Bug 2373478 (CVE-2022-50005) - CVE-2022-50005 kernel: nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout
Summary: CVE-2022-50005 kernel: nfc: pn533: Fix use-after-free bugs caused by pn532_cm...
Keywords:
Status: NEW
Alias: CVE-2022-50005
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-06-18 12:04 UTC by OSIDB Bzimport
Modified: 2025-06-20 10:08 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-06-18 12:04:47 UTC 
In the Linux kernel, the following vulnerability has been resolved:

nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout

When the pn532 uart device is detaching, the pn532_uart_remove()
is called. But there are no functions in pn532_uart_remove() that
could delete the cmd_timeout timer, which will cause use-after-free
bugs. The process is shown below:

    (thread 1)                  |        (thread 2)
                                |  pn532_uart_send_frame
pn532_uart_remove               |    mod_timer(&pn532->cmd_timeout,...)
  ...                           |    (wait a time)
  kfree(pn532) //FREE           |    pn532_cmd_timeout
                                |      pn532_uart_send_frame
                                |        pn532->... //USE

This patch adds del_timer_sync() in pn532_uart_remove() in order to
prevent the use-after-free bugs. What's more, the pn53x_unregister_nfc()
is well synchronized, it sets nfc_dev->shutting_down to true and there
are no syscalls could restart the cmd_timeout timer.
Comment 1 Avinash Hanwate 2025-06-20 01:12:48 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025061829-CVE-2022-50005-fd4b@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.