In the Linux kernel, the following vulnerability has been resolved:
NFC: port100: fix use-after-free in port100sendcomplete
Syzbot reported UAF in port100sendcomplete(). The root case is in missing usbkillurb() calls on error handling path of ->probe function.
port100sendcomplete() accesses devm allocated memory which will be freed on probe failure. We should kill this urbs before returning an error from probe function to prevent reported use-after-free
Fail log:
BUG: KASAN: use-after-free in port100sendcomplete+0x16e/0x1a0 drivers/nfc/port100.c:935 Read of size 1 at addr ffff88801bb59540 by task ksoftirqd/2/26 ... Call Trace: <TASK> _dumpstack lib/dumpstack.c:88 [inline] dumpstacklvl+0xcd/0x134 lib/dumpstack.c:106 printaddressdescription.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255 _kasanreport mm/kasan/report.c:442 [inline] kasanreport.cold+0x83/0xdf mm/kasan/report.c:459 port100sendcomplete+0x16e/0x1a0 drivers/nfc/port100.c:935 _usbhcdgiveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670
...
Allocated by task 1255: kasansavestack+0x1e/0x40 mm/kasan/common.c:38 kasansettrack mm/kasan/common.c:45 [inline] setallocinfo mm/kasan/common.c:436 [inline] _kasankmalloc mm/kasan/common.c:515 [inline] kasankmalloc mm/kasan/common.c:474 [inline] _kasankmalloc+0xa6/0xd0 mm/kasan/common.c:524 allocdr drivers/base/devres.c:116 [inline] devmkmalloc+0x96/0x1d0 drivers/base/devres.c:823 devmkzalloc include/linux/device.h:209 [inline] port100_probe+0x8a/0x1320 drivers/nfc/port100.c:1502
Freed by task 1255: kasansavestack+0x1e/0x40 mm/kasan/common.c:38 kasansettrack+0x21/0x30 mm/kasan/common.c:45 kasansetfreeinfo+0x20/0x30 mm/kasan/generic.c:370 kasanslabfree mm/kasan/common.c:366 [inline] _kasanslabfree+0xff/0x140 mm/kasan/common.c:328 kasanslabfree include/linux/kasan.h:236 [inline] _cachefree mm/slab.c:3437 [inline] kfree+0xf8/0x2b0 mm/slab.c:3794 releasenodes+0x112/0x1a0 drivers/base/devres.c:501 devresreleaseall+0x114/0x190 drivers/base/devres.c:530 reallyprobe+0x626/0xcc0 drivers/base/dd.c:670
{ "vanir_signatures": [ { "signature_version": "v1", "target": { "function": "port100_probe", "file": "drivers/nfc/port100.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f80cfe2f26581f188429c12bd937eb905ad3ac7b", "deprecated": false, "digest": { "length": 2955.0, "function_hash": "273440978956857076430364407816006123991" }, "id": "CVE-2022-48857-15e90706" }, { "signature_version": "v1", "target": { "function": "port100_probe", "file": "drivers/nfc/port100.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2b1c85f56512d49e43bc53741fce2f508cd90029", "deprecated": false, "digest": { "length": 2955.0, "function_hash": "273440978956857076430364407816006123991" }, "id": "CVE-2022-48857-239e842c" }, { "signature_version": "v1", "target": { "file": "drivers/nfc/port100.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@32e866ae5a7af590597ef4bcff8451bf96d5f980", "deprecated": false, "digest": { "line_hashes": [ "16461426479839705277117716419993305780", "104213228530234649437873063774061080960", "336550257817241398759859833125915795230", "6953156480032842498039356151568604804", "186145806575211454612537466872702770626" ], "threshold": 0.9 }, "id": "CVE-2022-48857-330d17c1" }, { "signature_version": "v1", "target": { "function": "port100_probe", "file": "drivers/nfc/port100.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@32e866ae5a7af590597ef4bcff8451bf96d5f980", "deprecated": false, "digest": { "length": 2955.0, "function_hash": "273440978956857076430364407816006123991" }, "id": "CVE-2022-48857-332fa473" }, { "signature_version": "v1", "target": { "file": "drivers/nfc/port100.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@205c4ec78e71cbf561794e6043da80e7bae6790f", "deprecated": false, "digest": { "line_hashes": [ "16461426479839705277117716419993305780", "104213228530234649437873063774061080960", "336550257817241398759859833125915795230", "6953156480032842498039356151568604804", "186145806575211454612537466872702770626" ], "threshold": 0.9 }, "id": "CVE-2022-48857-4984e2b7" }, { "signature_version": "v1", "target": { "file": "drivers/nfc/port100.