CVE-2022-49455
Published: 26 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved:

misc: ocxl: fix possible double free in ocxl_file_register_afu

info_release() will be called in device_unregister() when info->dev's reference count is 0. So there is no need to call ocxl_afu_put() and kfree() again.

Fix this by adding free_minor() and return to err_unregister error path.
Security Summary
CVE-2022-49455 is a double free vulnerability (CWE-415) in the Linux kernel's misc: ocxl component, specifically within the ocxl_file_register_afu function. The issue occurs because info_release() is automatically invoked during device_unregister() when the info->dev reference count reaches zero, rendering subsequent calls to ocxl_afu_put() and kfree() redundant and potentially causing a double free.
The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it requires local access, low attack complexity, and low privileges with no user interaction. A successful local attacker could leverage the double free to achieve high impacts on confidentiality, integrity, and availability, potentially leading to memory corruption or kernel instability.
Kernel stable patches resolve the issue by adding a free_minor() call and an early return in the err_unregister error path, as detailed in the following commits:
- https://git.kernel.org/stable/c/252768d32e92c1214aeebb5fec0844ca479bcf5c
- https://git.kernel.org/stable/c/8fb674216835e1f0c143762696d645facebb4685
- https://git.kernel.org/stable/c/950cf957fe34d40d63dfa3bf3968210430b6491e
- https://git.kernel.org/stable/c/9e9087cf34ee69f4e95d146ac29385d6e367a97b
- https://git.kernel.org/stable/c/de65c32ace9aa70d51facc61ba986607075e3a25

Security practitioners should ensure affected Linux kernel versions are updated with these fixes.
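The error-path pattern described above, as an added userspace C model (not the kernel's code and not taken from the patches): counters stand in for kfree() and the reference counts, so the second free shows up as a number instead of corrupting memory. All `model_*` names, the struct layouts, the forced failure and the ordering of the minor release are assumptions of this sketch.

```c
#include <stdio.h>

/* Userspace model: counters replace real frees so the double free is observable. */
struct afu  { int refs; };
struct info { int dev_refs; int frees; int minor_frees; struct afu *afu; };

static void model_kfree(struct info *i)      { i->frees++; }
static void model_afu_put(struct afu *a)     { a->refs--; }
static void model_free_minor(struct info *i) { i->minor_frees++; }

/* Release callback: runs when the last device reference is dropped. */
static void model_info_release(struct info *i)
{
    model_afu_put(i->afu);
    model_kfree(i);
}

static void model_device_unregister(struct info *i)
{
    if (--i->dev_refs == 0)
        model_info_release(i);
}

/* Registration where a step after device registration fails (constructed failure).
 * fixed == 0 models the pre-fix error path, fixed != 0 the corrected one. */
static int model_register_afu(struct info *i, struct afu *a, int fixed)
{
    int rc = -1;
    i->dev_refs = 1; i->frees = 0; i->minor_frees = 0;
    i->afu = a; a->refs++;          /* reference taken for info->afu */
    if (fixed) {                    /* err_unregister with free_minor() and return */
        model_free_minor(i);        /* touches info, so done before the last put */
        model_device_unregister(i); /* release callback puts the afu, frees info */
        return rc;
    }
    model_device_unregister(i);     /* release callback already cleaned up ... */
    model_afu_put(a);               /* ... so this is an extra put */
    model_free_minor(i);
    model_kfree(i);                 /* ... and this is the second free */
    return rc;
}

int main(void)
{
    struct afu a = { .refs = 1 }; struct info i;
    model_register_afu(&i, &a, 0);
    printf("pre-fix: frees=%d afu_refs=%d\n", i.frees, a.refs);
    a.refs = 1; model_register_afu(&i, &a, 1);
    printf("fixed:   frees=%d afu_refs=%d\n", i.frees, a.refs);
}
```

In the pre-fix path the model also shows the AFU reference count dropping one below the caller's own reference, which is the unbalanced ocxl_afu_put() the description mentions alongside the repeated kfree().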
Details
- CWE(s)