7.8
CVE-2022-49755
- EPSS 0.22%
- Veröffentlicht 27.03.2025 16:43:02
- Zuletzt bearbeitet 01.04.2025 15:40:57
- Quelle 416baaa9-dc9f-4396-8d5f-8c081f
- CVE-Watchlists
- Unerledigt
usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait While performing fast composition switch, there is a possibility that the process of ffs_ep0_write/ffs_ep0_read get into a race condition due to ep0req being freed up from functionfs_unbind. Consider the scenario that the ffs_ep0_write calls the ffs_ep0_queue_wait by taking a lock &ffs->ev.waitq.lock. However, the functionfs_unbind isn't bounded so it can go ahead and mark the ep0req to NULL, and since there is no NULL check in ffs_ep0_queue_wait we will end up in use-after-free. Fix this by making a serialized execution between the two functions using a mutex_lock(ffs->mutex).
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Linux ≫ Linux Kernel Version >= 2.6.35 < 4.14.305
Linux ≫ Linux Kernel Version >= 4.15 < 4.19.272
Linux ≫ Linux Kernel Version >= 4.20 < 5.4.231
Linux ≫ Linux Kernel Version >= 5.5 < 5.10.166
Linux ≫ Linux Kernel Version >= 5.11 < 5.15.91
Linux ≫ Linux Kernel Version >= 5.16 < 6.1.9
Linux ≫ Linux Kernel Version6.2 Updaterc1
Linux ≫ Linux Kernel Version6.2 Updaterc2
Linux ≫ Linux Kernel Version6.2 Updaterc3
Linux ≫ Linux Kernel Version6.2 Updaterc4
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.22% | 0.124 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-416 Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
https://git.kernel.org/stable/c/facf353c9e8d7885b686d9a4b173d4e0af6441d2
https://git.kernel.org/stable/c/e9036e951f93fb8d7b5e9d6e2c7f94a4da312ae4
https://git.kernel.org/stable/c/a8d40942df074f4ebcb9bd3413596d92f323b064
https://git.kernel.org/stable/c/6dd9ea05534f323668db94fcc2726c7a84547e78
https://git.kernel.org/stable/c/ae8e136bcaae96163b5821984de1036efc9abb1a
https://git.kernel.org/stable/c/6aee197b7fbcd61596a78b47d553f2f99111f217
https://git.kernel.org/stable/c/6a19da111057f69214b97c62fb0ac59023970850