In the Linux kernel, the following vulnerability has been resolved:
ubi: ubi_create_volume: Fix use-after-free when volume creation failed
There is a use-after-free problem for 'eba_tbl' in ubi_create_volume()'s error handling path:
  ubi_eba_replace_table(vol, eba_tbl)
    vol->eba_tbl = tbl
out_mapping:
  ubi_eba_destroy_table(eba_tbl)   // Free 'eba_tbl'
out_unlock:
  put_device(&vol->dev)
    vol_release
      kfree(tbl->entries)          // UAF
Fix it by removing redundant 'eba_tbl' releasing. Fetch a reproducer in [Link].
[
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1174ab8ba36a48025b68b5ff1085000b1e510217",
"id": "CVE-2022-49388-00756fcc",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/mtd/ubi/vmt.c"
},
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"147866944009643688307198656940233824650",
"274720260499595690212016394403710496715",
"325789676298455435038649528430701287357",
"240326672968394975723886749639450539935"
]
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@25ff1e3a1351c0d936dd1ac2f9e58231ea1510c9",
"id": "CVE-2022-49388-0666f1b5",
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "ubi_create_volume",
"file": "drivers/mtd/ubi/vmt.c"
},
"signature_type": "Function",
"digest": {
"length": 4564.0,
"function_hash": "99846569126460741002028373567957662706"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5ff2514e4fb55dcf3d88294686040ca73ea0c1a2",
"id": "CVE-2022-49388-4d7ae813",
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "ubi_create_volume",
"file": "drivers/mtd/ubi/vmt.c"
},
"signature_type": "Function",
"digest": {
"length": 4709.0,
"function_hash": "317985512468432433642808775180206963011"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@abb67043060f2bf4c03d7c3debb9ae980e2b6db3",
"id": "CVE-2022-49388-505a2919",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/mtd/ubi/vmt.c"
},
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"147866944009643688307198656940233824650",
"274720260499595690212016394403710496715",
"325789676298455435038649528430701287357",
"240326672968394975723886749639450539935"
]
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@25ff1e3a1351c0d936dd1ac2f9e58231ea1510c9",
"id": "CVE-2022-49388-5a066831",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/mtd/ubi/vmt.c"
},
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"147866944009643688307198656940233824650",
"274720260499595690212016394403710496715",
"325789676298455435038649528430701287357",
"240326672968394975723886749639450539935"
]
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e27ecf325e51abd06aaefba57a6322a46fa4178b",
"id": "CVE-2022-49388-5e4c1d40",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/mtd/ubi/vmt.c"
},
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"147866944009643688307198656940233824650",
"274720260499595690212016394403710496715",
"325789676298455435038649528430701287357",
"240326672968394975723886749639450539935"
]
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6d8d3f68cbecfd31925796f0fb668eb21ab06734",
"id": "CVE-2022-49388-7bc0fb9b",
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "ubi_create_volume",
"file": "drivers/mtd/ubi/vmt.c"
},
"signature_type": "Function",
"digest": {
"length": 4709.0,
"function_hash": "317985512468432433642808775180206963011"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@abb67043060f2bf4c03d7c3debb9ae980e2b6db3",
"id": "CVE-2022-49388-9d52f6d6",
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "ubi_create_volume",
"file": "drivers/mtd/ubi/vmt.c"
},
"signature_type": "Function",
"digest": {
"length": 4709.0,
"function_hash": "317985512468432433642808775180206963011"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@6d8d3f68cbecfd31925796f0fb668eb21ab06734",
"id": "CVE-2022-49388-c47ebbe4",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/mtd/ubi/vmt.c"
},
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"147866944009643688307198656940233824650",
"274720260499595690212016394403710496715",
"325789676298455435038649528430701287357",
"240326672968394975723886749639450539935"
]
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1174ab8ba36a48025b68b5ff1085000b1e510217",
"id": "CVE-2022-49388-c5b6a1a3",
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "ubi_create_volume",
"file": "drivers/mtd/ubi/vmt.c"
},
"signature_type": "Function",
"digest": {
"length": 4709.0,
"function_hash": "317985512468432433642808775180206963011"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8302620aeb940f386817321d272b12411ae7d39f",
"id": "CVE-2022-49388-c666eb77",
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "ubi_create_volume",
"file": "drivers/mtd/ubi/vmt.c"
},
"signature_type": "Function",
"digest": {
"length": 4709.0,
"function_hash": "317985512468432433642808775180206963011"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e27ecf325e51abd06aaefba57a6322a46fa4178b",
"id": "CVE-2022-49388-d16c39ca",
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "ubi_create_volume",
"file": "drivers/mtd/ubi/vmt.c"
},
"signature_type": "Function",
"digest": {
"length": 4709.0,
"function_hash": "317985512468432433642808775180206963011"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8302620aeb940f386817321d272b12411ae7d39f",
"id": "CVE-2022-49388-d3389ac9",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/mtd/ubi/vmt.c"
},
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"147866944009643688307198656940233824650",
"274720260499595690212016394403710496715",
"325789676298455435038649528430701287357",
"240326672968394975723886749639450539935"
]
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5ff2514e4fb55dcf3d88294686040ca73ea0c1a2",
"id": "CVE-2022-49388-e7875fff",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/mtd/ubi/vmt.c"
},
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"147866944009643688307198656940233824650",
"274720260499595690212016394403710496715",
"325789676298455435038649528430701287357",
"240326672968394975723886749639450539935"
]
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8c03a1c21d72210f81cb369cc528e3fde4b45411",
"id": "CVE-2022-49388-ecb8ff8b",
"deprecated": false,
"signature_version": "v1",
"target": {
"function": "ubi_create_volume",
"file": "drivers/mtd/ubi/vmt.c"
},
"signature_type": "Function",
"digest": {
"length": 4709.0,
"function_hash": "317985512468432433642808775180206963011"
}
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8c03a1c21d72210f81cb369cc528e3fde4b45411",
"id": "CVE-2022-49388-fec43726",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/mtd/ubi/vmt.c"
},
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"147866944009643688307198656940233824650",
"274720260499595690212016394403710496715",
"325789676298455435038649528430701287357",
"240326672968394975723886749639450539935"
]
}
}
]