CVE-2022-48796

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48796
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48796.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-48796
Published
2024-07-16T11:43:50Z
Modified
2025-10-14T20:31:44.049882Z
Summary
iommu: Fix potential use-after-free during probe
Details

In the Linux kernel, the following vulnerability has been resolved:

iommu: Fix potential use-after-free during probe

KASAN has reported the following use-after-free on dev->iommu. When a device probe fails and it is in the process of freeing dev->iommu in the dev_iommu_free function, a deferred_probe_work_func runs in parallel and tries to access dev->iommu->fwspec in the of_iommu_configure path, thus causing a use-after-free.

BUG: KASAN: use-after-free in of_iommu_configure+0xb4/0x4a4
Read of size 8 at addr ffffff87a2f1acb8 by task kworker/u16:2/153

Workqueue: events_unbound deferred_probe_work_func
Call trace:
 dump_backtrace+0x0/0x33c
 show_stack+0x18/0x24
 dump_stack_lvl+0x16c/0x1e0
 print_address_description+0x84/0x39c
 __kasan_report+0x184/0x308
 kasan_report+0x50/0x78
 __asan_load8+0xc0/0xc4
 of_iommu_configure+0xb4/0x4a4
 of_dma_configure_id+0x2fc/0x4d4
 platform_dma_configure+0x40/0x5c
 really_probe+0x1b4/0xb74
 driver_probe_device+0x11c/0x228
 __device_attach_driver+0x14c/0x304
 bus_for_each_drv+0x124/0x1b0
 __device_attach+0x25c/0x334
 device_initial_probe+0x24/0x34
 bus_probe_device+0x78/0x134
 deferred_probe_work_func+0x130/0x1a8
 process_one_work+0x4c8/0x970
 worker_thread+0x5c8/0xaec
 kthread+0x1f8/0x220
 ret_from_fork+0x10/0x18

Allocated by task 1:
 ____kasan_kmalloc+0xd4/0x114
 __kasan_kmalloc+0x10/0x1c
 kmem_cache_alloc_trace+0xe4/0x3d4
 __iommu_probe_device+0x90/0x394
 probe_iommu_group+0x70/0x9c
 bus_for_each_dev+0x11c/0x19c
 bus_iommu_probe+0xb8/0x7d4
 bus_set_iommu+0xcc/0x13c
 arm_smmu_bus_init+0x44/0x130 [arm_smmu]
 arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]
 platform_drv_probe+0xe4/0x13c
 really_probe+0x2c8/0xb74
 driver_probe_device+0x11c/0x228
 device_driver_attach+0xf0/0x16c
 __driver_attach+0x80/0x320
 bus_for_each_dev+0x11c/0x19c
 driver_attach+0x38/0x48
 bus_add_driver+0x1dc/0x3a4
 driver_register+0x18c/0x244
 __platform_driver_register+0x88/0x9c
 init_module+0x64/0xff4 [arm_smmu]
 do_one_initcall+0x17c/0x2f0
 do_init_module+0xe8/0x378
 load_module+0x3f80/0x4a40
 __se_sys_finit_module+0x1a0/0x1e4
 __arm64_sys_finit_module+0x44/0x58
 el0_svc_common+0x100/0x264
 do_el0_svc+0x38/0xa4
 el0_svc+0x20/0x30
 el0_sync_handler+0x68/0xac
 el0_sync+0x160/0x180

Freed by task 1:
 kasan_set_track+0x4c/0x84
 kasan_set_free_info+0x28/0x4c
 ____kasan_slab_free+0x120/0x15c
 __kasan_slab_free+0x18/0x28
 slab_free_freelist_hook+0x204/0x2fc
 kfree+0xfc/0x3a4
 __iommu_probe_device+0x284/0x394
 probe_iommu_group+0x70/0x9c
 bus_for_each_dev+0x11c/0x19c
 bus_iommu_probe+0xb8/0x7d4
 bus_set_iommu+0xcc/0x13c
 arm_smmu_bus_init+0x44/0x130 [arm_smmu]
 arm_smmu_device_probe+0xb88/0xc54 [arm_smmu]
 platform_drv_probe+0xe4/0x13c
 really_probe+0x2c8/0xb74
 driver_probe_device+0x11c/0x228
 device_driver_attach+0xf0/0x16c
 __driver_attach+0x80/0x320
 bus_for_each_dev+0x11c/0x19c
 driver_attach+0x38/0x48
 bus_add_driver+0x1dc/0x3a4
 driver_register+0x18c/0x244
 __platform_driver_register+0x88/0x9c
 init_module+0x64/0xff4 [arm_smmu]
 do_one_initcall+0x17c/0x2f0
 do_init_module+0xe8/0x378
 load_module+0x3f80/0x4a40
 __se_sys_finit_module+0x1a0/0x1e4
 __arm64_sys_finit_module+0x44/0x58
 el0_svc_common+0x100/0x264
 do_el0_svc+0x38/0xa4
 el0_svc+0x20/0x30
 el0_sync_handler+0x68/0xac
 el0_sync+0x160/0x180

