CVE-2022-49223

In the Linux kernel, the following vulnerability has been resolved: cxl/port: Hold port reference until decoder release KASAN + DEBUG_KOBJECT_RELEASE reports a potential use-after-free in cxl_decoder_release() where it goes to reference its parent, a cxl_port, to free its id back to port->decoder_ida. BUG: KASAN: use-after-free in to_cxl_port+0x18/0x90 [cxl_core] Read of size 8 at addr ffff888119270908 by task kworker/35:2/379 CPU: 35 PID: 379 Comm: kworker/35:2 Tainted: G OE 5.17.0-rc2+ #198 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Workqueue: events kobject_delayed_cleanup Call Trace: <TASK> dump_stack_lvl+0x59/0x73 print_address_description.constprop.0+0x1f/0x150 ? to_cxl_port+0x18/0x90 [cxl_core] kasan_report.cold+0x83/0xdf ? to_cxl_port+0x18/0x90 [cxl_core] to_cxl_port+0x18/0x90 [cxl_core] cxl_decoder_release+0x2a/0x60 [cxl_core] device_release+0x5f/0x100 kobject_cleanup+0x80/0x1c0 The device core only guarantees parent lifetime until all children are unregistered. If a child needs a parent to complete its ->release() callback that child needs to hold a reference to extend the lifetime of the parent.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/49f2dab77a5e1354f5da6ccdc9346a8212697be2	Patch
https://git.kernel.org/stable/c/518bb96367123062b48b0a9842f2864249b565f6	Patch
https://git.kernel.org/stable/c/74be98774dfbc5b8b795db726bd772e735d2edd4	Patch
https://git.kernel.org/stable/c/b0022ca445d5fc4d0c89d15dcd0f855977b22c1d	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

History

No history.

Information

Published : 2025-02-26 07:00

Updated : 2025-03-25 15:07

NVD link : CVE-2022-49223

Mitre link : CVE-2022-49223

CVE.ORG link : CVE-2022-49223

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-416

Use After Free

{"id": "CVE-2022-49223", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-02-26T07:00:59.363", "references": [{"url": "https://git.kernel.org/stable/c/49f2dab77a5e1354f5da6ccdc9346a8212697be2", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/518bb96367123062b48b0a9842f2864249b565f6", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/74be98774dfbc5b8b795db726bd772e735d2edd4", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b0022ca445d5fc4d0c89d15dcd0f855977b22c1d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/port: Hold port reference until decoder release\n\nKASAN + DEBUG_KOBJECT_RELEASE reports a potential use-after-free in\ncxl_decoder_release() where it goes to reference its parent, a cxl_port,\nto free its id back to port->decoder_ida.\n\n BUG: KASAN: use-after-free in to_cxl_port+0x18/0x90 [cxl_core]\n Read of size 8 at addr ffff888119270908 by task kworker/35:2/379\n\n CPU: 35 PID: 379 Comm: kworker/35:2 Tainted: G OE 5.17.0-rc2+ #198\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015\n Workqueue: events kobject_delayed_cleanup\n Call Trace:\n <TASK>\n dump_stack_lvl+0x59/0x73\n print_address_description.constprop.0+0x1f/0x150\n ? to_cxl_port+0x18/0x90 [cxl_core]\n kasan_report.cold+0x83/0xdf\n ? to_cxl_port+0x18/0x90 [cxl_core]\n to_cxl_port+0x18/0x90 [cxl_core]\n cxl_decoder_release+0x2a/0x60 [cxl_core]\n device_release+0x5f/0x100\n kobject_cleanup+0x80/0x1c0\n\nThe device core only guarantees parent lifetime until all children are\nunregistered. If a child needs a parent to complete its ->release()\ncallback that child needs to hold a reference to extend the lifetime of\nthe parent."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: cxl/port: Mantener la referencia del puerto hasta la liberaci\u00f3n del decodificador KASAN + DEBUG_KOBJECT_RELEASE informa un posible use-after-free en cxl_decoder_release() donde va a referenciar a su padre, un cxl_port, para liberar su id a port->decoder_ida. ERROR: KASAN: use-after-free en to_cxl_port+0x18/0x90 [cxl_core] Lectura de tama\u00f1o 8 en la direcci\u00f3n ffff888119270908 por la tarea kworker/35:2/379 CPU: 35 PID: 379 Comm: kworker/35:2 Contaminado: G OE 5.17.0-rc2+ #198 Nombre del hardware: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Cola de trabajo: eventos kobject_delayed_cleanup Rastreo de llamadas: dump_stack_lvl+0x59/0x73 print_address_description.constprop.0+0x1f/0x150 ? to_cxl_port+0x18/0x90 [cxl_core] kasan_report.cold+0x83/0xdf ? to_cxl_port+0x18/0x90 [cxl_core] to_cxl_port+0x18/0x90 [cxl_core] cxl_decoder_release+0x2a/0x60 [cxl_core] device_release+0x5f/0x100 kobject_cleanup+0x80/0x1c0 El n\u00facleo del dispositivo solo garantiza la duraci\u00f3n del elemento primario hasta que se anule el registro de todos los elementos secundarios. Si un elemento secundario necesita un elemento primario para completar su devoluci\u00f3n de llamada ->release(), ese elemento secundario debe contener una referencia para extender la duraci\u00f3n del elemento primario."}], "lastModified": "2025-03-25T15:07:53.967", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "761DDEC2-EE3F-4A67-B08A-052842A9A1A5", "versionEndExcluding": "5.15.54", "versionStartIncluding": "5.14"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "20C43679-0439-405A-B97F-685BEE50613B", "versionEndExcluding": "5.16.19", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "210C679C-CF84-44A3-8939-E629C87E54BF", "versionEndExcluding": "5.17.2", "versionStartIncluding": "5.17"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}