CVE-2022-48872

misc: fastrpc: Fix use-after-free race condition for maps

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: Fix use-after-free race condition for maps

It is possible that in between calling fastrpc_map_get() until
map->fl->lock is taken in fastrpc_free_map(), another thread can call
fastrpc_map_lookup() and get a reference to a map that is about to be
deleted.

Rewrite fastrpc_map_get() to only increase the reference count of a map
if it's non-zero. Propagate this to callers so they can know if a map is
about to be deleted.

Fixes this warning:
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 5 PID: 10100 at lib/refcount.c:25 refcount_warn_saturate
...
Call trace:
refcount_warn_saturate
[fastrpc_map_get inlined]
[fastrpc_map_lookup inlined]
fastrpc_map_create
fastrpc_internal_invoke
fastrpc_device_ioctl
__arm64_sys_ioctl
invoke_syscall

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-07-16 CVE Reserved
2024-08-21 CVE Published
2024-09-07 EPSS Updated
2024-11-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (6)

URL	Tag	Source
https://git.kernel.org/stable/c/c68cfb718c8f97b7f7a50ed66be5feb42d0c8988	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/556dfdb226ce1e5231d8836159b23f8bb0395bf4	2023-01-24
https://git.kernel.org/stable/c/b171d0d2cf1b8387c72c8d325c5d5746fa271e39	2023-01-24
https://git.kernel.org/stable/c/61a0890cb95afec5c8a2f4a879de2b6220984ef1	2023-01-24
https://git.kernel.org/stable/c/079c78c68714f7d8d58e66c477b0243b31806907	2023-01-24
https://git.kernel.org/stable/c/96b328d119eca7563c1edcc4e1039a62e6370ecb	2023-01-20

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.1 < 5.4.230 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.1 < 5.4.230"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.1 < 5.10.165 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.1 < 5.10.165"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.1 < 5.15.90 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.1 < 5.15.90"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.1 < 6.1.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.1 < 6.1.8"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.1 < 6.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.1 < 6.2"		en		Affected