Bug 2298205 (CVE-2022-48861) - CVE-2022-48861 kernel: vdpa: fix use-after-free on vp_vdpa_remove
Summary: CVE-2022-48861 kernel: vdpa: fix use-after-free on vp_vdpa_remove
Keywords:
Status: NEW
Alias: CVE-2022-48861
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-07-16 13:33 UTC by OSIDB Bzimport
Modified: 2024-09-22 23:29 UTC
CC List: 4 users

Fixed In Version: kernel 5.15.29, kernel 5.16.15, kernel 5.17
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the vp_vdpa_remove function of the Linux kernel's vdpa driver: when the vp_vdpa driver is unbound, the vp_vdpa structure is freed and then accessed again, resulting in a dereference of freed memory.
Clone Of:
Environment:
Last Closed:
Embargoed:

Description OSIDB Bzimport 2024-07-16 13:33:57 UTC
In the Linux kernel, the following vulnerability has been resolved:

vdpa: fix use-after-free on vp_vdpa_remove

When the vp_vdpa driver is unbound, vp_vdpa is freed in vdpa_unregister_device
and then vp_vdpa->mdev.pci_dev is dereferenced in vp_modern_remove,
triggering a use-after-free.

Call trace of unbinding the driver, which frees vp_vdpa:
do_syscall_64
  vfs_write
    kernfs_fop_write_iter
      device_release_driver_internal
        pci_device_remove
          vp_vdpa_remove
            vdpa_unregister_device
              kobject_release
                device_release
                  kfree

Call trace of the dereference of vp_vdpa->mdev.pci_dev:
vp_modern_remove
  pci_release_selected_regions
    pci_release_region
      pci_resource_len
        pci_resource_end
          (dev)->resource[(bar)].end
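As an added illustration (not code from the kernel, from the commit above or from this bug report), the following user-space C model reproduces the teardown ordering the commit message describes: the object that embeds mdev is freed by the unregister step, and the region release that follows reads mdev->pci_dev out of that freed object. The quarantine allocator, the struct layouts and the function names are simplified stand-ins (assumptions) for the kernel's slab poisoning and KASAN behaviour and for the symbols in the two call traces; the reordered remove shows one remedy, releasing whatever depends on the embedded mdev before the unregister that may free its container, and is not a claim about the upstream patch.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Quarantine allocator (assumption: a user-space stand-in for KASAN). Freed
 * objects are poisoned and kept, never recycled, so a later access can be
 * attributed to the freed object that used to live at that address. */
struct qobj { char *ptr; size_t size; bool live; };
static struct qobj objs[16];
static int nobjs;

static void *qalloc(size_t size)
{
    char *p = nobjs < 16 ? calloc(1, size) : NULL;
    if (p)
        objs[nobjs++] = (struct qobj){ p, size, true };
    return p;
}

static void qfree(void *p)
{
    for (int i = 0; i < nobjs; i++)
        if (objs[i].ptr == p) {
            memset(p, 0x6b, objs[i].size);  /* mimic slab POISON_FREE */
            objs[i].live = false;
        }
}

/* True when addr lies inside an object that has already been freed. */
static bool is_use_after_free(const void *addr)
{
    const char *a = addr;
    for (int i = 0; i < nobjs; i++)
        if (a >= objs[i].ptr && a < objs[i].ptr + objs[i].size)
            return !objs[i].live;
    return false;
}

static void qreset(void) { while (nobjs > 0) free(objs[--nobjs].ptr); }

/* Simplified stand-ins for the kernel structs named in the call traces;
 * mdev is embedded in vp_vdpa, so it is freed together with it. */
struct pci_dev { unsigned long bar_end; };
struct virtio_pci_modern_device { struct pci_dev *pci_dev; };
struct vp_vdpa { struct virtio_pci_modern_device mdev; };
static int uaf_hits;   /* freed-memory accesses (what KASAN would report) */

/* Models vdpa_unregister_device(): the last put runs device_release -> kfree. */
static void vdpa_unregister_device(struct vp_vdpa *vp) { qfree(vp); }

/* Models vp_modern_remove() -> pci_release_selected_regions() ->
 * pci_resource_end(), which must read mdev->pci_dev from inside vp_vdpa.
 * A hit on freed memory is recorded rather than dereferenced. */
static int vp_modern_remove(struct virtio_pci_modern_device *mdev)
{
    if (is_use_after_free(&mdev->pci_dev)) {
        uaf_hits++;
        return -1;
    }
    mdev->pci_dev->bar_end = 0;   /* release the BAR resource */
    return 0;
}

/* The ordering from the bug report: free vp_vdpa, then touch vp_vdpa->mdev. */
static int vp_vdpa_remove_buggy(struct vp_vdpa *vp)
{
    vdpa_unregister_device(vp);
    return vp_modern_remove(&vp->mdev);
}

/* One safe ordering: finish every step that reads the embedded mdev before
 * the unregister that may free the object containing it. */
static int vp_vdpa_remove_fixed(struct vp_vdpa *vp)
{
    int ret = vp_modern_remove(&vp->mdev);
    vdpa_unregister_device(vp);
    return ret;
}

/* Probe a constructed device, run one remove variant and return how many
 * freed-memory accesses the quarantine attributed to it (0 = clean teardown). */
static int run_remove(int (*remove_fn)(struct vp_vdpa *))
{
    static struct pci_dev pdev;
    struct vp_vdpa *vp;
    qreset();
    uaf_hits = 0;
    pdev.bar_end = 0xfe000fffUL;   /* constructed BAR end address */
    vp = qalloc(sizeof(*vp));
    if (!vp)
        return -1;
    vp->mdev.pci_dev = &pdev;
    remove_fn(vp);
    return uaf_hits;
}

int demo_buggy(void) { return run_remove(vp_vdpa_remove_buggy); }
int demo_fixed(void) { return run_remove(vp_vdpa_remove_fixed); }
```

Any C99 compiler builds this; demo_buggy() reports one access to freed memory and demo_fixed() none. The same observation is what a KASAN-enabled kernel reports as a use-after-free in vp_modern_remove, so exercising a driver's unbind path under KASAN is the practical check for this bug class, and the review question for any remove callback is whether every step after the unregister still touches memory the unregister may have freed.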

