Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2022-48822

Disclosure Date: July 16, 2024 •

CVE-2022-48822 CVSS v3 Base Score: 7.8

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: f_fs: Fix use-after-free for epfile

Consider a case where ffs_func_eps_disable is called from
ffs_func_disable as part of composition switch and at the
same time ffs_epfile_release get called from userspace.
ffs_epfile_release will free up the read buffer and call
ffs_data_closed which in turn destroys ffs->epfiles and
mark it as NULL. While this was happening the driver has
already initialized the local epfile in ffs_func_eps_disable
which is now freed and waiting to acquire the spinlock. Once
spinlock is acquired the driver proceeds with the stale value
of epfile and tries to free the already freed read buffer
causing use-after-free.

Following is the illustration of the race:

  CPU1                                  CPU2

ffs_func_eps_disable
epfiles (local copy)

				ffs_epfile_release
				ffs_data_closed
				if (last file closed)
				ffs_data_reset
				ffs_data_clear
				ffs_epfiles_destroy

spin_lock
dereference epfiles

Fix this races by taking epfiles local copy & assigning it under
spinlock and if epfiles(local) is null then update it in ffs->epfiles
then finally destroy it.
Extending the scope further from the race, protecting the ep related
structures, and concurrent accesses.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.8 High

Impact Score:

5.9

Exploitability Score:

1.8

Vector:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Local

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

linux

Products

linux kernel

References

Canonical

CVE-2022-48822 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48822)

Miscellaneous

https://git.kernel.org/stable/c/32048f4be071f9a6966744243f1786f45bb22dc2

https://git.kernel.org/stable/c/cfe5f6fd335d882bcc829a1c8a7d462a455c626e

https://git.kernel.org/stable/c/c9fc422c9a43e3d58d246334a71f3390401781dc

https://git.kernel.org/stable/c/0042178a69eb77a979e36a50dcce9794a3140ef8

https://git.kernel.org/stable/c/72a8aee863af099d4434314c4536d6c9a61dcf3c

https://git.kernel.org/stable/c/3e078b18753669615301d946297bafd69294ad2c

https://git.kernel.org/stable/c/ebe2b1add1055b903e2acd86b290a85297edc0b3

Rapid7

Unknown

CVE-2022-48822

Unknown

Unknown

None

Low

Local

CVE-2022-48822

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2022-48822

Unknown

Unknown

None

Low

Local

CVE-2022-48822

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification