ghsa-qh76-9567-4h37
Vulnerability from github
Published
2025-09-15 15:31
Modified
2025-09-15 15:31
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/meson: remove drm bridges at aggregate driver unbind time

drm bridges added by meson_encoder_hdmi_init and meson_encoder_cvbs_init were not manually removed at module unload time, which caused dangling references to freed memory to remain linked in the global bridge_list.

When loading the driver modules back in, the same functions would again call drm_bridge_add, and when traversing the global bridge_list, would end up peeking into freed memory.

Once again KASAN revealed the problem:

[ +0.000095] ============================================================= [ +0.000008] BUG: KASAN: use-after-free in __list_add_valid+0x9c/0x120 [ +0.000018] Read of size 8 at addr ffff00003da291f0 by task modprobe/2483

[ +0.000018] CPU: 3 PID: 2483 Comm: modprobe Tainted: G C O 5.19.0-rc6-lrmbkasan+ #1 [ +0.000011] Hardware name: Hardkernel ODROID-N2Plus (DT) [ +0.000008] Call trace: [ +0.000006] dump_backtrace+0x1ec/0x280 [ +0.000012] show_stack+0x24/0x80 [ +0.000008] dump_stack_lvl+0x98/0xd4 [ +0.000011] print_address_description.constprop.0+0x80/0x520 [ +0.000011] print_report+0x128/0x260 [ +0.000008] kasan_report+0xb8/0xfc [ +0.000008] __asan_report_load8_noabort+0x3c/0x50 [ +0.000009] __list_add_valid+0x9c/0x120 [ +0.000009] drm_bridge_add+0x6c/0x104 [drm] [ +0.000165] dw_hdmi_probe+0x1900/0x2360 [dw_hdmi] [ +0.000022] meson_dw_hdmi_bind+0x520/0x814 [meson_dw_hdmi] [ +0.000014] component_bind+0x174/0x520 [ +0.000012] component_bind_all+0x1a8/0x38c [ +0.000010] meson_drv_bind_master+0x5e8/0xb74 [meson_drm] [ +0.000032] meson_drv_bind+0x20/0x2c [meson_drm] [ +0.000027] try_to_bring_up_aggregate_device+0x19c/0x390 [ +0.000010] component_master_add_with_match+0x1c8/0x284 [ +0.000009] meson_drv_probe+0x274/0x280 [meson_drm] [ +0.000026] platform_probe+0xd0/0x220 [ +0.000009] really_probe+0x3ac/0xa80 [ +0.000009] __driver_probe_device+0x1f8/0x400 [ +0.000009] driver_probe_device+0x68/0x1b0 [ +0.000009] __driver_attach+0x20c/0x480 [ +0.000008] bus_for_each_dev+0x114/0x1b0 [ +0.000009] driver_attach+0x48/0x64 [ +0.000008] bus_add_driver+0x390/0x564 [ +0.000009] driver_register+0x1a8/0x3e4 [ +0.000009] __platform_driver_register+0x6c/0x94 [ +0.000008] meson_drm_platform_driver_init+0x3c/0x1000 [meson_drm] [ +0.000027] do_one_initcall+0xc4/0x2b0 [ +0.000011] do_init_module+0x154/0x570 [ +0.000011] load_module+0x1a78/0x1ea4 [ +0.000008] __do_sys_init_module+0x184/0x1cc [ +0.000009] __arm64_sys_init_module+0x78/0xb0 [ +0.000009] invoke_syscall+0x74/0x260 [ +0.000009] el0_svc_common.constprop.0+0xcc/0x260 [ +0.000008] do_el0_svc+0x50/0x70 [ +0.000007] el0_svc+0x68/0x1a0 [ +0.000012] el0t_64_sync_handler+0x11c/0x150 [ +0.000008] el0t_64_sync+0x18c/0x190