Fix this by setting dev->iommu to NULL first and then freeing the dev_iommu structure in the dev_iommu_free function.

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0c830e6b32826311fc2b9ea1f4679be0f4ef0933
Fixed
cb86e511e78e796de6947b8f3acca1b7c76fb2ff
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0c830e6b32826311fc2b9ea1f4679be0f4ef0933
Fixed
65ab30f6a6952fa9ee13009862736cf8d110e6e5
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0c830e6b32826311fc2b9ea1f4679be0f4ef0933
Fixed
f74fc4b5bd533ea3d30ce47cccb8ef8d21fda85a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0c830e6b32826311fc2b9ea1f4679be0f4ef0933
Fixed
b54240ad494300ff0994c4539a531727874381f4

Affected versions

v5.*

v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.10.1
v5.10.10
v5.10.100
v5.10.11
v5.10.12
v5.10.13
v5.10.14
v5.10.15
v5.10.16
v5.10.17
v5.10.18
v5.10.19
v5.10.2
v5.10.20
v5.10.21
v5.10.22
v5.10.23
v5.10.24
v5.10.25
v5.10.26
v5.10.27
v5.10.28
v5.10.29
v5.10.3
v5.10.30
v5.10.31
v5.10.32
v5.10.33
v5.10.34
v5.10.35
v5.10.36
v5.10.37
v5.10.38
v5.10.39
v5.10.4
v5.10.40
v5.10.41
v5.10.42
v5.10.43
v5.10.44
v5.10.45
v5.10.46
v5.10.47
v5.10.48
v5.10.49
v5.10.5
v5.10.50
v5.10.51
v5.10.52
v5.10.53
v5.10.54
v5.10.55
v5.10.56
v5.10.57
v5.10.58
v5.10.59
v5.10.6
v5.10.60
v5.10.61
v5.10.62
v5.10.63
v5.10.64
v5.10.65
v5.10.66
v5.10.67
v5.10.68
v5.10.69
v5.10.7
v5.10.70
v5.10.71
v5.10.72
v5.10.73
v5.10.74
v5.10.75
v5.10.76
v5.10.77
v5.10.78
v5.10.79
v5.10.8
v5.10.80
v5.10.81
v5.10.82
v5.10.83
v5.10.84
v5.10.85
v5.10.86
v5.10.87
v5.10.88
v5.10.89
v5.10.9
v5.10.90
v5.10.91
v5.10.92
v5.10.93
v5.10.94
v5.10.95
v5.10.96
v5.10.97
v5.10.98
v5.10.99
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.3
v5.15.4
v5.15.5
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.16.1
v5.16.2
v5.16.3
v5.16.4
v5.16.5
v5.16.6
v5.16.7
v5.16.8
v5.16.9
v5.17-rc1
v5.17-rc2
v5.2
v5.2-rc3
v5.2-rc4
v5.2-rc5
v5.2-rc6
v5.2-rc7
v5.3
v5.3-rc1
v5.3-rc2
v5.3-rc3
v5.3-rc4
v5.3-rc5
v5.3-rc6
v5.3-rc7
v5.3-rc8
v5.4
v5.4-rc1
v5.4-rc2
v5.4-rc3
v5.4-rc4
v5.4-rc5
v5.4-rc6
v5.4-rc7
v5.4-rc8
v5.5
v5.5-rc1
v5.5-rc2
v5.5-rc3
v5.5-rc4
v5.5-rc5
v5.5-rc6
v5.5-rc7
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8

Database specific


Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.3.0
Fixed
5.10.101
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.24
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.16.10