Bug 2150953 (CVE-2022-3565) - CVE-2022-3565 kernel: use-after-free in l1oip timer handlers
Summary: CVE-2022-3565 kernel: use-after-free in l1oip timer handlers
Keywords:
Status: NEW
Alias: CVE-2022-3565
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2162419 2162420 2162421 2162422 2150954
Blocks: 2150724
Reported: 2022-12-05 17:30 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-07-07 08:31 UTC

Fixed In Version: kernel 6.1-rc1
Doc Text:
A use-after-free flaw was found in the Linux kernel's ISDN over IP tunnel functionality, in the way a local user can trigger the release_card() function called from l1oip_cleanup(). This flaw allows a local user to crash the system or potentially escalate their privileges.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Guilherme de Almeida Suckevicz 2022-12-05 17:30:35 UTC
A vulnerability has been found in Linux Kernel. Affected by this issue is the function del_timer of the file drivers/isdn/mISDN/l1oip_core.c of the ISDN (for the ISDN over IP tunnel). The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211088.

Reference:
https://vuldb.com/?id.211088

Upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=2568a7e0832ee30b0a351016d03062ab4e0e0a3f

Comment 1 Guilherme de Almeida Suckevicz 2022-12-05 17:30:59 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2150954]

Comment 2 Justin M. Forbes 2022-12-08 15:39:44 UTC
While ISDN is disabled in Fedora kernels, a patch for this was included in 6.0.3 for users who might be building their own kernels.

