CVE-2022-48869

MEDIUM EPSS 14.0%
Published Aug 21, 2024 (1y ago) · Modified Jun 17, 2026 (2w ago)
4.7 CVSS 3.1
Medium

Description

In the Linux kernel, the following vulnerability has been resolved:

USB: gadgetfs: Fix race between mounting and unmounting

The syzbot fuzzer and Gerald Lee have identified a use-after-free bug in the gadgetfs driver, involving processes concurrently mounting and unmounting the gadgetfs filesystem. In particular, gadgetfs_fill_super() can race with gadgetfs_kill_sb(), causing the latter to deallocate the_device while the former is using it.

The output from KASAN says, in part:

    BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
    BUG: KASAN: use-after-free in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]
    BUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline]
    BUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline]
    BUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline]
    BUG: KASAN: use-after-free in put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]
    BUG: KASAN: use-after-free in gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086
    Write of size 4 at addr ffff8880276d7840 by task syz-executor126/18689

    CPU: 0 PID: 18689 Comm: syz-executor126 Not tainted 6.1.0-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
    Call Trace:
    <TASK>
    ...
    atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]
    __refcount_sub_and_test include/linux/refcount.h:272 [inline]
    __refcount_dec_and_test include/linux/refcount.h:315 [inline]
    refcount_dec_and_test include/linux/refcount.h:333 [inline]
    put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]
    gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086
    deactivate_locked_super+0xa7/0xf0 fs/super.c:332
    vfs_get_super fs/super.c:1190 [inline]
    get_tree_single+0xd0/0x160 fs/super.c:1207
    vfs_get_tree+0x88/0x270 fs/super.c:1531
    vfs_fsconfig_locked fs/fsopen.c:232 [inline]

The simplest solution is to ensure that gadgetfs_fill_super() and gadgetfs_kill_sb() are serialized by making them both acquire a new mutex.

CVSS Details

Base Score
4.7
Exploitability
1.0
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
14.0% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 4

Vendor   Product        Version   Range
linux    linux_kernel   *         ≥5.3   –  <5.4.230
linux    linux_kernel   *         ≥5.5   –  <5.10.165
linux    linux_kernel   *         ≥5.11  –  <5.15.90
linux    linux_kernel   *         ≥5.16  –  <6.1.8

References 5

  • git.kernel.org (Patch) https://git.kernel.org/stable/c/616fd34d017000ecf9097368b13d8a266f4920b3
  • git.kernel.org (Patch) https://git.kernel.org/stable/c/856e4b5e53f21edbd15d275dde62228dd94fb2b4
  • git.kernel.org (Patch) https://git.kernel.org/stable/c/9a39f4626b361ee7aa10fd990401c37ec3b466ae
  • git.kernel.org (Patch) https://git.kernel.org/stable/c/a2e075f40122d8daf587db126c562a67abd69cf9
  • git.kernel.org (Patch) https://git.kernel.org/stable/c/d18dcfe9860e842f394e37ba01ca9440ab2178f4

Remediation

Apply the git.kernel.org patches listed under References, or update to a fixed kernel: 5.4.230, 5.10.165, 5.15.90 or 6.1.8 (or later) for the respective stable series.