CVE-2022-49724
Published: 26 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved: tty: goldfish: Fix free_irq() on remove Pass the correct dev_id to free_irq() to fix this splat when the driver is unbound: WARNING: CPU: 0 PID: 30 at kernel/irq/manage.c:1895 free_irq Trying to free already-free IRQ 65 Call Trace: warn_slowpath_fmt free_irq goldfish_tty_remove platform_remove device_remove device_release_driver_internal device_driver_detach unbind_store drv_attr_store ...
Security Summary
CVE-2022-49724 is a use-after-free vulnerability (CWE-416) in the Linux kernel's goldfish tty driver. The issue arises during driver unbinding, where the goldfish_tty_remove function calls free_irq() with an incorrect dev_id, triggering a kernel warning about attempting to free an already-free IRQ 65. This splat is observed in the kernel/irq/manage.c code at line 1895, as seen in the call trace involving warn_slowpath_fmt, platform_remove, and device management functions.
A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N/S:U) can exploit this vulnerability, potentially achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as indicated by its CVSS v3.1 base score of 7.8.
Mitigation is provided through kernel patches applied to stable branches, including commits such as 499e13aac6c762e1e828172b0f0f5275651d6512, 65ca4db68b6819244df9024aea4be55edf8af1ef, a6fcd7ffd76a9c1d998a2d02d518c78a55c5bed8, c4b0b8edccb0cfb15a8cecf4161e0571d3daac64, and c83a1d40dc624070a203eb383ef9fb60eb634136 available at git.kernel.org/stable. Security practitioners should ensure systems use kernel versions incorporating these fixes to prevent the faulty IRQ handling during driver removal.
Details
- CWE(s)