cve-2022-48796
Vulnerability from cvelistv5
Published
2024-07-16 11:43
Modified
2024-11-04 12:16
Severity ?
Summary
iommu: Fix potential use-after-free during probe
Impacted products
LinuxLinux
LinuxLinux
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T15:25:01.525Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/cb86e511e78e796de6947b8f3acca1b7c76fb2ff"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/65ab30f6a6952fa9ee13009862736cf8d110e6e5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f74fc4b5bd533ea3d30ce47cccb8ef8d21fda85a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/b54240ad494300ff0994c4539a531727874381f4"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-48796",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T16:59:19.404709Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:34:14.954Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/iommu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cb86e511e78e",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "65ab30f6a695",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "f74fc4b5bd53",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "b54240ad4943",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/iommu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.101",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.16.*",
              "status": "unaffected",
              "version": "5.16.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.17",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu: Fix potential use-after-free during probe\n\nKasan has reported the following use after free on dev-\u003eiommu.\nwhen a device probe fails and it is in process of freeing dev-\u003eiommu\nin dev_iommu_free function, a deferred_probe_work_func runs in parallel\nand tries to access dev-\u003eiommu-\u003efwspec in of_iommu_configure path thus\ncausing use after free.\n\nBUG: KASAN: use-after-free in of_iommu_configure+0xb4/0x4a4\nRead of size 8 at addr ffffff87a2f1acb8 by task kworker/u16:2/153\n\nWorkqueue: events_unbound deferred_probe_work_func\nCall trace:\n dump_backtrace+0x0/0x33c\n show_stack+0x18/0x24\n dump_stack_lvl+0x16c/0x1e0\n print_address_description+0x84/0x39c\n __kasan_report+0x184/0x308\n kasan_report+0x50/0x78\n __asan_load8+0xc0/0xc4\n of_iommu_configure+0xb4/0x4a4\n of_dma_configure_id+0x2fc/0x4d4\n platform_dma_configure+0x40/0x5c\n really_probe+0x1b4/0xb74\n driver_probe_device+0x11c/0x228\n __device_attach_driver+0x14c/0x304\n bus_for_each_drv+0x124/0x1b0\n __device_attach+0x25c/0x334\n device_initial_probe+0x24/0x34\n bus_probe_device+0x78/0x134\n deferred_probe_work_func+0x130/0x1a8\n process_one_work+0x4c8/0x970\n worker_thread+0x5c8/0xaec\n kthread+0x1f8/0x220\n ret_from_fork+0x10/0x18\n\nAllocated by task 1:\n ____kasan_kmalloc+0xd4/0x114\n __kasan_kmalloc+0x10/0x1c\n kmem_cache_alloc_trace+0xe4/0x3d4\n __iommu_probe_device+0x90/0x394\n probe_iommu_group+0x70/0x9c\n bus_for_each_dev+0x11c/0x19c\n bus_iommu_probe+0xb8/0x7d4\n bus_set_iommu+0xcc/0x13c\n arm_smmu_bus_init+0x44/0x130 [arm_smmu]\n arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]\n platform_drv_probe+0xe4/0x13c\n really_probe+0x2c8/0xb74\n driver_probe_device+0x11c/0x228\n device_driver_attach+0xf0/0x16c\n __driver_attach+0x80/0x320\n bus_for_each_dev+0x11c/0x19c\n driver_attach+0x38/0x48\n bus_add_driver+0x1dc/0x3a4\n driver_register+0x18c/0x244\n __platform_driver_register+0x88/0x9c\n init_module+0x64/0xff4 [arm_smmu]\n do_one_initcall+0x17c/0x2f0\n do_init_module+0xe8/0x378\n load_module+0x3f80/0x4a40\n __se_sys_finit_module+0x1a0/0x1e4\n __arm64_sys_finit_module+0x44/0x58\n el0_svc_common+0x100/0x264\n do_el0_svc+0x38/0xa4\n el0_svc+0x20/0x30\n el0_sync_handler+0x68/0xac\n el0_sync+0x160/0x180\n\nFreed by task 1:\n kasan_set_track+0x4c/0x84\n kasan_set_free_info+0x28/0x4c\n ____kasan_slab_free+0x120/0x15c\n __kasan_slab_free+0x18/0x28\n slab_free_freelist_hook+0x204/0x2fc\n kfree+0xfc/0x3a4\n __iommu_probe_device+0x284/0x394\n probe_iommu_group+0x70/0x9c\n bus_for_each_dev+0x11c/0x19c\n bus_iommu_probe+0xb8/0x7d4\n bus_set_iommu+0xcc/0x13c\n arm_smmu_bus_init+0x44/0x130 [arm_smmu]\n arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]\n platform_drv_probe+0xe4/0x13c\n really_probe+0x2c8/0xb74\n driver_probe_device+0x11c/0x228\n device_driver_attach+0xf0/0x16c\n __driver_attach+0x80/0x320\n bus_for_each_dev+0x11c/0x19c\n driver_attach+0x38/0x48\n bus_add_driver+0x1dc/0x3a4\n driver_register+0x18c/0x244\n __platform_driver_register+0x88/0x9c\n init_module+0x64/0xff4 [arm_smmu]\n do_one_initcall+0x17c/0x2f0\n do_init_module+0xe8/0x378\n load_module+0x3f80/0x4a40\n __se_sys_finit_module+0x1a0/0x1e4\n __arm64_sys_finit_module+0x44/0x58\n el0_svc_common+0x100/0x264\n do_el0_svc+0x38/0xa4\n el0_svc+0x20/0x30\n el0_sync_handler+0x68/0xac\n el0_sync+0x160/0x180\n\nFix this by setting dev-\u003eiommu to NULL first and\nthen freeing dev_iommu structure in dev_iommu_free\nfunction."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-04T12:16:43.901Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cb86e511e78e796de6947b8f3acca1b7c76fb2ff"
        },
        {
          "url": "https://git.kernel.org/stable/c/65ab30f6a6952fa9ee13009862736cf8d110e6e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/f74fc4b5bd533ea3d30ce47cccb8ef8d21fda85a"
        },
        {
          "url": "https://git.kernel.org/stable/c/b54240ad494300ff0994c4539a531727874381f4"
        }
      ],
      "title": "iommu: Fix potential use-after-free during probe",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-48796",
    "datePublished": "2024-07-16T11:43:50.796Z",
    "dateReserved": "2024-07-16T11:38:08.895Z",
    "dateUpdated": "2024-11-04T12:16:43.901Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-48796\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-07-16T12:15:04.293\",\"lastModified\":\"2024-08-07T20:07:22.920\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\niommu: Fix potential use-after-free during probe\\n\\nKasan has reported the following use after free on dev-\u003eiommu.\\nwhen a device probe fails and it is in process of freeing dev-\u003eiommu\\nin dev_iommu_free function, a deferred_probe_work_func runs in parallel\\nand tries to access dev-\u003eiommu-\u003efwspec in of_iommu_configure path thus\\ncausing use after free.