[ +0.000016] Allocated by task 879: [ +0.000008] kasan_save_stack+0x2c/0x5c [ +0.000011] __kasan_kmalloc+0x90/0xd0 [ +0.000007] __kmalloc+0x278/0x4a0 [ +0.000011] mpi_resize+0x13c/0x1d0 [ +0.000011] mpi_powm+0xd24/0x1570 [ +0.000009] rsa_enc+0x1a4/0x30c [ +0.000009] pkcs1pad_verify+0x3f0/0x580 [ +0.000009] public_key_verify_signature+0x7a8/0xba4 [ +0.000010] public_key_verify_signature_2+0x40/0x60 [ +0.000008] verify_signature+0xb4/0x114 [ +0.000008] pkcs7_validate_trust_one.constprop.0+0x3b8/0x574 [ +0.000009] pkcs7_validate_trust+0xb8/0x15c [ +0.000008] verify_pkcs7_message_sig+0xec/0x1b0 [ +0.000012] verify_pkcs7_signature+0x78/0xac [ +0.000007] mod_verify_sig+0x110/0x190 [ +0.000009] module_sig_check+0x114/0x1e0 [ +0.000009] load_module+0xa0/0x1ea4 [ +0.000008] __do_sys_init_module+0x184/0x1cc [ +0.000008] __arm64_sys_init_module+0x78/0xb0 [ +0.000008] invoke_syscall+0x74/0x260 [ +0.000009] el0_svc_common.constprop.0+0x1a8/0x260 [ +0.000008] do_el0_svc+0x50/0x70 [ +0.000007] el0_svc+0x68/0x1a0 [ +0.000009] el0t_64_sync_handler+0x11c/0x150 [ +0.000009] el0t_64 ---truncated---

