CVE-2022-48872 misc: fastrpc: Fix use-after-free race condition for maps

2024-08-2106:10:02

Linux

www.cve.org

linux kernel

fix

use-after-free

race condition

fastrpc maps

EPSS

Percentile

5.1%

JSON

In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: Fix use-after-free race condition for maps

It is possible that in between calling fastrpc_map_get() until
map->fl->lock is taken in fastrpc_free_map(), another thread can call
fastrpc_map_lookup() and get a reference to a map that is about to be
deleted.

Rewrite fastrpc_map_get() to only increase the reference count of a map
if it’s non-zero. Propagate this to callers so they can know if a map is
about to be deleted.

Fixes this warning:
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 5 PID: 10100 at lib/refcount.c:25 refcount_warn_saturate
…
Call trace:
refcount_warn_saturate
[fastrpc_map_get inlined]
[fastrpc_map_lookup inlined]
fastrpc_map_create
fastrpc_internal_invoke
fastrpc_device_ioctl
__arm64_sys_ioctl
invoke_syscall

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/misc/fastrpc.c"
    ],
    "versions": [
      {
        "version": "c68cfb718c8f",
        "lessThan": "556dfdb226ce",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "c68cfb718c8f",
        "lessThan": "b171d0d2cf1b",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "c68cfb718c8f",
        "lessThan": "61a0890cb95a",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "c68cfb718c8f",
        "lessThan": "079c78c68714",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "c68cfb718c8f",
        "lessThan": "96b328d119ec",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/misc/fastrpc.c"
    ],
    "versions": [
      {
        "version": "5.1",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "5.1",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.4.230",
        "lessThanOrEqual": "5.4.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.165",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.90",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.8",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.2",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]