CVE-2022-49419
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-49419
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49419.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-49419
- Related
- Published
- 2025-02-26T07:01:18Z
- Modified
- 2025-03-24T19:57:48Z
- Downstream
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
video: fbdev: vesafb: Fix a use-after-free due early fb_info cleanup
Commit b3c9a924aab6 ("fbdev: vesafb: Cleanup fbinfo in .fbdestroy rather than .remove") fixed a use-after-free error due the vesafb driver freeing the fbinfo in the .remove handler instead of doing it in .fbdestroy.
This can happen if the .fb_destroy callback is executed after the .remove callback, since the former tries to access a pointer freed by the latter.
But that change didn't take into account that another possible scenario is that .fb_destroy is called before the .remove callback. For example, if no process has the fbdev chardev opened by the time the driver is removed.
If that's the case, fbinfo will be freed when unregisterframebuffer() is called, making the fbinfo pointer accessed in vesafbremove() after that to no longer be valid.
To prevent that, move the expression containing the info->par to happen before the unregister_framebuffer() function call.
- References
-
- https://git.kernel.org/stable/c/0fac5f8fb1bc2fc4f8714bf5e743c9cc3f547c63
- https://git.kernel.org/stable/c/acde4003efc16480375543638484d8f13f2e99a3
- https://git.kernel.org/stable/c/d260cad015945d1f4bb9b028a096f648506106a2
- https://git.kernel.org/stable/c/f605f5558ecc175ec70016a3c15f007cb6386531
- https://security-tracker.debian.org/tracker/CVE-2022-49419
Affected packages
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source