In the Linux kernel, the following vulnerability has been resolved:
can: peak_pci: peak_pci_remove(): fix UAF
When remove the module peek_pci, referencing chan again after releasing dev will cause UAF.
Fix this by releasing dev later.
The following log reveals it:
[ 35.961814 ] BUG: KASAN: use-after-free in peak_pci_remove+0x16f/0x270 [peak_pci] [ 35.963414 ] Read of size 8 at addr ffff888136998ee8 by task modprobe/5537 [ 35.965513 ] Call Trace: [ 35.965718 ] dump_stack_lvl+0xa8/0xd1 [ 35.966028 ] print_address_description+0x87/0x3b0 [ 35.966420 ] kasan_report+0x172/0x1c0 [ 35.966725 ] ? peak_pci_remove+0x16f/0x270 [peak_pci] [ 35.967137 ] ? trace_irq_enable_rcuidle+0x10/0x170 [ 35.967529 ] ? peak_pci_remove+0x16f/0x270 [peak_pci] [ 35.967945 ] __asan_report_load8_noabort+0x14/0x20 [ 35.968346 ] peak_pci_remove+0x16f/0x270 [peak_pci] [ 35.968752 ] pci_device_remove+0xa9/0x250
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Linux_kernel | Linux | 3.4 (including) | 4.4.290 (excluding) |
Linux_kernel | Linux | 4.5 (including) | 4.9.288 (excluding) |
Linux_kernel | Linux | 4.10 (including) | 4.14.253 (excluding) |
Linux_kernel | Linux | 4.15 (including) | 4.19.214 (excluding) |
Linux_kernel | Linux | 4.20 (including) | 5.4.156 (excluding) |
Linux_kernel | Linux | 5.5 (including) | 5.10.76 (excluding) |
Linux_kernel | Linux | 5.11 (including) | 5.14.15 (excluding) |
Linux_kernel | Linux | 5.15-rc1 (including) | 5.15-rc1 (including) |
Linux_kernel | Linux | 5.15-rc2 (including) | 5.15-rc2 (including) |
Linux_kernel | Linux | 5.15-rc3 (including) | 5.15-rc3 (including) |
Linux_kernel | Linux | 5.15-rc4 (including) | 5.15-rc4 (including) |
Linux_kernel | Linux | 5.15-rc5 (including) | 5.15-rc5 (including) |
Linux_kernel | Linux | 5.15-rc6 (including) | 5.15-rc6 (including) |
Red Hat Enterprise Linux 8 | RedHat | kernel-rt-0:4.18.0-553.8.1.rt7.349.el8_10 | * |
Red Hat Enterprise Linux 8 | RedHat | kernel-0:4.18.0-553.8.1.el8_10 | * |
Linux | Ubuntu | bionic | * |
Linux | Ubuntu | esm-infra-legacy/trusty | * |
Linux | Ubuntu | esm-infra/xenial | * |
Linux | Ubuntu | focal | * |
Linux | Ubuntu | trusty | * |
Linux | Ubuntu | trusty/esm | * |
Linux | Ubuntu | upstream | * |
Linux | Ubuntu | xenial | * |
Linux-allwinner-5.19 | Ubuntu | jammy | * |
Linux-allwinner-5.19 | Ubuntu | upstream | * |
Linux-aws | Ubuntu | bionic | * |
Linux-aws | Ubuntu | esm-infra-legacy/trusty | * |
Linux-aws | Ubuntu | esm-infra/xenial | * |
Linux-aws | Ubuntu | focal | * |
Linux-aws | Ubuntu | trusty | * |
Linux-aws | Ubuntu | trusty/esm | * |
Linux-aws | Ubuntu | upstream | * |
Linux-aws | Ubuntu | xenial | * |
Linux-aws-5.0 | Ubuntu | bionic | * |
Linux-aws-5.0 | Ubuntu | esm-infra/bionic | * |
Linux-aws-5.0 | Ubuntu | upstream | * |
Linux-aws-5.11 | Ubuntu | focal | * |
Linux-aws-5.11 | Ubuntu | upstream | * |
Linux-aws-5.13 | Ubuntu | focal | * |
Linux-aws-5.13 | Ubuntu | upstream | * |
Linux-aws-5.15 | Ubuntu | upstream | * |
