2298160 – (CVE-2022-48821) CVE-2022-48821 kernel: misc: fastrpc: avoid double fput() on failed usercopy

Bug 2298160 (CVE-2022-48821) - CVE-2022-48821 kernel: misc: fastrpc: avoid double fput() on failed usercopy

Summary: CVE-2022-48821 kernel: misc: fastrpc: avoid double fput() on failed usercopy

Keywords:
Status:	NEW
Alias:	CVE-2022-48821
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-07-16 12:48 UTC by OSIDB Bzimport
Modified:	2024-07-30 16:46 UTC (History)
CC List:	4 users (show)
Fixed In Version:	kernel 5.4.180, kernel 5.10.101, kernel 5.15.24, kernel 5.16.10, kernel 5.17
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-07-16 12:48:16 UTC

In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: avoid double fput() on failed usercopy

If the copy back to userland fails for the FASTRPC_IOCTL_ALLOC_DMA_BUFF
ioctl(), we shouldn't assume that 'buf->dmabuf' is still valid. In fact,
dma_buf_fd() called fd_install() before, i.e. "consumed" one reference,
leaving us with none.

Calling dma_buf_put() will therefore put a reference we no longer own,
leading to a valid file descritor table entry for an already released
'file' object which is a straight use-after-free.

Simply avoid calling dma_buf_put() and rely on the process exit code to
do the necessary cleanup, if needed, i.e. if the file descriptor is
still valid.

Note You need to log in before you can comment on or make changes to this bug.