CVE-2022-49359
Published: 26 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved:
drm/panfrost: Job should reference MMU not file_priv
For a while now it's been allowed for an MMU context to outlive its corresponding panfrost_priv, however the job structure still references panfrost_priv to get hold of the MMU context. If panfrost_priv has been freed this is a use-after-free which I've been able to trigger resulting in a splat. To fix this, drop the reference to panfrost_priv in the job structure and add a direct reference to the MMU structure which is what's actually needed.
Security Summary
CVE-2022-49359 is a use-after-free vulnerability in the Linux kernel's drm/panfrost driver. The MMU context is allowed to outlive the per-file panfrost_priv structure, but the job structure reached the MMU context indirectly through its panfrost_priv pointer rather than holding a reference to the MMU context itself. A job that is still in flight after panfrost_priv has been freed therefore dereferences freed memory, a use-after-free that has been observed to trigger kernel splats.
A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N) can exploit this vulnerability. Successful exploitation results in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 7.8. The attacker requires local access but no user interaction; in the kernel context, a use-after-free of this kind can lead to arbitrary code execution, privilege escalation, or a system crash.
Mitigation involves applying the upstream kernel patches referenced in the stable repository commits: 472dd7ea5e19a1aeabf1711ddc756777e05ee7c2, 6e516faf04317db2c46cbec4e3b78b4653a5b109, and 8c8e8cc91a6ffc79865108279a74fd57d9070a17. These patches drop the job structure's reference to panfrost_priv and give the job a direct reference to the MMU structure, the object it actually needs.
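The lifetime rule behind the fix, as an added userland model that is not the panfrost driver's own code: the job holds its own counted reference on the object it needs (the MMU context) rather than reaching it through the per-file private data, so closing the file before the job completes no longer leaves the job with a dangling pointer. Structure and function names, and the sample address-space id, are constructed for illustration.

```c
#include <stdlib.h>

/* Constructed model of the CVE-2022-49359 fix (not kernel code):
 * the MMU context is reference counted, the file's private data and
 * each job own one reference apiece, and the job never touches the
 * private data after it has been created. */
struct mmu_ctx {
    int refcount;
    unsigned long as;          /* address space id, constructed sample value */
};
struct file_priv {
    struct mmu_ctx *mmu;       /* the file's own reference */
};
struct job {
    struct mmu_ctx *mmu;       /* direct counted reference: the fix */
};

static struct mmu_ctx *mmu_get(struct mmu_ctx *m) { m->refcount++; return m; }
static void mmu_put(struct mmu_ctx *m) { if (--m->refcount == 0) free(m); }

struct file_priv *file_open(unsigned long as) {
    struct file_priv *p = calloc(1, sizeof *p);
    p->mmu = calloc(1, sizeof *p->mmu);
    p->mmu->refcount = 1;
    p->mmu->as = as;
    return p;
}
/* Closing the file drops only the file's reference; the MMU context
 * stays alive while any in-flight job still holds one. */
void file_close(struct file_priv *p) { mmu_put(p->mmu); free(p); }

struct job *job_create(struct file_priv *p) {
    struct job *j = calloc(1, sizeof *j);
    j->mmu = mmu_get(p->mmu); /* take the MMU, not file_priv */
    return j;
}
/* Job completion uses the MMU it holds and then releases it. */
unsigned long job_run_and_free(struct job *j) {
    unsigned long as = j->mmu->as;
    mmu_put(j->mmu);
    free(j);
    return as;
}
/* The scenario from the advisory: file closed before the job completes. */
unsigned long scenario_file_closed_before_job(void) {
    struct file_priv *p = file_open(7);
    struct job *j = job_create(p);
    file_close(p);              /* priv freed; MMU refcount drops to 1 */
    return job_run_and_free(j); /* still valid, returns 7 */
}
```

With the pre-fix layout the job would instead dereference p->mmu after file_close, which is exactly the freed access the advisory describes.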
Details
- CWE(s)