CVE Vulnerabilities

CVE-2022-48954

Use After Free

Published: Oct 21, 2024 | Modified: Oct 24, 2024
CVSS 3.x
7.8
HIGH
Source:
NVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
7.8 MODERATE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Ubuntu
MEDIUM

In the Linux kernel, the following vulnerability has been resolved:

s390/qeth: fix use-after-free in hsci

KASAN found that addr was dereferenced after br2dev_event_work was freed.

================================================================== BUG: KASAN: use-after-free in qeth_l2_br2dev_worker+0x5ba/0x6b0 Read of size 1 at addr 00000000fdcea440 by task kworker/u760:4/540 CPU: 17 PID: 540 Comm: kworker/u760:4 Tainted: G E 6.1.0-20221128.rc7.git1.5aa3bed4ce83.300.fc36.s390x+kasan #1 Hardware name: IBM 8561 T01 703 (LPAR) Workqueue: 0.0.8000_event qeth_l2_br2dev_worker Call Trace: [<000000016944d4ce>] dump_stack_lvl+0xc6/0xf8 [<000000016942cd9c>] print_address_description.constprop.0+0x34/0x2a0 [<000000016942d118>] print_report+0x110/0x1f8 [<0000000167a7bd04>] kasan_report+0xfc/0x128 [<000000016938d79a>] qeth_l2_br2dev_worker+0x5ba/0x6b0 [<00000001673edd1e>] process_one_work+0x76e/0x1128 [<00000001673ee85c>] worker_thread+0x184/0x1098 [<000000016740718a>] kthread+0x26a/0x310 [<00000001672c606a>] __ret_from_fork+0x8a/0xe8 [<00000001694711da>] ret_from_fork+0xa/0x40 Allocated by task 108338: kasan_save_stack+0x40/0x68 kasan_set_track+0x36/0x48 __kasan_kmalloc+0xa0/0xc0 qeth_l2_switchdev_event+0x25a/0x738 atomic_notifier_call_chain+0x9c/0xf8 br_switchdev_fdb_notify+0xf4/0x110 fdb_notify+0x122/0x180 fdb_add_entry.constprop.0.isra.0+0x312/0x558 br_fdb_add+0x59e/0x858 rtnl_fdb_add+0x58a/0x928 rtnetlink_rcv_msg+0x5f8/0x8d8 netlink_rcv_skb+0x1f2/0x408 netlink_unicast+0x570/0x790 netlink_sendmsg+0x752/0xbe0 sock_sendmsg+0xca/0x110 ____sys_sendmsg+0x510/0x6a8 ___sys_sendmsg+0x12a/0x180 __sys_sendmsg+0xe6/0x168 __do_sys_socketcall+0x3c8/0x468 do_syscall+0x22c/0x328 __do_syscall+0x94/0xf0 system_call+0x82/0xb0 Freed by task 540: kasan_save_stack+0x40/0x68 kasan_set_track+0x36/0x48 kasan_save_free_info+0x4c/0x68 ____kasan_slab_free+0x14e/0x1a8 __kasan_slab_free+0x24/0x30 __kmem_cache_free+0x168/0x338 qeth_l2_br2dev_worker+0x154/0x6b0 process_one_work+0x76e/0x1128 worker_thread+0x184/0x1098 kthread+0x26a/0x310 __ret_from_fork+0x8a/0xe8 ret_from_fork+0xa/0x40 Last potentially related work creation: kasan_save_stack+0x40/0x68 __kasan_record_aux_stack+0xbe/0xd0 insert_work+0x56/0x2e8 __queue_work+0x4ce/0xd10 queue_work_on+0xf4/0x100 qeth_l2_switchdev_event+0x520/0x738 atomic_notifier_call_chain+0x9c/0xf8 br_switchdev_fdb_notify+0xf4/0x110 fdb_notify+0x122/0x180 fdb_add_entry.constprop.0.isra.0+0x312/0x558 br_fdb_add+0x59e/0x858 rtnl_fdb_add+0x58a/0x928 rtnetlink_rcv_msg+0x5f8/0x8d8 netlink_rcv_skb+0x1f2/0x408 netlink_unicast+0x570/0x790 netlink_sendmsg+0x752/0xbe0 sock_sendmsg+0xca/0x110 ____sys_sendmsg+0x510/0x6a8 ___sys_sendmsg+0x12a/0x180 __sys_sendmsg+0xe6/0x168 __do_sys_socketcall+0x3c8/0x468 do_syscall+0x22c/0x328 __do_syscall+0x94/0xf0 system_call+0x82/0xb0 Second to last potentially related work creation: kasan_save_stack+0x40/0x68 __kasan_record_aux_stack+0xbe/0xd0 kvfree_call_rcu+0xb2/0x760 kernfs_unlink_open_file+0x348/0x430 kernfs_fop_release+0xc2/0x320 __fput+0x1ae/0x768 task_work_run+0x1bc/0x298 exit_to_user_mode_prepare+0x1a0/0x1a8 __do_syscall+0x94/0xf0 system_call+0x82/0xb0 The buggy address belongs to the object at 00000000fdcea400 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 64 bytes inside of 96-byte region [00000000fdcea400, 00000000fdcea460) The buggy address belongs to the physical page: page:000000005a9c26e8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xfdcea flags: 0x3ffff00000000200(slab|node=0|zone=1|lastcpupid=0x1ffff) raw: 3ffff00000000200 0000000000000000 0000000100000122 000000008008cc00 raw: 0000000000000000 0020004100000000 ffffffff00000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: 00000000fdcea300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc 00000000fdcea380: fb fb fb fb fb fb f —truncated—

