CVE-2022-48771

drm/vmwgfx: Fix stale file descriptors on failed usercopy

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

drm/vmwgfx: Fix stale file descriptors on failed usercopy

A failing usercopy of the fence_rep object will lead to a stale entry in
the file descriptor table as put_unused_fd() won't release it. This
enables userland to refer to a dangling 'file' object through that still
valid file descriptor, leading to all kinds of use-after-free
exploitation scenarios.

Fix this by deferring the call to fd_install() until after the usercopy
has succeeded.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-06-20 CVE Reserved
2024-06-20 CVE Published
2024-06-21 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (8)

URL	Tag	Source
https://git.kernel.org/stable/c/c906965dee22d5e95d0651759ba107b420212a9f	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/e8d092a62449dcfc73517ca43963d2b8f44d0516	2022-01-29
https://git.kernel.org/stable/c/0008a0c78fc33a84e2212a7c04e6b21a36ca6f4d	2022-01-29
https://git.kernel.org/stable/c/84b1259fe36ae0915f3d6ddcea6377779de48b82	2022-01-29
https://git.kernel.org/stable/c/ae2b20f27732fe92055d9e7b350abc5cdf3e2414	2022-01-29
https://git.kernel.org/stable/c/6066977961fc6f437bc064f628cf9b0e4571c56c	2022-01-29
https://git.kernel.org/stable/c/1d833b27fb708d6fdf5de9f6b3a8be4bd4321565	2022-01-29
https://git.kernel.org/stable/c/a0f90c8815706981c483a652a6aefca51a5e191c	2022-01-27

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.14 < 4.14.264 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 4.14.264"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.14 < 4.19.227 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 4.19.227"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.14 < 5.4.175 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 5.4.175"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.14 < 5.10.95 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 5.10.95"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.14 < 5.15.18 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 5.15.18"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.14 < 5.16.4 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 5.16.4"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.14 < 5.17 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.14 < 5.17"		en		Affected