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f80cfe2f26581f188429c12bd937eb905ad3ac7b", "deprecated": false, "digest": { "line_hashes": [ "16461426479839705277117716419993305780", "104213228530234649437873063774061080960", "336550257817241398759859833125915795230", "6953156480032842498039356151568604804", "186145806575211454612537466872702770626" ], "threshold": 0.9 }, "id": "CVE-2022-48857-6a833940" }, { "signature_version": "v1", "target": { "file": "drivers/nfc/port100.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2b1c85f56512d49e43bc53741fce2f508cd90029", "deprecated": false, "digest": { "line_hashes": [ "16461426479839705277117716419993305780", "104213228530234649437873063774061080960", "336550257817241398759859833125915795230", "6953156480032842498039356151568604804", "186145806575211454612537466872702770626" ], "threshold": 0.9 }, "id": "CVE-2022-48857-7e65fcd4" }, { "signature_version": "v1", "target": { "file": "drivers/nfc/port100.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b1db33d4e54bc35d8db96ce143ea0ef92e23d58e", "deprecated": false, "digest": { "line_hashes": [ "16461426479839705277117716419993305780", "104213228530234649437873063774061080960", "336550257817241398759859833125915795230", "6953156480032842498039356151568604804", "186145806575211454612537466872702770626" ], "threshold": 0.9 }, "id": "CVE-2022-48857-865f1dd6" }, { "signature_version": "v1", "target": { "function": "port100_probe", "file": "drivers/nfc/port100.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cd2a5c0da0d1ddf11d1f84e9c9b1949f50f6e161", "deprecated": false, "digest": { "length": 2955.0, "function_hash": "273440978956857076430364407816006123991" }, "id": "CVE-2022-48857-aa163471" }, { "signature_version": "v1", "target": { "function": "port100_probe", "file": "drivers/nfc/port100.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@205c4ec78e71cbf561794e6043da80e7bae6790f", "deprecated": false, "digest": { "length": 2902.0, "function_hash": "37694972194684333624903244831889679952" }, "id": "CVE-2022-48857-c6058fc2" }, { "signature_version": "v1", "target": { "file": "drivers/nfc/port100.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0e721b8f2ee5e11376dd55363f9ccb539d754b8a", "deprecated": false, "digest": { "line_hashes": [ "16461426479839705277117716419993305780", "104213228530234649437873063774061080960", "336550257817241398759859833125915795230", "6953156480032842498039356151568604804", "186145806575211454612537466872702770626" ], "threshold": 0.9 }, "id": "CVE-2022-48857-d677d68e" }, { "signature_version": "v1", "target": { "function": "port100_probe", "file": "drivers/nfc/port100.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b1db33d4e54bc35d8db96ce143ea0ef92e23d58e", "deprecated": false, "digest": { "length": 2955.0, "function_hash": "273440978956857076430364407816006123991" }, "id": "CVE-2022-48857-da08daed" }, { "signature_version": "v1", "target": { "file": "drivers/nfc/port100.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cd2a5c0da0d1ddf11d1f84e9c9b1949f50f6e161", "deprecated": false, "digest": { "line_hashes": [ "16461426479839705277117716419993305780", "104213228530234649437873063774061080960", "336550257817241398759859833125915795230", "6953156480032842498039356151568604804", "186145806575211454612537466872702770626" ], "threshold": 0.9 }, "id": "CVE-2022-48857-e2b82778" }, { "signature_version": "v1", "target": { "function": "port100_probe", "file": "drivers/nfc/port100.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@0e721b8f2ee5e11376dd55363f9ccb539d754b8a", "deprecated": false, "digest": { "length": 2955.0, "function_hash": "273440978956857076430364407816006123991" }, "id": "CVE-2022-48857-e84c0243" } ] }