Weakness

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Affected Software

Name Vendor Start Version End Version
Linux_kernel Linux 5.15 (including) 5.15.83 (excluding)
Linux_kernel Linux 5.16 (including) 6.0.13 (excluding)
Linux_kernel Linux 6.1-rc1 (including) 6.1-rc1 (including)
Linux_kernel Linux 6.1-rc2 (including) 6.1-rc2 (including)
Linux_kernel Linux 6.1-rc3 (including) 6.1-rc3 (including)
Linux_kernel Linux 6.1-rc4 (including) 6.1-rc4 (including)
Linux_kernel Linux 6.1-rc5 (including) 6.1-rc5 (including)
Linux_kernel Linux 6.1-rc6 (including) 6.1-rc6 (including)
Linux_kernel Linux 6.1-rc7 (including) 6.1-rc7 (including)
Linux_kernel Linux 6.1-rc8 (including) 6.1-rc8 (including)
Linux Ubuntu jammy *
Linux Ubuntu upstream *
Linux-allwinner-5.19 Ubuntu jammy *
Linux-allwinner-5.19 Ubuntu upstream *
Linux-aws Ubuntu jammy *
Linux-aws Ubuntu upstream *
Linux-aws-5.0 Ubuntu bionic *
Linux-aws-5.0 Ubuntu esm-infra/bionic *
Linux-aws-5.0 Ubuntu upstream *
Linux-aws-5.11 Ubuntu focal *
Linux-aws-5.11 Ubuntu upstream *
Linux-aws-5.13 Ubuntu focal *
Linux-aws-5.13 Ubuntu upstream *
Linux-aws-5.15 Ubuntu focal *
Linux-aws-5.15 Ubuntu upstream *
Linux-aws-5.19 Ubuntu jammy *
Linux-aws-5.19 Ubuntu upstream *
Linux-aws-5.3 Ubuntu bionic *
Linux-aws-5.3 Ubuntu esm-infra/bionic *
Linux-aws-5.3 Ubuntu upstream *
Linux-aws-5.4 Ubuntu upstream *
Linux-aws-5.8 Ubuntu focal *
Linux-aws-5.8 Ubuntu upstream *
Linux-aws-6.2 Ubuntu jammy *
Linux-aws-6.2 Ubuntu upstream *
Linux-aws-6.5 Ubuntu jammy *
Linux-aws-6.5 Ubuntu upstream *
Linux-aws-6.8 Ubuntu upstream *
Linux-aws-fips Ubuntu trusty *
Linux-aws-fips Ubuntu upstream *
Linux-aws-fips Ubuntu xenial *
Linux-aws-hwe Ubuntu upstream *
Linux-azure Ubuntu bionic *
Linux-azure Ubuntu esm-infra/bionic *
Linux-azure Ubuntu jammy *
Linux-azure Ubuntu upstream *
Linux-azure-4.15 Ubuntu upstream *
Linux-azure-5.11 Ubuntu focal *
Linux-azure-5.11 Ubuntu upstream *
Linux-azure-5.13 Ubuntu focal *
Linux-azure-5.13 Ubuntu upstream *
Linux-azure-5.15 Ubuntu focal *
Linux-azure-5.15 Ubuntu upstream *
Linux-azure-5.19 Ubuntu jammy *
Linux-azure-5.19 Ubuntu upstream *
Linux-azure-5.3 Ubuntu bionic *
Linux-azure-5.3 Ubuntu esm-infra/bionic *
Linux-azure-5.3 Ubuntu upstream *
Linux-azure-5.4 Ubuntu upstream *
Linux-azure-5.8 Ubuntu focal *
Linux-azure-5.8 Ubuntu upstream *
Linux-azure-6.2 Ubuntu jammy *
Linux-azure-6.2 Ubuntu upstream *
Linux-azure-6.5 Ubuntu jammy *
Linux-azure-6.5 Ubuntu upstream *