\\n\\nBUG: KASAN: use-after-free in of_iommu_configure+0xb4/0x4a4\\nRead of size 8 at addr ffffff87a2f1acb8 by task kworker/u16:2/153\\n\\nWorkqueue: events_unbound deferred_probe_work_func\\nCall trace:\\n dump_backtrace+0x0/0x33c\\n show_stack+0x18/0x24\\n dump_stack_lvl+0x16c/0x1e0\\n print_address_description+0x84/0x39c\\n __kasan_report+0x184/0x308\\n kasan_report+0x50/0x78\\n __asan_load8+0xc0/0xc4\\n of_iommu_configure+0xb4/0x4a4\\n of_dma_configure_id+0x2fc/0x4d4\\n platform_dma_configure+0x40/0x5c\\n really_probe+0x1b4/0xb74\\n driver_probe_device+0x11c/0x228\\n __device_attach_driver+0x14c/0x304\\n bus_for_each_drv+0x124/0x1b0\\n __device_attach+0x25c/0x334\\n device_initial_probe+0x24/0x34\\n bus_probe_device+0x78/0x134\\n deferred_probe_work_func+0x130/0x1a8\\n process_one_work+0x4c8/0x970\\n worker_thread+0x5c8/0xaec\\n kthread+0x1f8/0x220\\n ret_from_fork+0x10/0x18\\n\\nAllocated by task 1:\\n ____kasan_kmalloc+0xd4/0x114\\n __kasan_kmalloc+0x10/0x1c\\n kmem_cache_alloc_trace+0xe4/0x3d4\\n __iommu_probe_device+0x90/0x394\\n probe_iommu_group+0x70/0x9c\\n bus_for_each_dev+0x11c/0x19c\\n bus_iommu_probe+0xb8/0x7d4\\n bus_set_iommu+0xcc/0x13c\\n arm_smmu_bus_init+0x44/0x130 [arm_smmu]\\n arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]\\n platform_drv_probe+0xe4/0x13c\\n really_probe+0x2c8/0xb74\\n driver_probe_device+0x11c/0x228\\n device_driver_attach+0xf0/0x16c\\n __driver_attach+0x80/0x320\\n bus_for_each_dev+0x11c/0x19c\\n driver_attach+0x38/0x48\\n bus_add_driver+0x1dc/0x3a4\\n driver_register+0x18c/0x244\\n __platform_driver_register+0x88/0x9c\\n init_module+0x64/0xff4 [arm_smmu]\\n do_one_initcall+0x17c/0x2f0\\n do_init_module+0xe8/0x378\\n load_module+0x3f80/0x4a40\\n __se_sys_finit_module+0x1a0/0x1e4\\n __arm64_sys_finit_module+0x44/0x58\\n el0_svc_common+0x100/0x264\\n do_el0_svc+0x38/0xa4\\n el0_svc+0x20/0x30\\n el0_sync_handler+0x68/0xac\\n el0_sync+0x160/0x180\\n\\nFreed by task 1:\\n kasan_set_track+0x4c/0x84\\n kasan_set_free_info+0x28/0x4c\\n ____kasan_slab_free+0x120/0x15c\\n __kasan_slab_free+0x18/0x28\\n slab_free_freelist_hook+0x204/0x2fc\\n kfree+0xfc/0x3a4\\n __iommu_probe_device+0x284/0x394\\n probe_iommu_group+0x70/0x9c\\n bus_for_each_dev+0x11c/0x19c\\n bus_iommu_probe+0xb8/0x7d4\\n bus_set_iommu+0xcc/0x13c\\n arm_smmu_bus_init+0x44/0x130 [arm_smmu]\\n arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]\\n platform_drv_probe+0xe4/0x13c\\n really_probe+0x2c8/0xb74\\n driver_probe_device+0x11c/0x228\\n device_driver_attach+0xf0/0x16c\\n __driver_attach+0x80/0x320\\n bus_for_each_dev+0x11c/0x19c\\n driver_attach+0x38/0x48\\n bus_add_driver+0x1dc/0x3a4\\n driver_register+0x18c/0x244\\n __platform_driver_register+0x88/0x9c\\n init_module+0x64/0xff4 [arm_smmu]\\n do_one_initcall+0x17c/0x2f0\\n do_init_module+0xe8/0x378\\n load_module+0x3f80/0x4a40\\n __se_sys_finit_module+0x1a0/0x1e4\\n __arm64_sys_finit_module+0x44/0x58\\n el0_svc_common+0x100/0x264\\n do_el0_svc+0x38/0xa4\\n el0_svc+0x20/0x30\\n el0_sync_handler+0x68/0xac\\n el0_sync+0x160/0x180\\n\\nFix this by setting dev-\u003eiommu to NULL first and\\nthen freeing dev_iommu structure in dev_iommu_free\\nfunction.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: iommu: corrige el posible use-after-free durante la prueba Kasan ha informado el siguiente use-after-free en dev-\u0026gt;iommu. cuando falla la sonda de un dispositivo y est\u00e1 en proceso de liberar dev-\u0026gt;iommu en la funci\u00f3n dev_iommu_free, una deferred_probe_work_func se ejecuta en paralelo e intenta acceder a dev-\u0026gt;iommu-\u0026gt;fwspec en la ruta of_iommu_configure, lo que provoca el use-after-free. ERROR: KASAN: use-after-free en of_iommu_configure+0xb4/0x4a4 Lectura de tama\u00f1o 8 en la direcci\u00f3n ffffff87a2f1acb8 por tarea kworker/u16:2/153 Cola de trabajo: events_unbound