CVSS Base Score: 7.8

CVE-2022-50256

In the Linux kernel, the following vulnerability has been resolved:

drm/meson: remove drm bridges at aggregate driver unbind time

drm bridges added by meson_encoder_hdmi_init and meson_encoder_cvbs_init
were not manually removed at module unload time, which caused dangling
references to freed memory to remain linked in the global bridge_list.

When loading the driver modules back in, the same functions would again
call drm_bridge_add, and when traversing the global bridge_list, would
end up peeking into freed memory.

Once again KASAN revealed the problem:

[  +0.000095] =============================================================
[  +0.000008] BUG: KASAN: use-after-free in __list_add_valid+0x9c/0x120
[  +0.000018] Read of size 8 at addr ffff00003da291f0 by task modprobe/2483

[  +0.000018] CPU: 3 PID: 2483 Comm: modprobe Tainted: G         C O      5.19.0-rc6-lrmbkasan+ #1
[  +0.000011] Hardware name: Hardkernel ODROID-N2Plus (DT)
[  +0.000008] Call trace:
[  +0.000006]  dump_backtrace+0x1ec/0x280
[  +0.000012]  show_stack+0x24/0x80
[  +0.000008]  dump_stack_lvl+0x98/0xd4
[  +0.000011]  print_address_description.constprop.0+0x80/0x520
[  +0.000011]  print_report+0x128/0x260
[  +0.000008]  kasan_report+0xb8/0xfc
[  +0.000008]  __asan_report_load8_noabort+0x3c/0x50
[  +0.000009]  __list_add_valid+0x9c/0x120
[  +0.000009]  drm_bridge_add+0x6c/0x104 [drm]
[  +0.000165]  dw_hdmi_probe+0x1900/0x2360 [dw_hdmi]
[  +0.000022]  meson_dw_hdmi_bind+0x520/0x814 [meson_dw_hdmi]
[  +0.000014]  component_bind+0x174/0x520
[  +0.000012]  component_bind_all+0x1a8/0x38c
[  +0.000010]  meson_drv_bind_master+0x5e8/0xb74 [meson_drm]
[  +0.000032]  meson_drv_bind+0x20/0x2c [meson_drm]
[  +0.000027]  try_to_bring_up_aggregate_device+0x19c/0x390
[  +0.000010]  component_master_add_with_match+0x1c8/0x284
[  +0.000009]  meson_drv_probe+0x274/0x280 [meson_drm]
[  +0.000026]  platform_probe+0xd0/0x220
[  +0.000009]  really_probe+0x3ac/0xa80
[  +0.000009]  __driver_probe_device+0x1f8/0x400
[  +0.000009]  driver_probe_device+0x68/0x1b0
[  +0.000009]  __driver_attach+0x20c/0x480
[  +0.000008]  bus_for_each_dev+0x114/0x1b0
[  +0.000009]  driver_attach+0x48/0x64
[  +0.000008]  bus_add_driver+0x390/0x564
[  +0.000009]  driver_register+0x1a8/0x3e4
[  +0.000009]  __platform_driver_register+0x6c/0x94
[  +0.000008]  meson_drm_platform_driver_init+0x3c/0x1000 [meson_drm]
[  +0.000027]  do_one_initcall+0xc4/0x2b0
[  +0.000011]  do_init_module+0x154/0x570
[  +0.000011]  load_module+0x1a78/0x1ea4
[  +0.000008]  __do_sys_init_module+0x184/0x1cc
[  +0.000009]  __arm64_sys_init_module+0x78/0xb0
[  +0.000009]  invoke_syscall+0x74/0x260
[  +0.000009]  el0_svc_common.constprop.0+0xcc/0x260
[  +0.000008]  do_el0_svc+0x50/0x70
[  +0.000007]  el0_svc+0x68/0x1a0
[  +0.000012]  el0t_64_sync_handler+0x11c/0x150
[  +0.000008]  el0t_64_sync+0x18c/0x190

[  +0.000016] Allocated by task 879:
[  +0.000008]  kasan_save_stack+0x2c/0x5c
[  +0.000011]  __kasan_kmalloc+0x90/0xd0
[  +0.000007]  __kmalloc+0x278/0x4a0
[  +0.000011]  mpi_resize+0x13c/0x1d0
[  +0.000011]  mpi_powm+0xd24/0x1570
[  +0.000009]  rsa_enc+0x1a4/0x30c
[  +0.000009]  pkcs1pad_verify+0x3f0/0x580
[  +0.000009]  public_key_verify_signature+0x7a8/0xba4
[  +0.000010]  public_key_verify_signature_2+0x40/0x60
[  +0.000008]  verify_signature+0xb4/0x114
[  +0.000008]  pkcs7_validate_trust_one.constprop.0+0x3b8/0x574
[  +0.000009]  pkcs7_validate_trust+0xb8/0x15c
[  +0.000008]  verify_pkcs7_message_sig+0xec/0x1b0
[  +0.000012]  verify_pkcs7_signature+0x78/0xac
[  +0.000007]  mod_verify_sig+0x110/0x190
[  +0.000009]  module_sig_check+0x114/0x1e0
[  +0.000009]  load_module+0xa0/0x1ea4
[  +0.000008]  __do_sys_init_module+0x184/0x1cc
[  +0.000008]  __arm64_sys_init_module+0x78/0xb0
[  +0.000008]  invoke_syscall+0x74/0x260
[  +0.000009]  el0_svc_common.constprop.0+0x1a8/0x260
[  +0.000008]  do_el0_svc+0x50/0x70
[  +0.000007]  el0_svc+0x68/0x1a0
[  +0.000009]  el0t_64_sync_handler+0x11c/0x150
[  +0.000009]  el0t_64
---truncated---
Data provided by the National Vulnerability Database (NVD)
Linux | Linux Kernel | Version >= 4.10 < 5.19.17
Linux | Linux Kernel | Version >= 6.0 < 6.0.3
No CISA KEV entry or CERT.AT warning was found for this CVE.
EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 0.02% | 0.033
CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
nvd@nist.gov | 7.8 | 1.8 | 5.9 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
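
The failure described in the commit message above (a node left on the global bridge_list after its memory is freed, then read by the next drm_bridge_add) can be reproduced in a userspace C model. This is an added example, not kernel code and not part of the original record. The names `pool`, `live`, `node_is_live`, `bridge_add`, `bridge_remove` and `reload_cycle` are hypothetical, and a `live` flag stands in for KASAN's freed-memory tracking so no freed memory is actually read.

```c
#include <stdbool.h>

/* Userspace model (assumption, not kernel code) of a global bridge_list. */
struct node { struct node *prev, *next; };
static struct node bridge_list = { &bridge_list, &bridge_list };

/* Hypothetical driver object; `live` stands in for KASAN's freed tracking. */
struct encoder { struct node link; bool live; };
static struct encoder pool[2];          /* stands in for kmalloc'd memory */

/* link is the first member, so a node pointer is also its encoder. */
static bool node_is_live(const struct node *n)
{
    return n == &bridge_list || ((const struct encoder *)n)->live;
}

/* Models drm_bridge_add(): a tail insert must read the current last node. */
static bool bridge_add(struct encoder *e)
{
    struct node *prev = bridge_list.prev;
    if (!node_is_live(prev))
        return false;                   /* this would be the use-after-free read */
    e->link.prev = prev;
    e->link.next = &bridge_list;
    prev->next = &e->link;
    bridge_list.prev = &e->link;
    return true;
}

/* Models drm_bridge_remove(): unlink the node before its memory goes away. */
static void bridge_remove(struct encoder *e)
{
    e->link.prev->next = e->link.next;
    e->link.next->prev = e->link.prev;
}

/* Load, unload, reload. Returns true if the reload touched only live memory. */
static bool reload_cycle(bool remove_at_unbind)
{
    bridge_list.prev = bridge_list.next = &bridge_list;
    pool[0].live = true;                /* first load: allocate and add */
    bridge_add(&pool[0]);
    if (remove_at_unbind)
        bridge_remove(&pool[0]);        /* behaviour after the fix */
    pool[0].live = false;               /* unload: object freed */
    pool[1].live = true;                /* reload: allocate and add again */
    return bridge_add(&pool[1]);
}

int main(void) { return (!reload_cycle(false) && reload_cycle(true)) ? 0 : 1; }
```
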