CVE-2022-48872

Summary

In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: Fix use-after-free race condition for maps

It is possible that in between calling fastrpc_map_get() until map->fl->lock is taken in fastrpc_free_map(), another thread can call fastrpc_map_lookup() and get a reference to a map that is about to be deleted.

Rewrite fastrpc_map_get() to only increase the reference count of a map if it's non-zero. Propagate this to callers so they can know if a map is about to be deleted.

Fixes this warning: refcount_t: addition on 0; use-after-free. WARNING: CPU: 5 PID: 10100 at lib/refcount.c:25 refcount_warn_saturate … Call trace: refcount_warn_saturate [fastrpc_map_get inlined] [fastrpc_map_lookup inlined] fastrpc_map_create fastrpc_internal_invoke fastrpc_device_ioctl __arm64_sys_ioctl invoke_syscall

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxc68cfb718c8f97b7f7a50ed66be5feb42d0c8988 < 556dfdb226ce1e5231d8836159b23f8bb0395bf4affected
LinuxLinuxc68cfb718c8f97b7f7a50ed66be5feb42d0c8988 < b171d0d2cf1b8387c72c8d325c5d5746fa271e39affected
LinuxLinuxc68cfb718c8f97b7f7a50ed66be5feb42d0c8988 < 61a0890cb95afec5c8a2f4a879de2b6220984ef1affected
LinuxLinuxc68cfb718c8f97b7f7a50ed66be5feb42d0c8988 < 079c78c68714f7d8d58e66c477b0243b31806907affected
LinuxLinuxc68cfb718c8f97b7f7a50ed66be5feb42d0c8988 < 96b328d119eca7563c1edcc4e1039a62e6370ecbaffected
LinuxLinux5.1affected
LinuxLinux0 < 5.1unaffected
LinuxLinux5.4.230 <= 5.4.*unaffected
LinuxLinux5.10.165 <= 5.10.*unaffected
LinuxLinux5.15.90 <= 5.15.*unaffected
LinuxLinux6.1.8 <= 6.1.*unaffected
LinuxLinux6.2 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References