deferred_probe_work_func Seguimiento de llamadas: dump_backtrace+0x0/0x33c show_stack+0x18/0x24 dump_stack_ nivel+ 0x16c/0x1e0 print_address_description+0x84/0x39c __kasan_report+0x184/0x308 kasan_report+0x50/0x78 __asan_load8+0xc0/0xc4 of_iommu_configure+0xb4/0x4a4 of_dma_configure_id+0x2fc/0x4d4 platform_ dma_configure+0x40/0x5c very_probe+0x1b4/0xb74 driver_probe_device+0x11c/0x228 __device_attach_driver+ 6 970 work_thread+0x5c8/0xaec kthread+0x1f8/0x220 ret_from_fork+0x10/0x18 Asignado por tarea 1: ____kasan_kmalloc+0xd4/0x114 __kasan_kmalloc+0x10/0x1c kmem_cache_alloc_trace+0xe4/0x3d4 __iommu_probe_device+0x90/0x394 probe_iommu_group+0x70/0x9c bus_for_each_dev+0x11c/0x19c bus_ iommu_probe+0xb8/0x7d4 bus_set_iommu+0xcc/0x13c arm_smmu_bus_init+0x44/0x130 [arm_smmu ] arm_smmu_device_probe+0xb88/0xc54 [arm_smmu] platform_drv_probe+0xe4/0x13c very_probe+0x2c8/0xb74 driver_probe_device+0x11c/0x228 dispositivo_driver_attach+0xf0/0x16c __driver_attach+0x80/0x320 _for_each_dev+0x11c/0x19c driver_attach+0x38/0x48 bus_add_driver+0x1dc/0x3a4 driver_register +0x18c/0x244 __platform_driver_register+0x88/0x9c init_module+0x64/0xff4 [arm_smmu] do_one_initcall+0x17c/0x2f0 do_init_module+0xe8/0x378 load_module+0x3f80/0x4a40 __se_sys_finit_module+ 0x1a0/0x1e4 __arm64_sys_finit_module+0x44/0x58 el0_svc_common+0x100/0x264 do_el0_svc+0x38 /0xa4 el0_svc+0x20/0x30 el0_sync_handler+0x68/0xac el0_sync+0x160/0x180 Liberado por la tarea 1: kasan_set_track+0x4c/0x84 kasan_set_free_info+0x28/0x4c ____kasan_slab_free+0x120/0x15c 0x18/0x28 slab_free_freelist_hook+0x204/0x2fc kfree+0xfc /0x3a4 __iommu_probe_device+0x284/0x394 probe_iommu_group+0x70/0x9c bus_for_each_dev+0x11c/0x19c bus_iommu_probe+0xb8/0x7d4 bus_set_iommu+0xcc/0x13c arm_smmu_bus_init+0x44/0x130 [arm_smmu] arm_smmu_device_probe+0xb88/0xc54 [arm_smmu] platform_drv_probe+0xe4/0x13c realmente_probe+ 0x2c8/0xb74 driver_probe_device+0x11c/0x228 dispositivo_driver_attach+0xf0/0x16c __driver_attach+0x80/0x320 bus_for_each_dev+0x11c/0x19c driver_attach+0x38/0x48 bus_add_driver+0x1dc/0x3a4 ister+0x18c/0x244 __platform_driver_register+0x88/0x9c init_module+0x64/0xff4 [arm_smmu ] do_one_initcall+0x17c/0x2f0 do_init_module+0xe8/0x378 load_module+0x3f80/0x4a40 __se_sys_finit_module+0x1a0/0x1e4 __arm64_sys_finit_module+0x44/0x58 el0_svc_common+0x100/ 0x264 do_el0_svc+0x38/0xa4 el0_svc+0x20/0x30 el0_sync_handler+0x68/0xac el0_sync+0x160/ 0x180 Solucione este problema configurando dev-\u0026gt;iommu en NULL primero y luego liberando la estructura dev_iommu en la funci\u00f3n dev_iommu_free.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.10.101\",\"matchCriteriaId\":\"F37E3FA0-7A8B-4AAF-9748-96E34396B25B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.24\",\"matchCriteriaId\":\"866451F0-299E-416C-B0B8-AE6B33E62CCA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"5.16.10\",\"matchCriteriaId\":\"679523BA-1392-404B-AB85-F5A5408B1ECC\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/65ab30f6a6952fa9ee13009862736cf8d110e6e5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b54240ad494300ff0994c4539a531727874381f4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/cb86e511e78e796de6947b8f3acca1b7c76fb2ff\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f74fc4b5bd533ea3d30ce47cccb8ef8d21fda85a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...
  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.