CVE-2022-48869
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
USB: gadgetfs: Fix race between mounting and unmounting
The syzbot fuzzer and Gerald Lee have identified a use-after-free bug in the gadgetfs driver, involving processes concurrently mounting and unmounting the gadgetfs filesystem. In particular, gadgetfs_fill_super() can race with gadgetfs_kill_sb(), causing the latter to deallocate the_device while the former is using it. The output from KASAN says, in part:
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline] BUG: KASAN: use-after-free in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline] BUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline] BUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline] BUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline] BUG: KASAN: use-after-free in put_dev drivers/usb/gadget/legacy/inode.c:159 [inline] BUG: KASAN: use-after-free in gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086 Write of size 4 at addr ffff8880276d7840 by task syz-executor126/18689
CPU: 0 PID: 18689 Comm: syz-executor126 Not tainted 6.1.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: <TASK> … atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline] __refcount_sub_and_test include/linux/refcount.h:272 [inline] __refcount_dec_and_test include/linux/refcount.h:315 [inline] refcount_dec_and_test include/linux/refcount.h:333 [inline] put_dev drivers/usb/gadget/legacy/inode.c:159 [inline] gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086 deactivate_locked_super+0xa7/0xf0 fs/super.c:332 vfs_get_super fs/super.c:1190 [inline] get_tree_single+0xd0/0x160 fs/super.c:1207 vfs_get_tree+0x88/0x270 fs/super.c:1531 vfs_fsconfig_locked fs/fsopen.c:232 [inline]
The simplest solution is to ensure that gadgetfs_fill_super() and gadgetfs_kill_sb() are serialized by making them both acquire a new mutex.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | e5d82a7360d124ae1a38c2a5eac92ba49b125191 < 9a39f4626b361ee7aa10fd990401c37ec3b466ae | affected |
| Linux | Linux | e5d82a7360d124ae1a38c2a5eac92ba49b125191 < 856e4b5e53f21edbd15d275dde62228dd94fb2b4 | affected |
| Linux | Linux | e5d82a7360d124ae1a38c2a5eac92ba49b125191 < a2e075f40122d8daf587db126c562a67abd69cf9 | affected |
| Linux | Linux | e5d82a7360d124ae1a38c2a5eac92ba49b125191 < 616fd34d017000ecf9097368b13d8a266f4920b3 | affected |
| Linux | Linux | e5d82a7360d124ae1a38c2a5eac92ba49b125191 < d18dcfe9860e842f394e37ba01ca9440ab2178f4 | affected |
| Linux | Linux | 5.3 | affected |
| Linux | Linux | 0 < 5.3 | unaffected |
| Linux | Linux | 5.4.230 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.165 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.90 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.8 <= 6.1.* | unaffected |
| Linux | Linux | 6.2 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://git.kernel.org/stable/c/9a39f4626b361ee7aa10fd990401c37ec3b466ae
- https://git.kernel.org/stable/c/856e4b5e53f21edbd15d275dde62228dd94fb2b4
- https://git.kernel.org/stable/c/a2e075f40122d8daf587db126c562a67abd69cf9
- https://git.kernel.org/stable/c/616fd34d017000ecf9097368b13d8a266f4920b3
- https://git.kernel.org/stable/c/d18dcfe9860e842f394e37ba01ca9440ab2178f4
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.