CVE-2022-50745

Summary

In the Linux kernel, the following vulnerability has been resolved:

staging: media: tegra-video: fix device_node use after free

At probe time this code path is followed:

  • tegra_csi_init
    • tegra_csi_channels_alloc
      • for_each_child_of_node(node, channel) – iterates over channels
        • automatically gets 'channel'
          • tegra_csi_channel_alloc()
            • saves into chan->of_node a pointer to the channel OF node
        • automatically gets and puts 'channel'
        • now the node saved in chan->of_node has refcount 0, can disappear
    • tegra_csi_channels_init
      • iterates over channels
        • tegra_csi_channel_init – uses chan->of_node

After that, chan->of_node keeps storing the node until the device is removed.

of_node_get() the node and of_node_put() it during teardown to avoid any risk.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux1ebaeb09830f36c1111b72a95420814225bd761c < 5451efb2ca30f3c42b9efb8327ce35b62870dbd3affected
LinuxLinux1ebaeb09830f36c1111b72a95420814225bd761c < ce50c612458091d926ccb05d7db11d9f93532db2affected
LinuxLinux1ebaeb09830f36c1111b72a95420814225bd761c < 6512c9498fcb97e7c760e3ef86b2272f2c0f765faffected
LinuxLinux1ebaeb09830f36c1111b72a95420814225bd761c < 0fd003d3c708c80350a815eaf37b8e1114b976cfaffected
LinuxLinux1ebaeb09830f36c1111b72a95420814225bd761c < c4d344163c3a7f90712525f931a6c016bbb35e18affected
LinuxLinux5.10affected
LinuxLinux0 < 5.10unaffected
LinuxLinux5.10.163 <= 5.10.*unaffected
LinuxLinux5.15.87 <= 5.15.*unaffected
LinuxLinux6.0.18 <= 6.0.*unaffected
LinuxLinux6.1.4 <= 6.1.*unaffected
LinuxLinux6.2 <= *unaffected

Weaknesses

References