Linux-azure-6.8 Ubuntu upstream *
Linux-azure-edge Ubuntu bionic *
Linux-azure-edge Ubuntu esm-infra/bionic *
Linux-azure-edge Ubuntu upstream *
Linux-azure-fde Ubuntu focal *
Linux-azure-fde Ubuntu jammy *
Linux-azure-fde Ubuntu upstream *
Linux-azure-fde-5.15 Ubuntu focal *
Linux-azure-fde-5.15 Ubuntu upstream *
Linux-azure-fde-5.19 Ubuntu jammy *
Linux-azure-fde-5.19 Ubuntu upstream *
Linux-azure-fde-6.2 Ubuntu jammy *
Linux-azure-fde-6.2 Ubuntu upstream *
Linux-azure-fips Ubuntu trusty *
Linux-azure-fips Ubuntu upstream *
Linux-azure-fips Ubuntu xenial *
Linux-bluefield Ubuntu bluefield/jammy *
Linux-bluefield Ubuntu upstream *
Linux-fips Ubuntu upstream *
Linux-gcp Ubuntu bionic *
Linux-gcp Ubuntu esm-infra/bionic *
Linux-gcp Ubuntu jammy *
Linux-gcp Ubuntu upstream *
Linux-gcp-4.15 Ubuntu upstream *
Linux-gcp-5.11 Ubuntu focal *
Linux-gcp-5.11 Ubuntu upstream *
Linux-gcp-5.13 Ubuntu focal *
Linux-gcp-5.13 Ubuntu upstream *
Linux-gcp-5.15 Ubuntu focal *
Linux-gcp-5.15 Ubuntu upstream *
Linux-gcp-5.19 Ubuntu jammy *
Linux-gcp-5.19 Ubuntu upstream *
Linux-gcp-5.3 Ubuntu bionic *
Linux-gcp-5.3 Ubuntu esm-infra/bionic *
Linux-gcp-5.3 Ubuntu upstream *
Linux-gcp-5.4 Ubuntu upstream *
Linux-gcp-5.8 Ubuntu focal *
Linux-gcp-5.8 Ubuntu upstream *
Linux-gcp-6.2 Ubuntu jammy *
Linux-gcp-6.2 Ubuntu upstream *
Linux-gcp-6.5 Ubuntu jammy *
Linux-gcp-6.5 Ubuntu upstream *
Linux-gcp-6.8 Ubuntu upstream *
Linux-gcp-fips Ubuntu trusty *
Linux-gcp-fips Ubuntu upstream *
Linux-gcp-fips Ubuntu xenial *
Linux-gke Ubuntu focal *
Linux-gke Ubuntu jammy *
Linux-gke Ubuntu upstream *
Linux-gke Ubuntu xenial *
Linux-gke-4.15 Ubuntu bionic *
Linux-gke-4.15 Ubuntu esm-infra/bionic *
Linux-gke-4.15 Ubuntu upstream *
Linux-gke-5.15 Ubuntu focal *
Linux-gke-5.15 Ubuntu upstream *
Linux-gke-5.4 Ubuntu bionic *
Linux-gke-5.4 Ubuntu esm-infra/bionic *
Linux-gke-5.4 Ubuntu upstream *
Linux-gkeop Ubuntu jammy *
Linux-gkeop Ubuntu upstream *
Linux-gkeop-5.15 Ubuntu focal *
Linux-gkeop-5.15 Ubuntu upstream *
Linux-gkeop-5.4 Ubuntu bionic *
Linux-gkeop-5.4 Ubuntu esm-infra/bionic *
Linux-gkeop-5.4 Ubuntu upstream *
Linux-hwe Ubuntu bionic *
Linux-hwe Ubuntu esm-infra/bionic *
Linux-hwe Ubuntu upstream *
Linux-hwe-5.11 Ubuntu focal *
Linux-hwe-5.11 Ubuntu upstream *
Linux-hwe-5.13 Ubuntu focal *
Linux-hwe-5.13 Ubuntu upstream *
Linux-hwe-5.15 Ubuntu focal *
Linux-hwe-5.15 Ubuntu upstream *
Linux-hwe-5.19 Ubuntu jammy *
Linux-hwe-5.19 Ubuntu upstream *
Linux-hwe-5.4 Ubuntu upstream *
