Executive Summary

Informations
Name CVE-2022-48649 First vendor Publication 2024-04-28
Vendor Cve Last vendor Modification 2025-01-10

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Overall CVSS Score 7.8
Base Score 7.8 Environmental Score 7.8
impact SubScore 5.9 Temporal Score 7.8
Exploitabality Sub Score 1.8
 
Attack Vector Local Attack Complexity Low
Privileges Required Low User Interaction None
Scope Unchanged Confidentiality Impact High
Integrity Impact High Availability Impact High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score N/A Attack Range N/A
Cvss Impact Score N/A Attack Complexity N/A
Cvss Expoit Score N/A Authentication N/A
Calculate full CVSS 2.0 Vectors scores

Detail

In the Linux kernel, the following vulnerability has been resolved:

mm/slab_common: fix possible double free of kmem_cache

When doing slub_debug test, kfence's 'test_memcache_typesafe_by_rcu' kunit test case cause a use-after-free error:

BUG: KASAN: use-after-free in kobject_del+0x14/0x30
Read of size 8 at addr ffff888007679090 by task kunit_try_catch/261

CPU: 1 PID: 261 Comm: kunit_try_catch Tainted: G B N 6.0.0-rc5-next-20220916 #17
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:

dump_stack_lvl+0x34/0x48
print_address_description.constprop.0+0x87/0x2a5
print_report+0x103/0x1ed
kasan_report+0xb7/0x140
kobject_del+0x14/0x30
kmem_cache_destroy+0x130/0x170
test_exit+0x1a/0x30
kunit_try_run_case+0xad/0xc0
kunit_generic_run_threadfn_adapter+0x26/0x50
kthread+0x17b/0x1b0

The cause is inside kmem_cache_destroy():

kmem_cache_destroy
acquire lock/mutex
shutdown_cache
schedule_work(kmem_cache_release) (if RCU flag set)
release lock/mutex
kmem_cache_release (if RCU flag not set)

In some certain timing, the scheduled work could be run before the next RCU flag checking, which can then get a wrong value and lead to double kmem_cache_release().

Fix it by caching the RCU flag inside protected area, just like 'refcnt'

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48649

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-416 Use After Free
50 % CWE-415 Double Free

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 8
Os 3545

Sources (Detail)

https://git.kernel.org/stable/c/c673c6ceac53fb2e631c9fbbd79957099a08927f
https://git.kernel.org/stable/c/d71608a877362becdc94191f190902fac1e64d35
Source Url

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
7
8
9
10
Date Informations
2025-03-29 03:13:16
  • Multiple Updates
2025-03-28 13:33:37
  • Multiple Updates
2025-03-28 02:55:53
  • Multiple Updates
2025-03-19 02:52:33
  • Multiple Updates
2025-03-18 03:04:14
  • Multiple Updates
2025-03-14 02:53:14
  • Multiple Updates
2025-02-22 03:01:50
  • Multiple Updates
2025-01-10 21:21:35
  • Multiple Updates
2024-11-25 09:25:57
  • Multiple Updates
2024-04-29 17:27:26
  • Multiple Updates
2024-04-28 17:27:28
  • First insertion