Linux-aws-5.19 | Ubuntu | jammy | * |
Linux-aws-5.19 | Ubuntu | upstream | * |
Linux-aws-5.3 | Ubuntu | bionic | * |
Linux-aws-5.3 | Ubuntu | esm-infra/bionic | * |
Linux-aws-5.3 | Ubuntu | upstream | * |
Linux-aws-5.4 | Ubuntu | bionic | * |
Linux-aws-5.4 | Ubuntu | upstream | * |
Linux-aws-5.8 | Ubuntu | focal | * |
Linux-aws-5.8 | Ubuntu | upstream | * |
Linux-aws-6.2 | Ubuntu | jammy | * |
Linux-aws-6.2 | Ubuntu | upstream | * |
Linux-aws-6.5 | Ubuntu | upstream | * |
Linux-aws-6.8 | Ubuntu | upstream | * |
Linux-aws-fips | Ubuntu | fips-updates/bionic | * |
Linux-aws-fips | Ubuntu | fips-updates/focal | * |
Linux-aws-fips | Ubuntu | fips/bionic | * |
Linux-aws-fips | Ubuntu | fips/focal | * |
Linux-aws-fips | Ubuntu | trusty | * |
Linux-aws-fips | Ubuntu | upstream | * |
Linux-aws-fips | Ubuntu | xenial | * |
Linux-aws-hwe | Ubuntu | esm-infra/xenial | * |
Linux-aws-hwe | Ubuntu | upstream | * |
Linux-aws-hwe | Ubuntu | xenial | * |
Linux-azure | Ubuntu | bionic | * |
Linux-azure | Ubuntu | esm-infra/bionic | * |
Linux-azure | Ubuntu | esm-infra/xenial | * |
Linux-azure | Ubuntu | focal | * |
Linux-azure | Ubuntu | trusty | * |
Linux-azure | Ubuntu | trusty/esm | * |
Linux-azure | Ubuntu | upstream | * |
Linux-azure | Ubuntu | xenial | * |
Linux-azure-4.15 | Ubuntu | bionic | * |
Linux-azure-4.15 | Ubuntu | upstream | * |
Linux-azure-5.11 | Ubuntu | focal | * |
Linux-azure-5.11 | Ubuntu | upstream | * |
Linux-azure-5.13 | Ubuntu | focal | * |
Linux-azure-5.13 | Ubuntu | upstream | * |
Linux-azure-5.15 | Ubuntu | upstream | * |
Linux-azure-5.19 | Ubuntu | jammy | * |
Linux-azure-5.19 | Ubuntu | upstream | * |
Linux-azure-5.3 | Ubuntu | bionic | * |
Linux-azure-5.3 | Ubuntu | esm-infra/bionic | * |
Linux-azure-5.3 | Ubuntu | upstream | * |
Linux-azure-5.4 | Ubuntu | bionic | * |
Linux-azure-5.4 | Ubuntu | upstream | * |
Linux-azure-5.8 | Ubuntu | focal | * |
Linux-azure-5.8 | Ubuntu | upstream | * |
Linux-azure-6.11 | Ubuntu | upstream | * |
Linux-azure-6.2 | Ubuntu | jammy | * |
Linux-azure-6.2 | Ubuntu | upstream | * |
Linux-azure-6.5 | Ubuntu | upstream | * |
Linux-azure-6.8 | Ubuntu | upstream | * |
Linux-azure-edge | Ubuntu | bionic | * |
Linux-azure-edge | Ubuntu | esm-infra/bionic | * |
Linux-azure-edge | Ubuntu | upstream | * |
Linux-azure-fde | Ubuntu | focal | * |
Linux-azure-fde | Ubuntu | upstream | * |
Linux-azure-fde-5.15 | Ubuntu | upstream | * |
Linux-azure-fde-5.19 | Ubuntu | jammy | * |
Linux-azure-fde-5.19 | Ubuntu | upstream | * |
Linux-azure-fde-6.2 | Ubuntu | jammy | * |
Linux-azure-fde-6.2 | Ubuntu | upstream | * |
Linux-azure-fips | Ubuntu | fips-updates/bionic | * |
Linux-azure-fips | Ubuntu | fips-updates/focal | * |
Linux-azure-fips | Ubuntu | fips/bionic | * |
Linux-azure-fips | Ubuntu | fips/focal | * |
Linux-azure-fips | Ubuntu | trusty | * |
Linux-azure-fips | Ubuntu | upstream | * |
Linux-azure-fips | Ubuntu | xenial | * |
Linux-azure-nvidia | Ubuntu | upstream | * |
