Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cvelistLinuxCVELIST:CVE-2022-48867
HistoryAug 21, 2024 - 6:09 a.m.

CVE-2022-48867 dmaengine: idxd: Prevent use after free on completion memory

2024-08-2106:09:57
Linux
www.cve.org
4
linux kernel
cve-2022-48867
dmaengine
idxd
use after free
vulnerability
memory
completion
fix
page fault
driver unload
descriptor
address
flush
interrupt.

EPSS

0

Percentile

9.5%

JSON

In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: Prevent use after free on completion memory

On driver unload any pending descriptors are flushed at the
time the interrupt is freed:
idxd_dmaengine_drv_remove() ->
drv_disable_wq() ->
idxd_wq_free_irq() ->
idxd_flush_pending_descs().

If there are any descriptors present that need to be flushed this
flow triggers a “not present” page fault as below:

BUG: unable to handle page fault for address: ff391c97c70c9040
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page

The address that triggers the fault is the address of the
descriptor that was freed moments earlier via:
drv_disable_wq()->idxd_wq_free_resources()

Fix the use after free by freeing the descriptors after any possible
usage. This is done after idxd_wq_reset() to ensure that the memory
remains accessible during possible completion writes by the device.

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/dma/idxd/device.c"
    ],
    "versions": [
      {
        "version": "63c14ae6c161",
        "lessThan": "b9e8e3fcfec6",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "63c14ae6c161",
        "lessThan": "1beeec45f9ac",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/dma/idxd/device.c"
    ],
    "versions": [
      {
        "version": "5.19",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "5.19",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.8",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.2",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]

Related

nvd 1
vulnrichment 1
ubuntucve 1
debiancve 1
redhatcve 1
cve 1
osv 1
nvd
nvd
CVE-2022-48867
2024-08-21 07:15:03
vulnrichment
vulnrichment
CVE-2022-48867 dmaengine: idxd: Prevent use after free on completion memory
2024-08-21 06:09:57
ubuntucve
ubuntucve
CVE-2022-48867
2024-08-21 00:00:00
debiancve
debiancve
CVE-2022-48867
2024-08-21 07:15:03
redhatcve
redhatcve
CVE-2022-48867
2024-08-21 19:09:44
cve
cve
CVE-2022-48867
2024-08-21 07:15:03
osv
osv
CVE-2022-48867
2024-08-21 07:15:03

EPSS

0

Percentile

9.5%

JSON
Related for CVELIST:CVE-2022-48867
nvd1vulnrichment1ubuntucve1debiancve1redhatcve1cve1osv1