CVE-2022-48857
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-48857
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48857.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-48857
- Downstream
- Related
- Published
- 2024-07-16T13:15:12Z
- Modified
- 2025-08-09T19:01:26Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
NFC: port100: fix use-after-free in port100sendcomplete
Syzbot reported UAF in port100sendcomplete(). The root case is in missing usbkillurb() calls on error handling path of ->probe function.
port100sendcomplete() accesses devm allocated memory which will be freed on probe failure. We should kill this urbs before returning an error from probe function to prevent reported use-after-free
Fail log:
BUG: KASAN: use-after-free in port100sendcomplete+0x16e/0x1a0 drivers/nfc/port100.c:935 Read of size 1 at addr ffff88801bb59540 by task ksoftirqd/2/26 ... Call Trace: <TASK> _dumpstack lib/dumpstack.c:88 [inline] dumpstacklvl+0xcd/0x134 lib/dumpstack.c:106 printaddressdescription.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255 _kasanreport mm/kasan/report.c:442 [inline] kasanreport.cold+0x83/0xdf mm/kasan/report.c:459 port100sendcomplete+0x16e/0x1a0 drivers/nfc/port100.c:935 _usbhcdgiveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670
...
Allocated by task 1255: kasansavestack+0x1e/0x40 mm/kasan/common.c:38 kasansettrack mm/kasan/common.c:45 [inline] setallocinfo mm/kasan/common.c:436 [inline] _kasankmalloc mm/kasan/common.c:515 [inline] kasankmalloc mm/kasan/common.c:474 [inline] _kasankmalloc+0xa6/0xd0 mm/kasan/common.c:524 allocdr drivers/base/devres.c:116 [inline] devmkmalloc+0x96/0x1d0 drivers/base/devres.c:823 devmkzalloc include/linux/device.h:209 [inline] port100_probe+0x8a/0x1320 drivers/nfc/port100.c:1502
Freed by task 1255: kasansavestack+0x1e/0x40 mm/kasan/common.c:38 kasansettrack+0x21/0x30 mm/kasan/common.c:45 kasansetfreeinfo+0x20/0x30 mm/kasan/generic.c:370 kasanslabfree mm/kasan/common.c:366 [inline] _kasanslabfree+0xff/0x140 mm/kasan/common.c:328 kasanslabfree include/linux/kasan.h:236 [inline] _cachefree mm/slab.c:3437 [inline] kfree+0xf8/0x2b0 mm/slab.c:3794 releasenodes+0x112/0x1a0 drivers/base/devres.c:501 devresreleaseall+0x114/0x190 drivers/base/devres.c:530 reallyprobe+0x626/0xcc0 drivers/base/dd.c:670
- References
-
- https://git.kernel.org/stable/c/0e721b8f2ee5e11376dd55363f9ccb539d754b8a
- https://git.kernel.org/stable/c/205c4ec78e71cbf561794e6043da80e7bae6790f
- https://git.kernel.org/stable/c/2b1c85f56512d49e43bc53741fce2f508cd90029
- https://git.kernel.org/stable/c/32e866ae5a7af590597ef4bcff8451bf96d5f980
- https://git.kernel.org/stable/c/7194737e1be8fdc89d2a9382bd2f371f7ee2eda8
- https://git.kernel.org/stable/c/b1db33d4e54bc35d8db96ce143ea0ef92e23d58e
- https://git.kernel.org/stable/c/cd2a5c0da0d1ddf11d1f84e9c9b1949f50f6e161
- https://git.kernel.org/stable/c/f80cfe2f26581f188429c12bd937eb905ad3ac7b