7.8

CVE-2022-49755

usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait

While performing fast composition switch, there is a possibility that the
process of ffs_ep0_write/ffs_ep0_read get into a race condition
due to ep0req being freed up from functionfs_unbind.

Consider the scenario that the ffs_ep0_write calls the ffs_ep0_queue_wait
by taking a lock &ffs->ev.waitq.lock. However, the functionfs_unbind isn't
bounded so it can go ahead and mark the ep0req to NULL, and since there
is no NULL check in ffs_ep0_queue_wait we will end up in use-after-free.

Fix this by making a serialized execution between the two functions using
a mutex_lock(ffs->mutex).
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 2.6.35 < 4.14.305
LinuxLinux Kernel Version >= 4.15 < 4.19.272
LinuxLinux Kernel Version >= 4.20 < 5.4.231
LinuxLinux Kernel Version >= 5.5 < 5.10.166
LinuxLinux Kernel Version >= 5.11 < 5.15.91
LinuxLinux Kernel Version >= 5.16 < 6.1.9
LinuxLinux Kernel Version6.2 Updaterc1
LinuxLinux Kernel Version6.2 Updaterc2
LinuxLinux Kernel Version6.2 Updaterc3
LinuxLinux Kernel Version6.2 Updaterc4
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.22% 0.124
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/facf353c9e8d7885b686d9a4b173d4e0af6441d2
Patch
https://git.kernel.org/stable/c/e9036e951f93fb8d7b5e9d6e2c7f94a4da312ae4
Patch
https://git.kernel.org/stable/c/a8d40942df074f4ebcb9bd3413596d92f323b064
Patch
https://git.kernel.org/stable/c/6dd9ea05534f323668db94fcc2726c7a84547e78
Patch
https://git.kernel.org/stable/c/ae8e136bcaae96163b5821984de1036efc9abb1a
Patch
https://git.kernel.org/stable/c/6aee197b7fbcd61596a78b47d553f2f99111f217
Patch
https://git.kernel.org/stable/c/6a19da111057f69214b97c62fb0ac59023970850
Patch