CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
5.1%
In the Linux kernel, the following vulnerability has been resolved:
misc: fastrpc: Fix use-after-free race condition for maps
It is possible that in between calling fastrpc_map_get() until
map->fl->lock is taken in fastrpc_free_map(), another thread can call
fastrpc_map_lookup() and get a reference to a map that is about to be
deleted.
Rewrite fastrpc_map_get() to only increase the reference count of a map
if it’s non-zero. Propagate this to callers so they can know if a map is
about to be deleted.
Fixes this warning:
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 5 PID: 10100 at lib/refcount.c:25 refcount_warn_saturate
…
Call trace:
refcount_warn_saturate
[fastrpc_map_get inlined]
[fastrpc_map_lookup inlined]
fastrpc_map_create
fastrpc_internal_invoke
fastrpc_device_ioctl
__arm64_sys_ioctl
invoke_syscall
Vendor | Product | Version | CPE |
---|---|---|---|
linux | linux_kernel | * | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
linux | linux_kernel | 6.2 | cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:* |
linux | linux_kernel | 6.2 | cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:* |
linux | linux_kernel | 6.2 | cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:* |
linux | linux_kernel | 6.2 | cpe:2.3:o:linux:linux_kernel:6.2:rc4:*:*:*:*:*:* |
[
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"drivers/misc/fastrpc.c"
],
"versions": [
{
"version": "c68cfb718c8f",
"lessThan": "556dfdb226ce",
"status": "affected",
"versionType": "git"
},
{
"version": "c68cfb718c8f",
"lessThan": "b171d0d2cf1b",
"status": "affected",
"versionType": "git"
},
{
"version": "c68cfb718c8f",
"lessThan": "61a0890cb95a",
"status": "affected",
"versionType": "git"
},
{
"version": "c68cfb718c8f",
"lessThan": "079c78c68714",
"status": "affected",
"versionType": "git"
},
{
"version": "c68cfb718c8f",
"lessThan": "96b328d119ec",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"drivers/misc/fastrpc.c"
],
"versions": [
{
"version": "5.1",
"status": "affected"
},
{
"version": "0",
"lessThan": "5.1",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.4.230",
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.10.165",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.15.90",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.1.8",
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.2",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
]
git.kernel.org/stable/c/079c78c68714f7d8d58e66c477b0243b31806907
git.kernel.org/stable/c/556dfdb226ce1e5231d8836159b23f8bb0395bf4
git.kernel.org/stable/c/61a0890cb95afec5c8a2f4a879de2b6220984ef1
git.kernel.org/stable/c/96b328d119eca7563c1edcc4e1039a62e6370ecb
git.kernel.org/stable/c/b171d0d2cf1b8387c72c8d325c5d5746fa271e39