Bug 2044561 (CVE-2022-0487)

Summary: CVE-2022-0487 kernel: use after free in moxart_remove
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, adscvr, airlied, alciregi, allarkin, bhu, brdeoliv, bskeggs, carnil, chwhite, crwood, dhoward, dvlasenk, fhrbata, fpacheco, hdegoede, hkrzesin, jarod, jarodwilson, jburrell, jeremy, jfaracco, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lzampier, masami256, mchehab, nmurray, ptalbert, qzhao, rkeshri, rvrbovsk, scweaver, security-response-team, sgrubb, steved, vkumar, walters, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 5.17 rc4 Doc Type: If docs needed, set a value
Doc Text:
A use-after-free vulnerability was found in the Linux kernel’s moxart_remove function in drivers/mmc/host/moxart-mmc.c. This flaw allows a local attacker with a user privilege to create issues with confidentiality.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-03-20 20:31:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2049380, 2049381, 2061791    
Bug Blocks: 2044562, 2050368    

Description Pedro Sampaio 2022-01-24 18:33:06 UTC 
A use-after-free vulnerability was found in rtsx_usb_ms_drv_remove in drivers/memstick/host/rtsx_usb_ms.c in memstick in the Linux kernel. In this flaw, a local attacker with a user privilege may impact system Confidentiality.

References:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42933c8aa14be1caa9eda41f65cde8a3a95d3e39
https://lore.kernel.org/all/20220114075934.302464-1-gregkh@linuxfoundation.org/
https://bugzilla.suse.com/show_bug.cgi?id=1194516
Comment 6 juneau 2022-02-03 13:41:56 UTC 
Marking OSDv4 affected/delegated/low. Affected code exists but local attack vector presents minimal risk.
Comment 8 Steve Grubb 2022-02-21 16:57:46 UTC 
Is blocking memstick.ko the workaround until a fixed module is released?
Comment 9 Salvatore Bonaccorso 2022-03-08 15:47:11 UTC 
Is there a reason that the CVE was changed to be for the memstick driver instead of the moxart one? The original description mentioned the moxart one, cf. https://bugzilla.redhat.com/show_comment_activity.cgi?id=2044561&comment_id=15874861 . The SuSE bugzilla where this orginates from is as well about the UAF in moxart. Any comments on this? The reason I ask is that several have tracked this CVE for the moxart issue fixed by https://git.kernel.org/linus/bd2db32e7c3e35bd4d9b8bbff689434a50893546 (https://bugzilla.suse.com/show_bug.cgi?id=1194516)
Comment 13 Rohit Keshri 2022-03-20 18:22:13 UTC 
In reply to comment #9:
> Is there a reason that the CVE was changed to be for the memstick driver
> instead of the moxart one? The original description mentioned the moxart
> one, cf.
> https://bugzilla.redhat.com/show_comment_activity.
> cgi?id=2044561&comment_id=15874861 . The SuSE bugzilla where this orginates
> from is as well about the UAF in moxart. Any comments on this? The reason I
> ask is that several have tracked this CVE for the moxart issue fixed by
> https://git.kernel.org/linus/bd2db32e7c3e35bd4d9b8bbff689434a50893546
> (https://bugzilla.suse.com/show_bug.cgi?id=1194516)

Thank you carnil for correcting me. It was a mistake, I wrongly pointed a different patch to this flaw, a correction was done.
Comment 14 Product Security DevOps Team 2022-03-20 20:31:33 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-0487