DEBIAN-CVE-2022-48869

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2022-48869
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2022-48869.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2022-48869
Upstream
Published
2024-08-21T07:15:04Z
Modified
2025-09-30T05:17:26.263138Z
Severity
  • 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved: USB: gadgetfs: Fix race between mounting and unmounting The syzbot fuzzer and Gerald Lee have identified a use-after-free bug in the gadgetfs driver, involving processes concurrently mounting and unmounting the gadgetfs filesystem. In particular, gadgetfsfillsuper() can race with gadgetfskillsb(), causing the latter to deallocate thedevice while the former is using it. The output from KASAN says, in part: BUG: KASAN: use-after-free in instrumentatomicreadwrite include/linux/instrumented.h:102 [inline] BUG: KASAN: use-after-free in atomicfetchsubrelease include/linux/atomic/atomic-instrumented.h:176 [inline] BUG: KASAN: use-after-free in _refcountsubandtest include/linux/refcount.h:272 [inline] BUG: KASAN: use-after-free in _refcountdecandtest include/linux/refcount.h:315 [inline] BUG: KASAN: use-after-free in refcountdecandtest include/linux/refcount.h:333 [inline] BUG: KASAN: use-after-free in putdev drivers/usb/gadget/legacy/inode.c:159 [inline] BUG: KASAN: use-after-free in gadgetfskillsb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086 Write of size 4 at addr ffff8880276d7840 by task syz-executor126/18689 CPU: 0 PID: 18689 Comm: syz-executor126 Not tainted 6.1.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: <TASK> ... atomicfetchsubrelease include/linux/atomic/atomic-instrumented.h:176 [inline] _refcountsubandtest include/linux/refcount.h:272 [inline] _refcountdecandtest include/linux/refcount.h:315 [inline] refcountdecandtest include/linux/refcount.h:333 [inline] putdev drivers/usb/gadget/legacy/inode.c:159 [inline] gadgetfskillsb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086 deactivatelockedsuper+0xa7/0xf0 fs/super.c:332 vfsgetsuper fs/super.c:1190 [inline] gettreesingle+0xd0/0x160 fs/super.c:1207 vfsgettree+0x88/0x270 fs/super.c:1531 vfsfsconfiglocked fs/fsopen.c:232 [inline] The simplest solution is to ensure that gadgetfsfillsuper() and gadgetfskillsb() are serialized by making them both acquire a new mutex.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.178-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.8-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.8-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.8-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}