Linux-bluefield | Ubuntu | focal | * |
Linux-bluefield | Ubuntu | upstream | * |
Linux-fips | Ubuntu | fips-updates/bionic | * |
Linux-fips | Ubuntu | fips-updates/focal | * |
Linux-fips | Ubuntu | fips-updates/xenial | * |
Linux-fips | Ubuntu | fips/bionic | * |
Linux-fips | Ubuntu | fips/focal | * |
Linux-fips | Ubuntu | fips/xenial | * |
Linux-fips | Ubuntu | upstream | * |
Linux-gcp | Ubuntu | bionic | * |
Linux-gcp | Ubuntu | esm-infra/bionic | * |
Linux-gcp | Ubuntu | esm-infra/xenial | * |
Linux-gcp | Ubuntu | focal | * |
Linux-gcp | Ubuntu | upstream | * |
Linux-gcp | Ubuntu | xenial | * |
Linux-gcp-4.15 | Ubuntu | bionic | * |
Linux-gcp-4.15 | Ubuntu | upstream | * |
Linux-gcp-5.11 | Ubuntu | focal | * |
Linux-gcp-5.11 | Ubuntu | upstream | * |
Linux-gcp-5.13 | Ubuntu | focal | * |
Linux-gcp-5.13 | Ubuntu | upstream | * |
Linux-gcp-5.15 | Ubuntu | upstream | * |
Linux-gcp-5.19 | Ubuntu | jammy | * |
Linux-gcp-5.19 | Ubuntu | upstream | * |
Linux-gcp-5.3 | Ubuntu | bionic | * |
Linux-gcp-5.3 | Ubuntu | esm-infra/bionic | * |
Linux-gcp-5.3 | Ubuntu | upstream | * |
Linux-gcp-5.4 | Ubuntu | bionic | * |
Linux-gcp-5.4 | Ubuntu | upstream | * |
Linux-gcp-5.8 | Ubuntu | focal | * |
Linux-gcp-5.8 | Ubuntu | upstream | * |
Linux-gcp-6.2 | Ubuntu | jammy | * |
Linux-gcp-6.2 | Ubuntu | upstream | * |
Linux-gcp-6.5 | Ubuntu | upstream | * |
Linux-gcp-6.8 | Ubuntu | upstream | * |
Linux-gcp-fips | Ubuntu | fips-updates/bionic | * |
Linux-gcp-fips | Ubuntu | fips-updates/focal | * |
Linux-gcp-fips | Ubuntu | fips/bionic | * |
Linux-gcp-fips | Ubuntu | fips/focal | * |
Linux-gcp-fips | Ubuntu | trusty | * |
Linux-gcp-fips | Ubuntu | upstream | * |
Linux-gcp-fips | Ubuntu | xenial | * |
Linux-gke | Ubuntu | focal | * |
Linux-gke | Ubuntu | upstream | * |
Linux-gke | Ubuntu | xenial | * |
Linux-gke-4.15 | Ubuntu | bionic | * |
Linux-gke-4.15 | Ubuntu | esm-infra/bionic | * |
Linux-gke-4.15 | Ubuntu | upstream | * |
Linux-gke-5.15 | Ubuntu | focal | * |
Linux-gke-5.15 | Ubuntu | upstream | * |
Linux-gke-5.4 | Ubuntu | bionic | * |
Linux-gke-5.4 | Ubuntu | esm-infra/bionic | * |
Linux-gke-5.4 | Ubuntu | upstream | * |
Linux-gkeop | Ubuntu | focal | * |
Linux-gkeop | Ubuntu | upstream | * |
Linux-gkeop-5.15 | Ubuntu | upstream | * |
Linux-gkeop-5.4 | Ubuntu | bionic | * |
Linux-gkeop-5.4 | Ubuntu | esm-infra/bionic | * |
Linux-gkeop-5.4 | Ubuntu | upstream | * |
Linux-hwe | Ubuntu | bionic | * |
Linux-hwe | Ubuntu | esm-infra/bionic | * |
Linux-hwe | Ubuntu | esm-infra/xenial | * |
Linux-hwe | Ubuntu | upstream | * |
Linux-hwe | Ubuntu | xenial | * |
Linux-hwe-5.11 | Ubuntu | focal | * |
Linux-hwe-5.11 | Ubuntu | upstream | * |
Linux-hwe-5.13 | Ubuntu | focal | * |
Linux-hwe-5.13 | Ubuntu | upstream | * |
Linux-hwe-5.15 | Ubuntu | upstream | * |
Linux-hwe-5.19 | Ubuntu | jammy | * |
Linux-hwe-5.19 | Ubuntu | upstream | * |
Linux-hwe-5.4 | Ubuntu | bionic | * |
Linux-hwe-5.4 | Ubuntu | upstream | * |
Linux-hwe-5.8 | Ubuntu | focal | * |
