Rapid7 Vulnerability & Exploit Database

Ubuntu: (Multiple Advisories) (CVE-2022-48838): Linux kernel vulnerabilities

Free InsightVM Trial No Credit Card Necessary
2024 Attack Intel Report Latest research by Rapid7 Labs
Back to Search

Ubuntu: (Multiple Advisories) (CVE-2022-48838): Linux kernel vulnerabilities

Severity
4
CVSS
(AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published
07/16/2024
Created
09/28/2024
Added
09/27/2024
Modified
09/27/2024

Description

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: Fix use-after-free bug by not setting udc->dev.driver The syzbot fuzzer found a use-after-free bug: BUG: KASAN: use-after-free in dev_uevent+0x712/0x780 drivers/base/core.c:2320 Read of size 8 at addr ffff88802b934098 by task udevd/3689 CPU: 2 PID: 3689 Comm: udevd Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 dev_uevent+0x712/0x780 drivers/base/core.c:2320 uevent_show+0x1b8/0x380 drivers/base/core.c:2391 dev_attr_show+0x4b/0x90 drivers/base/core.c:2094 Although the bug manifested in the driver core, the real cause was a race with the gadget core. dev_uevent() does: if (dev->driver) add_uevent_var(env, "DRIVER=%s", dev->driver->name); and between the test and the dereference of dev->driver, the gadget core sets dev->driver to NULL. The race wouldn't occur if the gadget core registered its devices on a real bus, using the standard synchronization techniques of the driver core. However, it's not necessary to make such a large change in order to fix this bug; all we need to do is make sure that udc->dev.driver is always NULL. In fact, there is no reason for udc->dev.driver ever to be set to anything, let alone to the value it currently gets: the address of the gadget's driver. After all, a gadget driver only knows how to manage a gadget, not how to manage a UDC. This patch simply removes the statements in the gadget core that touch udc->dev.driver.

Solution(s)

  • ubuntu-upgrade-linux-image-4-4-0-1136-aws
  • ubuntu-upgrade-linux-image-4-4-0-1137-kvm
  • ubuntu-upgrade-linux-image-4-4-0-1174-aws
  • ubuntu-upgrade-linux-image-4-4-0-259-generic
  • ubuntu-upgrade-linux-image-4-4-0-259-lowlatency
  • ubuntu-upgrade-linux-image-aws
  • ubuntu-upgrade-linux-image-generic
  • ubuntu-upgrade-linux-image-generic-lts-utopic
  • ubuntu-upgrade-linux-image-generic-lts-vivid
  • ubuntu-upgrade-linux-image-generic-lts-wily
  • ubuntu-upgrade-linux-image-generic-lts-xenial
  • ubuntu-upgrade-linux-image-kvm
  • ubuntu-upgrade-linux-image-lowlatency
  • ubuntu-upgrade-linux-image-lowlatency-lts-utopic
  • ubuntu-upgrade-linux-image-lowlatency-lts-vivid
  • ubuntu-upgrade-linux-image-lowlatency-lts-wily
  • ubuntu-upgrade-linux-image-lowlatency-lts-xenial
  • ubuntu-upgrade-linux-image-virtual
  • ubuntu-upgrade-linux-image-virtual-lts-utopic
  • ubuntu-upgrade-linux-image-virtual-lts-vivid
  • ubuntu-upgrade-linux-image-virtual-lts-wily
  • ubuntu-upgrade-linux-image-virtual-lts-xenial

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;