CVE-2022-48867

HIGH

Linux Kernel 5.19-6.1.8 - Use-After-Free in DMA Engine Completion Memory

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Prevent use after free on completion memory On driver unload any pending descriptors are flushed at the time the interrupt is freed: idxd_dmaengine_drv_remove() -> drv_disable_wq() -> idxd_wq_free_irq() -> idxd_flush_pending_descs(). If there are any descriptors present that need to be flushed this flow triggers a "not present" page fault as below: BUG: unable to handle page fault for address: ff391c97c70c9040 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page The address that triggers the fault is the address of the descriptor that was freed moments earlier via: drv_disable_wq()->idxd_wq_free_resources() Fix the use after free by freeing the descriptors after any possible usage. This is done after idxd_wq_reset() to ensure that the memory remains accessible during possible completion writes by the device.

References (2)

Core 2

Core References

Patch

https://git.kernel.org/stable/c/b9e8e3fcfec625fc1c2f68f684448aeeb882625b

Patch

https://git.kernel.org/stable/c/1beeec45f9ac31eba52478379f70a5fa9c2ad005

Scores

CVSS v3 7.8

EPSS 0.0023

EPSS Percentile 14.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-416

Status published

Products (8)

linux/Kernel 5.19.0 - 6.1.8linux

Linux/Linux < 5.19

Linux/Linux 5.19

Linux/Linux 6.1.8 - 6.1.*

Linux/Linux 6.2

Linux/Linux 63c14ae6c161dec8ff3be49277edc75a769e054a - 1beeec45f9ac31eba52478379f70a5fa9c2ad005

Linux/Linux 63c14ae6c161dec8ff3be49277edc75a769e054a - b9e8e3fcfec625fc1c2f68f684448aeeb882625b

linux/linux_kernel 5.19 - 6.1.8

Published Aug 21, 2024

Tracked Since Feb 18, 2026