CVE-2022-48796

16.07.2024, 12:15

In the Linux kernel, the following vulnerability has been resolved:

iommu: Fix potential use-after-free during probe

Kasan has reported the following use after free on dev->iommu.
when a device probe fails and it is in process of freeing dev->iommu
in dev_iommu_free function, a deferred_probe_work_func runs in parallel
and tries to access dev->iommu->fwspec in of_iommu_configure path thus
causing use after free.

BUG: KASAN: use-after-free in of_iommu_configure+0xb4/0x4a4
Read of size 8 at addr ffffff87a2f1acb8 by task kworker/u16:2/153

Workqueue: events_unbound deferred_probe_work_func
Call trace:
 dump_backtrace+0x0/0x33c
 show_stack+0x18/0x24
 dump_stack_lvl+0x16c/0x1e0
 print_address_description+0x84/0x39c
 __kasan_report+0x184/0x308
 kasan_report+0x50/0x78
 __asan_load8+0xc0/0xc4
 of_iommu_configure+0xb4/0x4a4
 of_dma_configure_id+0x2fc/0x4d4
 platform_dma_configure+0x40/0x5c
 really_probe+0x1b4/0xb74
 driver_probe_device+0x11c/0x228
 __device_attach_driver+0x14c/0x304
 bus_for_each_drv+0x124/0x1b0
 __device_attach+0x25c/0x334
 device_initial_probe+0x24/0x34
 bus_probe_device+0x78/0x134
 deferred_probe_work_func+0x130/0x1a8
 process_one_work+0x4c8/0x970
 worker_thread+0x5c8/0xaec
 kthread+0x1f8/0x220
 ret_from_fork+0x10/0x18

Allocated by task 1:
 ____kasan_kmalloc+0xd4/0x114
 __kasan_kmalloc+0x10/0x1c
 kmem_cache_alloc_trace+0xe4/0x3d4
 __iommu_probe_device+0x90/0x394
 probe_iommu_group+0x70/0x9c
 bus_for_each_dev+0x11c/0x19c
 bus_iommu_probe+0xb8/0x7d4
 bus_set_iommu+0xcc/0x13c
 arm_smmu_bus_init+0x44/0x130 [arm_smmu]
 arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]
 platform_drv_probe+0xe4/0x13c
 really_probe+0x2c8/0xb74
 driver_probe_device+0x11c/0x228
 device_driver_attach+0xf0/0x16c
 __driver_attach+0x80/0x320
 bus_for_each_dev+0x11c/0x19c
 driver_attach+0x38/0x48
 bus_add_driver+0x1dc/0x3a4
 driver_register+0x18c/0x244
 __platform_driver_register+0x88/0x9c
 init_module+0x64/0xff4 [arm_smmu]
 do_one_initcall+0x17c/0x2f0
 do_init_module+0xe8/0x378
 load_module+0x3f80/0x4a40
 __se_sys_finit_module+0x1a0/0x1e4
 __arm64_sys_finit_module+0x44/0x58
 el0_svc_common+0x100/0x264
 do_el0_svc+0x38/0xa4
 el0_svc+0x20/0x30
 el0_sync_handler+0x68/0xac
 el0_sync+0x160/0x180

Freed by task 1:
 kasan_set_track+0x4c/0x84
 kasan_set_free_info+0x28/0x4c
 ____kasan_slab_free+0x120/0x15c
 __kasan_slab_free+0x18/0x28
 slab_free_freelist_hook+0x204/0x2fc
 kfree+0xfc/0x3a4
 __iommu_probe_device+0x284/0x394
 probe_iommu_group+0x70/0x9c
 bus_for_each_dev+0x11c/0x19c
 bus_iommu_probe+0xb8/0x7d4
 bus_set_iommu+0xcc/0x13c
 arm_smmu_bus_init+0x44/0x130 [arm_smmu]
 arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]
 platform_drv_probe+0xe4/0x13c
 really_probe+0x2c8/0xb74
 driver_probe_device+0x11c/0x228
 device_driver_attach+0xf0/0x16c
 __driver_attach+0x80/0x320
 bus_for_each_dev+0x11c/0x19c
 driver_attach+0x38/0x48
 bus_add_driver+0x1dc/0x3a4
 driver_register+0x18c/0x244
 __platform_driver_register+0x88/0x9c
 init_module+0x64/0xff4 [arm_smmu]
 do_one_initcall+0x17c/0x2f0
 do_init_module+0xe8/0x378
 load_module+0x3f80/0x4a40
 __se_sys_finit_module+0x1a0/0x1e4
 __arm64_sys_finit_module+0x44/0x58
 el0_svc_common+0x100/0x264
 do_el0_svc+0x38/0xa4
 el0_svc+0x20/0x30
 el0_sync_handler+0x68/0xac
 el0_sync+0x160/0x180

Fix this by setting dev->iommu to NULL first and
then freeing dev_iommu structure in dev_iommu_free
function.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Linux	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 11%

