CVE-2022-49076

CVE-2022-49076 is a use-after-free vulnerability in the Linux kernel's RDMA/hfi1 driver, specifically affecting the handling of the task's mm struct. Under conditions such as an MPI_Abort, the hfi1 cleanup code in hfi1_mmu_rb_unregister() may drop the last reference to the mm struct, freeing it prematurely before its final use in hfi1_release_user_pages(). This allows a new task to allocate and reuse the freed mm struct while it is still in use, leading to memory corruption.

A local attacker with low privileges can exploit this vulnerability, as indicated by its CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Exploitation occurs during specific cleanup scenarios in the hfi1 driver, potentially causing corruption of the mmap_sem counter, which results in hangs during down_write() operations, or corruption of an mm struct used by another task, enabling high-impact confidentiality, integrity, and availability violations.

Mitigation involves applying the relevant stable kernel patches referenced in the CVE, including commits such as 0b7186d657ee55e2cdefae498f07d5c1961e8023, 2bbac98d0930e8161b1957dc0ec99de39ade1b3c, 5a9a1b24ddb510715f8f621263938186579a965c, 5f54364ff6cfcd14cddf5441c4a490bb28dd69f7, and 9ca11bd8222a612de0d2f54d050bfcf61ae2883f from git.kernel.org. These patches resolve the use-after-free bug (CWE-416) in the hfi1 driver.