A concurrency use-after-free issue was discovered between reset_interrupt and floppy_end_request. The root cause is that after floppy_end_request deallocates current_req, reset_interrupt still holds the freed current_req->error_count and accesses it concurrently. An attacker with a local account on a system where a floppy disk is in use, mounted, and has errors may be able to write to memory after it has been freed. By specially crafting memory requests, the attacker could place a target memory structure in this location so that it is modified for abuse.

References: https://www.openwall.com/lists/oss-security/2022/05/10/1
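The lifetime problem described above, as an added example that is not the kernel's floppy driver code: a single-threaded model that plays the losing interleaving in sequence (completion first, then the interrupt path) and contrasts it with a counter whose storage outlives the request. Every name except current_req and error_count is hypothetical, and the one-slot pool is an assumption that stands in for the allocator so the stale write can be observed without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model, NOT kernel code. Only current_req and error_count come
 * from the report; every other name is hypothetical. */
struct request { int error_count; };

static struct request slot;          /* backing storage for the one request */
static int slot_live;                /* 1 while the request is allocated    */
static struct request *current_req;
static int *errors;                  /* cached pointer into current_req     */
static int static_errors;            /* hardened: outlives every request    */

/* 1 if p points at the request's counter while the request is freed. */
static int in_freed(const int *p) {
    return p == &slot.error_count && !slot_live;
}

static void start_request(void) {
    slot.error_count = 0;
    slot_live = 1;
    current_req = &slot;
    errors = &current_req->error_count;   /* vulnerable pattern caches this */
    static_errors = 0;                    /* hardened pattern resets this   */
}

static void end_request(void) {           /* completion path frees request  */
    slot_live = 0;
    current_req = NULL;                   /* 'errors' is left dangling      */
}

/* Vulnerable interrupt path: writes through the cached pointer.
 * Returns 1 if that write landed in freed storage. */
static int interrupt_vulnerable(void) {
    int stale = in_freed(errors);
    (*errors)++;                          /* safe here only because slot is static */
    return stale;
}

/* Hardened interrupt path: counter is not tied to the request's lifetime. */
static int interrupt_hardened(void) {
    int stale = in_freed(&static_errors);
    static_errors++;
    return stale;
}

int main(void) {
    start_request(); end_request();       /* completion wins the race       */
    printf("vulnerable wrote to freed memory: %d\n", interrupt_vulnerable());
    printf("hardened wrote to freed memory:   %d\n", interrupt_hardened());
    return 0;
}
```

In a real allocator the freed slot can be handed to another object, which is why the stale increment in the vulnerable path is a write into whatever now occupies that memory.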
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-1652