CVE-2022-49939

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49939
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49939.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-49939
Downstream
Published
2025-06-18T11:15:20Z
Modified
2025-07-29T10:47:01.664636Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

binder: fix UAF of ref->proc caused by race condition

A transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment the reference for a node. In this case, the target proc normally releases the failed reference upon close as expected. However, if the target is dying in parallel the call will race with binder_deferred_release(), so the target could have released all of its references by now leaving the cleanup of the new failed reference unhandled.

The transaction then ends and the target proc gets released making the ref->proc now a dangling pointer. Later on, ref->node is closed and we attempt to take spin_lock(&ref->proc->inner_lock), which leads to the use-after-free bug reported below. Let's fix this by cleaning up the failed reference on the spot instead of relying on the target to do so.

==================================================================
BUG: KASAN: use-after-free in _raw_spin_lock+0xa8/0x150
Write of size 4 at addr ffff5ca207094238 by task kworker/1:0/590

CPU: 1 PID: 590 Comm: kworker/1:0 Not tainted 5.19.0-rc8 #10
Hardware name: linux,dummy-virt (DT)
Workqueue: events binder_deferred_func
Call trace:
 dump_backtrace.part.0+0x1d0/0x1e0
 show_stack+0x18/0x70
 dump_stack_lvl+0x68/0x84
 print_report+0x2e4/0x61c
 kasan_report+0xa4/0x110
 kasan_check_range+0xfc/0x1a4
 __kasan_check_write+0x3c/0x50
 _raw_spin_lock+0xa8/0x150
 binder_deferred_func+0x5e0/0x9b0
 process_one_work+0x38c/0x5f0
 worker_thread+0x9c/0x694
 kthread+0x188/0x190
 ret_from_fork+0x10/0x20

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
5.10.148-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
5.19.11-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
5.19.11-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}