Linux-hwe-5.8 Ubuntu focal *
Linux-hwe-5.8 Ubuntu upstream *
Linux-hwe-6.2 Ubuntu jammy *
Linux-hwe-6.2 Ubuntu upstream *
Linux-hwe-6.5 Ubuntu jammy *
Linux-hwe-6.5 Ubuntu upstream *
Linux-hwe-6.8 Ubuntu upstream *
Linux-hwe-edge Ubuntu esm-infra/bionic *
Linux-hwe-edge Ubuntu esm-infra/xenial *
Linux-hwe-edge Ubuntu upstream *
Linux-hwe-edge Ubuntu xenial *
Linux-ibm Ubuntu jammy *
Linux-ibm Ubuntu upstream *
Linux-ibm-5.15 Ubuntu upstream *
Linux-ibm-5.4 Ubuntu upstream *
Linux-intel Ubuntu upstream *
Linux-intel-5.13 Ubuntu focal *
Linux-intel-5.13 Ubuntu upstream *
Linux-intel-iot-realtime Ubuntu realtime/jammy *
Linux-intel-iot-realtime Ubuntu upstream *
Linux-intel-iotg Ubuntu jammy *
Linux-intel-iotg Ubuntu upstream *
Linux-intel-iotg-5.15 Ubuntu focal *
Linux-intel-iotg-5.15 Ubuntu upstream *
Linux-iot Ubuntu upstream *
Linux-kvm Ubuntu jammy *
Linux-kvm Ubuntu upstream *
Linux-lowlatency Ubuntu jammy *
Linux-lowlatency Ubuntu upstream *
Linux-lowlatency-hwe-5.15 Ubuntu focal *
Linux-lowlatency-hwe-5.15 Ubuntu upstream *
Linux-lowlatency-hwe-5.19 Ubuntu jammy *
Linux-lowlatency-hwe-5.19 Ubuntu upstream *
Linux-lowlatency-hwe-6.2 Ubuntu jammy *
Linux-lowlatency-hwe-6.2 Ubuntu upstream *
Linux-lowlatency-hwe-6.5 Ubuntu jammy *
Linux-lowlatency-hwe-6.5 Ubuntu upstream *
Linux-lowlatency-hwe-6.8 Ubuntu upstream *
Linux-lts-xenial Ubuntu upstream *
Linux-nvidia Ubuntu jammy *
Linux-nvidia Ubuntu upstream *
Linux-nvidia-6.2 Ubuntu jammy *
Linux-nvidia-6.2 Ubuntu upstream *
Linux-nvidia-6.5 Ubuntu jammy *
Linux-nvidia-6.5 Ubuntu upstream *
Linux-nvidia-6.8 Ubuntu upstream *
Linux-nvidia-lowlatency Ubuntu upstream *
Linux-oem Ubuntu bionic *
Linux-oem Ubuntu esm-infra/bionic *
Linux-oem Ubuntu upstream *
Linux-oem Ubuntu xenial *
Linux-oem-5.10 Ubuntu focal *
Linux-oem-5.10 Ubuntu upstream *
Linux-oem-5.13 Ubuntu focal *
Linux-oem-5.13 Ubuntu upstream *
Linux-oem-5.14 Ubuntu focal *
Linux-oem-5.14 Ubuntu upstream *
Linux-oem-5.17 Ubuntu jammy *
Linux-oem-5.17 Ubuntu upstream *
Linux-oem-5.6 Ubuntu focal *
Linux-oem-5.6 Ubuntu upstream *
Linux-oem-6.0 Ubuntu jammy *
Linux-oem-6.0 Ubuntu upstream *
Linux-oem-6.1 Ubuntu jammy *
Linux-oem-6.1 Ubuntu upstream *
Linux-oem-6.11 Ubuntu upstream *
Linux-oem-6.5 Ubuntu jammy *
Linux-oem-6.5 Ubuntu upstream *
Linux-oem-6.8 Ubuntu upstream *
Linux-oracle Ubuntu jammy *
Linux-oracle Ubuntu upstream *
Linux-oracle-5.0 Ubuntu bionic *
Linux-oracle-5.0 Ubuntu esm-infra/bionic *