Linux-hwe-5.8 | Ubuntu | upstream | * |
Linux-hwe-6.11 | Ubuntu | upstream | * |
Linux-hwe-6.2 | Ubuntu | jammy | * |
Linux-hwe-6.2 | Ubuntu | upstream | * |
Linux-hwe-6.5 | Ubuntu | upstream | * |
Linux-hwe-6.8 | Ubuntu | upstream | * |
Linux-hwe-edge | Ubuntu | bionic | * |
Linux-hwe-edge | Ubuntu | esm-infra/bionic | * |
Linux-hwe-edge | Ubuntu | esm-infra/xenial | * |
Linux-hwe-edge | Ubuntu | upstream | * |
Linux-hwe-edge | Ubuntu | xenial | * |
Linux-ibm | Ubuntu | focal | * |
Linux-ibm | Ubuntu | mantic | * |
Linux-ibm | Ubuntu | upstream | * |
Linux-ibm-5.15 | Ubuntu | upstream | * |
Linux-ibm-5.4 | Ubuntu | upstream | * |
Linux-intel | Ubuntu | upstream | * |
Linux-intel-5.13 | Ubuntu | focal | * |
Linux-intel-5.13 | Ubuntu | upstream | * |
Linux-intel-iot-realtime | Ubuntu | upstream | * |
Linux-intel-iotg | Ubuntu | upstream | * |
Linux-intel-iotg-5.15 | Ubuntu | upstream | * |
Linux-iot | Ubuntu | upstream | * |
Linux-kvm | Ubuntu | bionic | * |
Linux-kvm | Ubuntu | esm-infra/xenial | * |
Linux-kvm | Ubuntu | focal | * |
Linux-kvm | Ubuntu | upstream | * |
Linux-kvm | Ubuntu | xenial | * |
Linux-laptop | Ubuntu | upstream | * |
Linux-lowlatency | Ubuntu | upstream | * |
Linux-lowlatency-hwe-5.15 | Ubuntu | upstream | * |
Linux-lowlatency-hwe-5.19 | Ubuntu | jammy | * |
Linux-lowlatency-hwe-5.19 | Ubuntu | upstream | * |
Linux-lowlatency-hwe-6.11 | Ubuntu | upstream | * |
Linux-lowlatency-hwe-6.2 | Ubuntu | jammy | * |
Linux-lowlatency-hwe-6.2 | Ubuntu | upstream | * |
Linux-lowlatency-hwe-6.5 | Ubuntu | upstream | * |
Linux-lowlatency-hwe-6.8 | Ubuntu | upstream | * |
Linux-lts-xenial | Ubuntu | esm-infra-legacy/trusty | * |
Linux-lts-xenial | Ubuntu | trusty | * |
Linux-lts-xenial | Ubuntu | trusty/esm | * |
Linux-lts-xenial | Ubuntu | upstream | * |
Linux-nvidia | Ubuntu | upstream | * |
Linux-nvidia-6.2 | Ubuntu | jammy | * |
Linux-nvidia-6.2 | Ubuntu | upstream | * |
Linux-nvidia-6.5 | Ubuntu | upstream | * |
Linux-nvidia-6.8 | Ubuntu | upstream | * |
Linux-nvidia-lowlatency | Ubuntu | upstream | * |
Linux-nvidia-tegra | Ubuntu | upstream | * |
Linux-nvidia-tegra-igx | Ubuntu | upstream | * |
Linux-oem | Ubuntu | bionic | * |
Linux-oem | Ubuntu | esm-infra/bionic | * |
Linux-oem | Ubuntu | upstream | * |
Linux-oem | Ubuntu | xenial | * |
Linux-oem-5.10 | Ubuntu | focal | * |
Linux-oem-5.10 | Ubuntu | upstream | * |
Linux-oem-5.13 | Ubuntu | focal | * |
Linux-oem-5.13 | Ubuntu | upstream | * |
Linux-oem-5.14 | Ubuntu | focal | * |
Linux-oem-5.14 | Ubuntu | upstream | * |
Linux-oem-5.17 | Ubuntu | jammy | * |
Linux-oem-5.17 | Ubuntu | upstream | * |
Linux-oem-5.6 | Ubuntu | focal | * |
Linux-oem-5.6 | Ubuntu | upstream | * |
Linux-oem-6.0 | Ubuntu | jammy | * |
Linux-oem-6.0 | Ubuntu | upstream | * |
Linux-oem-6.1 | Ubuntu | jammy | * |
Linux-oem-6.1 | Ubuntu | upstream | * |
Linux-oem-6.11 | Ubuntu | upstream | * |
Linux-oem-6.5 | Ubuntu | upstream | * |
Linux-oem-6.8 | Ubuntu | upstream | * |
