc: corrige la condici\u00f3n de ejecuci\u00f3n de use-after-free para mapas. Es posible que entre llamadas a fastrpc_map_get() hasta que se tome map-\u0026gt;fl-\u0026gt;lock en fastrpc_free_map() , otro hilo puede llamar a fastrpc_map_lookup() y obtener una referencia a un mapa que est\u00e1 a punto de ser eliminado. Vuelva a escribir fastrpc_map_get() para aumentar solo el recuento de referencias de un mapa si no es cero. Propague esto a las personas que llaman para que puedan saber si un mapa est\u00e1 a punto de ser eliminado. Corrige esta advertencia: refcount_t: adici\u00f3n en 0; use-after-free. ADVERTENCIA: CPU: 5 PID: 10100 en lib/refcount.c:25 refcount_warn_saturate... Rastreo de llamadas: refcount_warn_saturate [fastrpc_map_get inlined] [fastrpc_map_lookup inlined] fastrpc_map_create fastrpc_internal_invoke fastrpc_device_ioctl __arm64_sys_ioctl invoke_sy llamar"
    }
  ],
  "id": "CVE-2022-48872",
  "lastModified": "2024-09-06T14:30:06.730",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.0,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-08-21T07:15:04.267",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/079c78c68714f7d8d58e66c477b0243b31806907"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/556dfdb226ce1e5231d8836159b23f8bb0395bf4"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/61a0890cb95afec5c8a2f4a879de2b6220984ef1"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/96b328d119eca7563c1edcc4e1039a62e6370ecb"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/b171d0d2cf1b8387c72c8d325c5d5746fa271e39"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-416"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.