Linux-oracle-5.0 Ubuntu upstream *
Linux-oracle-5.11 Ubuntu focal *
Linux-oracle-5.11 Ubuntu upstream *
Linux-oracle-5.13 Ubuntu focal *
Linux-oracle-5.13 Ubuntu upstream *
Linux-oracle-5.15 Ubuntu focal *
Linux-oracle-5.15 Ubuntu upstream *
Linux-oracle-5.3 Ubuntu bionic *
Linux-oracle-5.3 Ubuntu esm-infra/bionic *
Linux-oracle-5.3 Ubuntu upstream *
Linux-oracle-5.4 Ubuntu upstream *
Linux-oracle-5.8 Ubuntu focal *
Linux-oracle-5.8 Ubuntu upstream *
Linux-oracle-6.5 Ubuntu jammy *
Linux-oracle-6.5 Ubuntu upstream *
Linux-oracle-6.8 Ubuntu upstream *
Linux-raspi Ubuntu jammy *
Linux-raspi Ubuntu upstream *
Linux-raspi-5.4 Ubuntu upstream *
Linux-raspi-realtime Ubuntu upstream *
Linux-raspi2 Ubuntu bionic *
Linux-raspi2 Ubuntu focal *
Linux-raspi2 Ubuntu upstream *
Linux-raspi2 Ubuntu xenial *
Linux-realtime Ubuntu jammy *
Linux-realtime Ubuntu realtime/jammy *
Linux-realtime Ubuntu upstream *
Linux-riscv Ubuntu focal *
Linux-riscv Ubuntu jammy *
Linux-riscv Ubuntu upstream *
Linux-riscv-5.11 Ubuntu focal *
Linux-riscv-5.11 Ubuntu upstream *
Linux-riscv-5.15 Ubuntu focal *
Linux-riscv-5.15 Ubuntu upstream *
Linux-riscv-5.19 Ubuntu jammy *
Linux-riscv-5.19 Ubuntu upstream *
Linux-riscv-5.8 Ubuntu focal *
Linux-riscv-5.8 Ubuntu upstream *
Linux-riscv-6.5 Ubuntu jammy *
Linux-riscv-6.5 Ubuntu upstream *
Linux-riscv-6.8 Ubuntu upstream *
Linux-starfive-5.19 Ubuntu jammy *
Linux-starfive-5.19 Ubuntu upstream *
Linux-starfive-6.2 Ubuntu jammy *
Linux-starfive-6.2 Ubuntu upstream *
Linux-starfive-6.5 Ubuntu jammy *
Linux-starfive-6.5 Ubuntu upstream *
Linux-xilinx-zynqmp Ubuntu upstream *

Extended Description

The use of previously-freed memory can have any number of adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw. The simplest way data corruption may occur involves the system’s reuse of the freed memory. Use-after-free errors have two common and sometimes overlapping causes:

In this scenario, the memory in question is allocated to another pointer validly at some point after it has been freed. The original pointer to the freed memory is used again and points to somewhere within the new allocation. As the data is changed, it corrupts the validly used memory; this induces undefined behavior in the process. If the newly allocated data happens to hold a class, in C++ for example, various function pointers may be scattered within the heap data. If one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved.

Potential Mitigations

References