Vendor	Product	Version
linux	linux_kernel	5.7 ≤ 𝑥 < 5.10.101
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.24
linux	linux_kernel	5.16 ≤ 𝑥 < 5.16.10
linux	linux_kernel	5.17:rc1
linux	linux_kernel	5.17:rc2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 fixed
bullseye (security)	5.10.226-1 fixed
bookworm	6.1.106-3 fixed
bookworm (security)	6.1.112-1 fixed
sid	6.11.5-1 fixed
trixie	6.11.5-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

noble	not-affected
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	not-affected
trusty	not-affected

linux-allwinner-5.19

noble	dne
jammy	ignored
focal	dne

linux-aws

noble	not-affected
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	not-affected
trusty	not-affected

linux-aws-5.0

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-aws-5.11

noble	dne
jammy	dne
focal	ignored

linux-aws-5.13

noble	dne
jammy	dne
focal	ignored

linux-aws-5.15

noble	dne
jammy	dne
focal	not-affected

linux-aws-5.19

noble	dne
jammy	ignored
focal	dne

linux-aws-5.3

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-aws-5.4

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-aws-5.8

noble	dne
jammy	dne
focal	ignored

linux-aws-6.2

noble	dne
jammy	ignored
focal	dne

linux-aws-6.5

noble	dne
jammy	not-affected
focal	dne

linux-aws-fips

noble	dne
jammy	dne
focal	dne

linux-aws-hwe

noble	dne
jammy	dne
focal	dne
xenial	not-affected

linux-azure

noble	not-affected
jammy	not-affected
focal	not-affected
bionic	ignored
xenial	not-affected
trusty	not-affected

linux-azure-4.15

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-azure-5.11

noble	dne
jammy	dne
focal	ignored

linux-azure-5.13

noble	dne
jammy	dne
focal	ignored

linux-azure-5.15

noble	dne
jammy	dne
focal	not-affected

linux-azure-5.19

noble	dne
jammy	ignored
focal	dne

linux-azure-5.3

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-azure-5.4

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-azure-5.8

noble	dne
jammy	dne
focal	ignored

linux-azure-6.2

noble	dne
jammy	ignored
focal	dne

linux-azure-6.5

noble	dne
jammy	not-affected
focal	dne

linux-azure-edge

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-azure-fde

noble	dne
jammy	not-affected
focal	ignored

linux-azure-fde-5.15

noble	dne
jammy	dne
focal	not-affected

linux-azure-fde-5.19

noble	dne
jammy	ignored
focal	dne

linux-azure-fde-6.2

noble	dne
jammy	ignored
focal	dne

linux-azure-fips

noble	dne
jammy	dne
focal	dne

linux-bluefield

noble	dne
jammy	dne
focal	not-affected

linux-fips

noble	dne
jammy	dne
focal	dne

linux-gcp

noble	not-affected
jammy	not-affected
focal	not-affected
bionic	ignored
xenial	not-affected