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-50256"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-15T14:15:36Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/meson: remove drm bridges at aggregate driver unbind time\n\ndrm bridges added by meson_encoder_hdmi_init and meson_encoder_cvbs_init\nwere not manually removed at module unload time, which caused dangling\nreferences to freed memory to remain linked in the global bridge_list.\n\nWhen loading the driver modules back in, the same functions would again\ncall drm_bridge_add, and when traversing the global bridge_list, would\nend up peeking into freed memory.\n\nOnce again KASAN revealed the problem:\n\n[  +0.000095] =============================================================\n[  +0.000008] BUG: KASAN: use-after-free in __list_add_valid+0x9c/0x120\n[  +0.000018] Read of size 8 at addr ffff00003da291f0 by task modprobe/2483\n\n[  +0.000018] CPU: 3 PID: 2483 Comm: modprobe Tainted: G         C O      5.19.0-rc6-lrmbkasan+ #1\n[  +0.000011] Hardware name: Hardkernel ODROID-N2Plus (DT)\n[  +0.000008] Call trace:\n[  +0.000006]  dump_backtrace+0x1ec/0x280\n[  +0.000012]  show_stack+0x24/0x80\n[  +0.000008]  dump_stack_lvl+0x98/0xd4\n[  +0.000011]  print_address_description.constprop.0+0x80/0x520\n[  +0.000011]  print_report+0x128/0x260\n[  +0.000008]  kasan_report+0xb8/0xfc\n[  +0.000008]  __asan_report_load8_noabort+0x3c/0x50\n[  +0.000009]  __list_add_valid+0x9c/0x120\n[  +0.000009]  drm_bridge_add+0x6c/0x104 [drm]\n[  +0.000165]  dw_hdmi_probe+0x1900/0x2360 [dw_hdmi]\n[  +0.000022]  meson_dw_hdmi_bind+0x520/0x814 [meson_dw_hdmi]\n[  +0.000014]  component_bind+0x174/0x520\n[  +0.000012]  component_bind_all+0x1a8/0x38c\n[  +0.000010]  meson_drv_bind_master+0x5e8/0xb74 [meson_drm]\n[  +0.000032]  meson_drv_bind+0x20/0x2c [meson_drm]\n[  +0.000027]  try_to_bring_up_aggregate_device+0x19c/0x390\n[  +0.000010]  component_master_add_with_match+0x1c8/0x284\n[  +0.000009]  meson_drv_probe+0x274/0x280 [meson_drm]\n[  +0.000026]  platform_probe+0xd0/0x220\n[  +0.000009]  really_probe+0x3ac/0xa80\n[  +0.000009]  __driver_probe_device+0x1f8/0x400\n[  +0.000009]  driver_probe_device+0x68/0x1b0\n[  +0.000009]  __driver_attach+0x20c/0x480\n[  +0.000008]  bus_for_each_dev+0x114/0x1b0\n[  +0.000009]  driver_attach+0x48/0x64\n[  +0.000008]  bus_add_driver+0x390/0x564\n[  +0.000009]  driver_register+0x1a8/0x3e4\n[  +0.000009]  __platform_driver_register+0x6c/0x94\n[  +0.000008]  meson_drm_platform_driver_init+0x3c/0x1000 [meson_drm]\n[  +0.000027]  do_one_initcall+0xc4/0x2b0\n[  +0.000011]  do_init_module+0x154/0x570\n[  +0.000011]  load_module+0x1a78/0x1ea4\n[  +0.000008]  __do_sys_init_module+0x184/0x1cc\n[  +0.000009]  __arm64_sys_init_module+0x78/0xb0\n[  +0.000009]  invoke_syscall+0x74/0x260\n[  +0.000009]  el0_svc_common.constprop.0+0xcc/0x260\n[  +0.000008]  do_el0_svc+0x50/0x70\n[  +0.000007]  el0_svc+0x68/0x1a0\n[  +0.000012]  el0t_64_sync_handler+0x11c/0x150\n[  +0.000008]  el0t_64_sync+0x18c/0x190\n\n[  +0.000016] Allocated by task 879:\n[  +0.000008]  kasan_save_stack+0x2c/0x5c\n[  +0.000011]  __kasan_kmalloc+0x90/0xd0\n[  +0.000007]  __kmalloc+0x278/0x4a0\n[  +0.000011]  mpi_resize+0x13c/0x1d0\n[  +0.000011]  mpi_powm+0xd24/0x1570\n[  +0.000009]  rsa_enc+0x1a4/0x30c\n[  +0.000009]  pkcs1pad_verify+0x3f0/0x580\n[  +0.000009]  public_key_verify_signature+0x7a8/0xba4\n[  +0.000010]  public_key_verify_signature_2+0x40/0x60\n[  +0.000008]  verify_signature+0xb4/0x114\n[  +0.000008]  pkcs7_validate_trust_one.constprop.0+0x3b8/0x574\n[  +0.000009]  pkcs7_validate_trust+0xb8/0x15c\n[  +0.000008]  verify_pkcs7_message_sig+0xec/0x1b0\n[  +0.000012]  verify_pkcs7_signature+0x78/0xac\n[  +0.000007]  mod_verify_sig+0x110/0x190\n[  +0.000009]  module_sig_check+0x114/0x1e0\n[  +0.000009]  load_module+0xa0/0x1ea4\n[  +0.000008]  __do_sys_init_module+0x184/0x1cc\n[  +0.000008]  __arm64_sys_init_module+0x78/0xb0\n[  +0.000008]  invoke_syscall+0x74/0x260\n[  +0.000009]  el0_svc_common.constprop.0+0x1a8/0x260\n[  +0.000008]  do_el0_svc+0x50/0x70\n[  +0.000007]  el0_svc+0x68/0x1a0\n[  +0.000009]  el0t_64_sync_handler+0x11c/0x150\n[  +0.000009]  el0t_64\n---truncated---",
  "id": "GHSA-qh76-9567-4h37",
  "modified": "2025-09-15T15:31:22Z",
  "published": "2025-09-15T15:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50256"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/09847723c12fc2753749cec3939a02ee92dac468"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/de2b6ebe0cb7746b5b6b35d79e150d934392b958"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fc1fd114dde3d2623ac37676df3d74ffeedb0da8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.