CVE-2022-48869

In the Linux kernel, the following vulnerability has been resolved: USB: gadgetfs: Fix race between mounting and unmounting The syzbot fuzzer and Gerald Lee have identified a use-after-free bug in the gadgetfs driver, involving processes concurrently mounting and unmounting the gadgetfs filesystem. In particular, gadgetfs_fill_super() can race with gadgetfs_kill_sb(), causing the latter to deallocate the_device while the former is using it. The output from KASAN says, in part: BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline] BUG: KASAN: use-after-free in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline] BUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline] BUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline] BUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline] BUG: KASAN: use-after-free in put_dev drivers/usb/gadget/legacy/inode.c:159 [inline] BUG: KASAN: use-after-free in gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086 Write of size 4 at addr ffff8880276d7840 by task syz-executor126/18689 CPU: 0 PID: 18689 Comm: syz-executor126 Not tainted 6.1.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: <TASK> ... atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline] __refcount_sub_and_test include/linux/refcount.h:272 [inline] __refcount_dec_and_test include/linux/refcount.h:315 [inline] refcount_dec_and_test include/linux/refcount.h:333 [inline] put_dev drivers/usb/gadget/legacy/inode.c:159 [inline] gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086 deactivate_locked_super+0xa7/0xf0 fs/super.c:332 vfs_get_super fs/super.c:1190 [inline] get_tree_single+0xd0/0x160 fs/super.c:1207 vfs_get_tree+0x88/0x270 fs/super.c:1531 vfs_fsconfig_locked fs/fsopen.c:232 [inline] The simplest solution is to ensure that gadgetfs_fill_super() and gadgetfs_kill_sb() are serialized by making them both acquire a new mutex.
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

06 Sep 2024, 14:19

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/616fd34d017000ecf9097368b13d8a266f4920b3 - () https://git.kernel.org/stable/c/616fd34d017000ecf9097368b13d8a266f4920b3 - Patch
References () https://git.kernel.org/stable/c/856e4b5e53f21edbd15d275dde62228dd94fb2b4 - () https://git.kernel.org/stable/c/856e4b5e53f21edbd15d275dde62228dd94fb2b4 - Patch
References () https://git.kernel.org/stable/c/9a39f4626b361ee7aa10fd990401c37ec3b466ae - () https://git.kernel.org/stable/c/9a39f4626b361ee7aa10fd990401c37ec3b466ae - Patch
References () https://git.kernel.org/stable/c/a2e075f40122d8daf587db126c562a67abd69cf9 - () https://git.kernel.org/stable/c/a2e075f40122d8daf587db126c562a67abd69cf9 - Patch
References () https://git.kernel.org/stable/c/d18dcfe9860e842f394e37ba01ca9440ab2178f4 - () https://git.kernel.org/stable/c/d18dcfe9860e842f394e37ba01ca9440ab2178f4 - Patch
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: USB: gadgetfs: corrige la ejecución entre montar y desmontar Syzbot fuzzer y Gerald Lee han identificado un error de use-after-free en el controlador gadgetfs, que involucra procesos que montan y desmontan simultáneamente los gadgetfs. sistema de archivos. En particular, gadgetfs_fill_super() puede competir con gadgetfs_kill_sb(), provocando que este último desasigne the_device mientras el primero lo está usando. El resultado de KASAN dice, en parte: ERROR: KASAN: use-after-free en instrument_atomic_read_write include/linux/instrumented.h:102 [en línea] ERROR: KASAN: use-after-free en atomic_fetch_sub_release include/linux/atomic/atomic -instrumented.h:176 [en línea] ERROR: KASAN: uso después de liberación en __refcount_sub_and_test include/linux/refcount.h:272 [en línea] ERROR: KASAN: uso después de liberación en __refcount_dec_and_test include/linux/refcount.h :315 [en línea] ERROR: KASAN: uso después de liberación en refcount_dec_and_test include/linux/refcount.h:333 [en línea] ERROR: KASAN: uso después de liberación en put_dev drivers/usb/gadget/legacy/inode.c :159 [en línea] ERROR: KASAN: use-after-free en gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086 Escritura de tamaño 4 en la dirección ffff8880276d7840 mediante la tarea syz-executor126/18689 CPU: 0 PID: 18689 Comunicación: syz-executor126 No contaminado 6.1.0-syzkaller #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 26/10/2022 Seguimiento de llamadas: ... atomic_fetch_sub_release include/linux/ atomic/atomic-instrumented.h:176 [en línea] __refcount_sub_and_test include/linux/refcount.h:272 [en línea] __refcount_dec_and_test include/linux/refcount.h:315 [en línea] refcount_dec_and_test include/linux/refcount.h:333 [en línea ] put_dev drivers/usb/gadget/legacy/inode.c:159 [en línea] gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086 deactivate_locked_super+0xa7/0xf0 fs/super.c:332 vfs_get_super fs /super.c:1190 [en línea] get_tree_single+0xd0/0x160 fs/super.c:1207 vfs_get_tree+0x88/0x270 fs/super.c:1531 vfs_fsconfig_locked fs/fsopen.c:232 [en línea] La solución más sencilla es garantizar que gadgetfs_fill_super() y gadgetfs_kill_sb() se serializan haciendo que ambos adquieran un nuevo mutex.
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 4.7
First Time Linux linux Kernel
Linux
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
CWE CWE-416

21 Aug 2024, 07:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-21 07:15

Updated : 2024-09-06 14:19


NVD link : CVE-2022-48869

Mitre link : CVE-2022-48869

CVE.ORG link : CVE-2022-48869


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-416

Use After Free