CVE-2022-49223
Published: 26 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved:

cxl/port: Hold port reference until decoder release

KASAN + DEBUG_KOBJECT_RELEASE reports a potential use-after-free in cxl_decoder_release() where it goes to reference its parent, a cxl_port, to free its id back to port->decoder_ida.

BUG: KASAN: use-after-free in to_cxl_port+0x18/0x90 [cxl_core]
Read of size 8 at addr ffff888119270908 by task kworker/35:2/379
CPU: 35 PID: 379 Comm: kworker/35:2 Tainted: G OE 5.17.0-rc2+ #198
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Workqueue: events kobject_delayed_cleanup
Call Trace:
<TASK>
dump_stack_lvl+0x59/0x73
print_address_description.constprop.0+0x1f/0x150
? to_cxl_port+0x18/0x90 [cxl_core]
kasan_report.cold+0x83/0xdf
? to_cxl_port+0x18/0x90 [cxl_core]
to_cxl_port+0x18/0x90 [cxl_core]
cxl_decoder_release+0x2a/0x60 [cxl_core]
device_release+0x5f/0x100
kobject_cleanup+0x80/0x1c0

The device core only guarantees parent lifetime until all children are unregistered. If a child needs a parent to complete its ->release() callback that child needs to hold a reference to extend the lifetime of the parent.
Security Summary
CVE-2022-49223 is a use-after-free vulnerability in the Linux kernel's CXL (Compute Express Link) subsystem, in the cxl/port code of the cxl_core module. The defect is in cxl_decoder_release(): when a decoder device is released it dereferences its parent cxl_port to return its id to port->decoder_ida, but the device core only keeps a parent alive until its children are unregistered, not until their release callbacks have run. If the port's last reference is dropped before the decoder's delayed cleanup executes, the release callback reads freed memory. The report above comes from a KASAN build with DEBUG_KOBJECT_RELEASE enabled (which defers kobject release to the kobject_delayed_cleanup workqueue and so widens the window) on a 5.17.0-rc2 development kernel, and shows an 8-byte read of the freed port from to_cxl_port(). The vulnerability is classified under CWE-416 and carries a CVSS v3.1 base score of 7.8.
The CVSS vector describes a local attacker with low privileges, low attack complexity and no user interaction, with high impact to confidentiality, integrity and availability; a kernel use-after-free of this kind can in principle lead to a crash, privilege escalation or arbitrary code execution in kernel context. In practice the window only opens during CXL port and decoder teardown (the port being unregistered while a decoder's release is still pending), so affected systems are those with CXL hardware or emulation where that teardown path can be driven.
Mitigation is to apply the upstream fix or the backports in the referenced stable commits: 49f2dab77a5e1354f5da6ccdc9346a8212697be2, 518bb96367123062b48b0a9842f2864249b565f6, 74be98774dfbc5b8b795db726bd772e735d2edd4, and b0022ca445d5fc4d0c89d15dcd0f855977b22c1d. The fix makes the decoder take its own reference on the parent port when it is created and drop it in its release callback only after the id has been returned, which is the lifetime rule the device core requires of any child whose ->release() needs its parent.
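The ordering problem and the reference-holding fix can be played out in user space. The following is an added illustration written for this page, not the kernel's cxl_core code: it models kobject-style refcounting with a tiny mdev/mport/mdecoder scheme (all hypothetical names), records whether the parent had already been released when the child's release ran, and compares the unfixed path with the path where the decoder pins its port, as the fix does with get_device()/put_device().

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space model (an illustration, not kernel code) of the device-core
 * rule quoted in the description: a parent is released when its own
 * refcount reaches zero, which can happen before a child's ->release()
 * runs unless the child pins the parent with a reference of its own. */

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct mdev {                       /* stands in for struct device/kobject */
    int refcount;
    bool released;                  /* set by ->release(); touching the object after this is the bug */
    void (*release)(struct mdev *);
};

static void mdev_get(struct mdev *d) { d->refcount++; }
static void mdev_put(struct mdev *d) { if (--d->refcount == 0) d->release(d); }

#define MAX_DECODERS 4

struct mport {                      /* stands in for struct cxl_port */
    struct mdev dev;
    bool decoder_ida[MAX_DECODERS]; /* stands in for port->decoder_ida */
};

struct mdecoder {                   /* stands in for struct cxl_decoder */
    struct mdev dev;
    struct mport *port;             /* parent */
    int id;
    bool holds_port_ref;            /* true = the fixed behaviour */
    bool parent_was_released;       /* recorded by decoder_release() for inspection */
};

static void port_release(struct mdev *d)
{
    struct mport *port = container_of(d, struct mport, dev);
    port->dev.released = true;      /* the kernel would free the port here */
}

static int port_alloc_id(struct mport *port)
{
    for (int i = 0; i < MAX_DECODERS; i++)
        if (!port->decoder_ida[i]) { port->decoder_ida[i] = true; return i; }
    return -1;
}

static void decoder_release(struct mdev *d)
{
    struct mdecoder *cxld = container_of(d, struct mdecoder, dev);
    struct mport *port = cxld->port;

    /* This dereference of the parent is what KASAN flagged in cxl_decoder_release(). */
    cxld->parent_was_released = port->dev.released;
    port->decoder_ida[cxld->id] = false;    /* ida_free(&port->decoder_ida, cxld->id) */
    if (cxld->holds_port_ref)
        mdev_put(&port->dev);               /* fix: drop the pin only after the id is back */
    cxld->dev.released = true;
}

static struct mdecoder *decoder_alloc(struct mport *port, bool hold_port_ref)
{
    struct mdecoder *cxld = calloc(1, sizeof *cxld);
    if (!cxld) return NULL;
    cxld->dev.refcount = 1;
    cxld->dev.release = decoder_release;
    cxld->port = port;
    cxld->id = port_alloc_id(port);
    cxld->holds_port_ref = hold_port_ref;
    if (hold_port_ref)
        mdev_get(&port->dev);               /* fix: take the parent reference at allocation */
    return cxld;
}

/* Plays out the order from the report: the port's own reference goes away
 * first, the decoder's delayed cleanup runs afterwards. Returns true when
 * the decoder's release found its parent alive and then released it itself. */
static bool teardown_keeps_parent_alive(bool hold_port_ref)
{
    struct mport *port = calloc(1, sizeof *port);
    if (!port) return false;
    port->dev.refcount = 1;
    port->dev.release = port_release;

    struct mdecoder *cxld = decoder_alloc(port, hold_port_ref);
    if (!cxld) { free(port); return false; }

    mdev_put(&port->dev);   /* port unregistered, its reference dropped */
    mdev_put(&cxld->dev);   /* kobject_delayed_cleanup -> decoder_release */

    bool alive = !cxld->parent_was_released;
    bool port_released_by_child = port->dev.released;
    free(cxld);
    free(port);
    return alive && port_released_by_child;
}

int main(void)
{
    printf("without port ref: parent alive at release = %d\n", teardown_keeps_parent_alive(false));
    printf("with port ref:    parent alive at release = %d\n", teardown_keeps_parent_alive(true));
    return 0;
}
```

In the model the port's memory is never actually freed, so the unfixed path writes into a "released" object rather than crashing; in the kernel that same write lands in memory the allocator may already have reused, which is why KASAN reports it as a use-after-free rather than a benign ordering quirk.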
Details
- CWE(s)