Linux-oracle | Ubuntu | bionic | * |
Linux-oracle | Ubuntu | esm-infra/xenial | * |
Linux-oracle | Ubuntu | focal | * |
Linux-oracle | Ubuntu | upstream | * |
Linux-oracle | Ubuntu | xenial | * |
Linux-oracle-5.0 | Ubuntu | bionic | * |
Linux-oracle-5.0 | Ubuntu | esm-infra/bionic | * |
Linux-oracle-5.0 | Ubuntu | upstream | * |
Linux-oracle-5.11 | Ubuntu | focal | * |
Linux-oracle-5.11 | Ubuntu | upstream | * |
Linux-oracle-5.13 | Ubuntu | focal | * |
Linux-oracle-5.13 | Ubuntu | upstream | * |
Linux-oracle-5.15 | Ubuntu | upstream | * |
Linux-oracle-5.3 | Ubuntu | bionic | * |
Linux-oracle-5.3 | Ubuntu | esm-infra/bionic | * |
Linux-oracle-5.3 | Ubuntu | upstream | * |
Linux-oracle-5.4 | Ubuntu | bionic | * |
Linux-oracle-5.4 | Ubuntu | upstream | * |
Linux-oracle-5.8 | Ubuntu | focal | * |
Linux-oracle-5.8 | Ubuntu | upstream | * |
Linux-oracle-6.5 | Ubuntu | upstream | * |
Linux-oracle-6.8 | Ubuntu | upstream | * |
Linux-raspi | Ubuntu | focal | * |
Linux-raspi | Ubuntu | upstream | * |
Linux-raspi-5.4 | Ubuntu | bionic | * |
Linux-raspi-5.4 | Ubuntu | upstream | * |
Linux-raspi-realtime | Ubuntu | upstream | * |
Linux-raspi2 | Ubuntu | bionic | * |
Linux-raspi2 | Ubuntu | focal | * |
Linux-raspi2 | Ubuntu | upstream | * |
Linux-raspi2 | Ubuntu | xenial | * |
Linux-realtime | Ubuntu | jammy | * |
Linux-realtime | Ubuntu | upstream | * |
Linux-riscv | Ubuntu | focal | * |
Linux-riscv | Ubuntu | jammy | * |
Linux-riscv | Ubuntu | upstream | * |
Linux-riscv-5.11 | Ubuntu | focal | * |
Linux-riscv-5.11 | Ubuntu | upstream | * |
Linux-riscv-5.15 | Ubuntu | upstream | * |
Linux-riscv-5.19 | Ubuntu | jammy | * |
Linux-riscv-5.19 | Ubuntu | upstream | * |
Linux-riscv-5.8 | Ubuntu | focal | * |
Linux-riscv-5.8 | Ubuntu | upstream | * |
Linux-riscv-6.5 | Ubuntu | upstream | * |
Linux-riscv-6.8 | Ubuntu | upstream | * |
Linux-starfive | Ubuntu | upstream | * |
Linux-starfive-5.19 | Ubuntu | jammy | * |
Linux-starfive-5.19 | Ubuntu | upstream | * |
Linux-starfive-6.2 | Ubuntu | jammy | * |
Linux-starfive-6.2 | Ubuntu | upstream | * |
Linux-starfive-6.5 | Ubuntu | upstream | * |
Linux-xilinx-zynqmp | Ubuntu | upstream | * |
The use of previously-freed memory can have any number of adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw. The simplest way data corruption may occur involves the system’s reuse of the freed memory. Use-after-free errors have two common and sometimes overlapping causes:
In this scenario, the memory in question is allocated to another pointer validly at some point after it has been freed. The original pointer to the freed memory is used again and points to somewhere within the new allocation. As the data is changed, it corrupts the validly used memory; this induces undefined behavior in the process. If the newly allocated data happens to hold a class, in C++ for example, various function pointers may be scattered within the heap data. If one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved.