CVE-2022-49939

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-49939

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49939.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-49939

Downstream

UBUNTU-CVE-2022-49939

Published

2025-06-18T11:15:20Z

Modified

2025-07-29T10:47:01.664636Z

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved:

binder: fix UAF of ref->proc caused by race condition

A transaction of type BINDERTYPEWEAKHANDLE can fail to increment the reference for a node. In this case, the target proc normally releases the failed reference upon close as expected. However, if the target is dying in parallel the call will race with binderdeferred_release(), so the target could have released all of its references by now leaving the cleanup of the new failed reference unhandled.

The transaction then ends and the target proc gets released making the ref->proc now a dangling pointer. Later on, ref->node is closed and we attempt to take spinlock(&ref->proc->innerlock), which leads to the use-after-free bug reported below. Let's fix this by cleaning up the failed reference on the spot instead of relying on the target to do so.

================================================================== BUG: KASAN: use-after-free in rawspin_lock+0xa8/0x150 Write of size 4 at addr ffff5ca207094238 by task kworker/1:0/590

CPU: 1 PID: 590 Comm: kworker/1:0 Not tainted 5.19.0-rc8 #10 Hardware name: linux,dummy-virt (DT) Workqueue: events binderdeferredfunc Call trace: dumpbacktrace.part.0+0x1d0/0x1e0 showstack+0x18/0x70 dumpstacklvl+0x68/0x84 printreport+0x2e4/0x61c kasanreport+0xa4/0x110 kasancheckrange+0xfc/0x1a4 _kasancheckwrite+0x3c/0x50 _rawspinlock+0xa8/0x150 binderdeferredfunc+0x5e0/0x9b0 processonework+0x38c/0x5f0 workerthread+0x9c/0x694 kthread+0x188/0x190 retfromfork+0x10/0x20

References

Affected packages

Debian:11 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.10.148-1

Affected versions

5.*

5.10.46-4

5.10.46-5

5.10.70-1~bpo10+1

5.10.70-1

5.10.84-1

5.10.92-1~bpo10+1

5.10.92-1

5.10.92-2

5.10.103-1~bpo10+1

5.10.103-1

5.10.106-1

5.10.113-1

5.10.120-1~bpo10+1

5.10.120-1

5.10.127-1

5.10.127-2~bpo10+1

5.10.127-2

5.10.136-1

5.10.140-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.19.11-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.19.11-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}