linux-gcp-4.15

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-gcp-5.11

noble	dne
jammy	dne
focal	ignored

linux-gcp-5.13

noble	dne
jammy	dne
focal	ignored

linux-gcp-5.15

noble	dne
jammy	dne
focal	not-affected

linux-gcp-5.19

noble	dne
jammy	ignored
focal	dne

linux-gcp-5.3

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-gcp-5.4

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-gcp-5.8

noble	dne
jammy	dne
focal	ignored

linux-gcp-6.2

noble	dne
jammy	ignored
focal	dne

linux-gcp-6.5

noble	dne
jammy	not-affected
focal	dne

linux-gcp-fips

noble	dne
jammy	dne
focal	dne

linux-gke

noble	not-affected
jammy	not-affected
focal	ignored

linux-gke-4.15

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-gke-5.15

noble	dne
jammy	dne
focal	ignored

linux-gke-5.4

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-gkeop

noble	dne
jammy	not-affected
focal	not-affected

linux-gkeop-5.15

noble	dne
jammy	dne
focal	not-affected

linux-gkeop-5.4

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-hwe

noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	not-affected

linux-hwe-5.11

noble	dne
jammy	dne
focal	ignored

linux-hwe-5.13

noble	dne
jammy	dne
focal	ignored

linux-hwe-5.15

noble	dne
jammy	dne
focal	not-affected

linux-hwe-5.19

noble	dne
jammy	ignored
focal	dne

linux-hwe-5.4

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-hwe-5.8

noble	dne
jammy	dne
focal	ignored

linux-hwe-6.2

noble	dne
jammy	ignored
focal	dne

linux-hwe-6.5

noble	dne
jammy	ignored
focal	dne

linux-hwe-6.8

noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-hwe-edge

noble	dne
jammy	dne
focal	dne
bionic	ignored
xenial	ignored

linux-ibm

noble	not-affected
jammy	not-affected
focal	not-affected

linux-ibm-5.15

noble	dne
jammy	dne
focal	not-affected

linux-ibm-5.4

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-intel

noble	not-affected
jammy	dne
focal	dne

linux-intel-5.13

noble	dne
jammy	dne
focal	ignored

linux-intel-iot-realtime

noble	dne
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-intel-iotg

noble	dne
jammy	not-affected
focal	dne

linux-intel-iotg-5.15

noble	dne
jammy	dne
focal	Fixed 5.15.0-1008.11~20.04.1 released

linux-iot

noble	dne
jammy	dne
focal	not-affected

linux-kvm

noble	dne
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	not-affected

linux-lowlatency

noble	not-affected
jammy	not-affected
focal	dne

linux-lowlatency-hwe-5.15

noble	dne
jammy	dne
focal	not-affected

linux-lowlatency-hwe-5.19

noble	dne
jammy	ignored
focal	dne

linux-lowlatency-hwe-6.2

noble	dne
jammy	ignored
focal	dne

linux-lowlatency-hwe-6.5

noble	dne
jammy	ignored
focal	dne

linux-lowlatency-hwe-6.8

noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-lts-xenial

noble	dne
jammy	dne
focal	dne
trusty	not-affected

linux-nvidia

noble	not-affected
jammy	not-affected
focal	dne

linux-nvidia-6.2

noble	dne
jammy	ignored
focal	dne

linux-nvidia-6.5

noble	dne
jammy	not-affected
focal	dne

linux-nvidia-6.8

noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-nvidia-lowlatency

noble	not-affected
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-oem

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-oem-5.10

noble	dne
jammy	dne
focal	ignored

linux-oem-5.13

noble	dne
jammy	dne
focal	ignored

linux-oem-5.14

noble	dne
jammy	dne
focal	ignored

linux-oem-5.17

noble	dne
jammy	ignored
focal	dne

linux-oem-5.6

noble	dne
jammy	dne
focal	ignored

linux-oem-6.0

noble	dne
jammy	ignored
focal	dne

linux-oem-6.1

noble	dne
jammy	ignored
focal	dne

linux-oem-6.5

noble	dne
jammy	not-affected
focal	dne

linux-oem-6.8

noble	not-affected
jammy	dne
focal	dne

linux-oracle

noble	not-affected
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	not-affected

linux-oracle-5.0

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-oracle-5.11

noble	dne
jammy	dne
focal	ignored

linux-oracle-5.13

noble	dne
jammy	dne
focal	ignored

linux-oracle-5.15

noble	dne
jammy	dne
focal	not-affected

linux-oracle-5.3

noble	dne
jammy	dne
focal	dne
bionic	ignored

linux-oracle-5.4

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-oracle-5.8

noble	dne
jammy	dne
focal	ignored

linux-oracle-6.5

noble	dne
jammy	not-affected
focal	dne

linux-raspi

noble	not-affected
jammy	not-affected
focal	not-affected

linux-raspi-5.4

noble	dne
jammy	dne
focal	dne
bionic	not-affected

linux-raspi-realtime

noble	dne
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-raspi2

noble	dne
jammy	dne
focal	ignored

linux-realtime

noble	dne
jammy	ignored
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-riscv

noble	not-affected
jammy	ignored
focal	ignored

linux-riscv-5.11

noble	dne
jammy	dne
focal	ignored

linux-riscv-5.15

noble	dne
jammy	dne
focal	not-affected

linux-riscv-5.19

noble	dne
jammy	ignored
focal	dne

linux-riscv-5.8

noble	dne
jammy	dne
focal	ignored

linux-riscv-6.5

noble	dne
jammy	ignored
focal	dne

linux-riscv-6.8

noble	dne
jammy	not-affected
focal	dne
bionic	dne
xenial	dne
trusty	dne

linux-starfive-5.19

noble	dne
jammy	ignored
focal	dne

linux-starfive-6.2

noble	dne
jammy	ignored
focal	dne

linux-starfive-6.5

noble	dne
jammy	not-affected
focal	dne

linux-xilinx-zynqmp

noble	dne
jammy	not-affected
focal	not-affected

Common Weakness Enumeration

CWE-416 - Use After Free
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

References

https://git.kernel.org/stable/c/65ab30f6a6952fa9ee13009862736cf8d110e6e5

https://git.kernel.org/stable/c/b54240ad494300ff0994c4539a531727874381f4

https://git.kernel.org/stable/c/cb86e511e78e796de6947b8f3acca1b7c76fb2ff

https://git.kernel.org/stable/c/f74fc4b5bd533ea3d30ce47cccb8ef8d21fda85a

https://git.kernel.org/stable/c/65ab30f6a6952fa9ee13009862736cf8d110e6e5

https://git.kernel.org/stable/c/b54240ad494300ff0994c4539a531727874381f4

https://git.kernel.org/stable/c/cb86e511e78e796de6947b8f3acca1b7c76fb2ff

https://git.kernel.org/stable/c/f74fc4b5bd533ea3d30ce47cccb8ef8d21fda85a