CVE-2022-49939

{"id": "CVE-2022-49939", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.0, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.0}]}, "published": "2025-06-18T11:15:20.793", "references": [{"url": "https://git.kernel.org/stable/c/06e5b43ca4dab06a92bf4c2f33766e6fb11b880a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/229f47603dd306bc0eb1a831439adb8e48bb0eae", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/30d0901b307f27d36b2655fb3048cf31ee0e89c0", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/603a47f2ae56bf68288784d3c0a8c5b8e0a827ed", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9629f2dfdb1dad294b468038ff8e161e94d0b609", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a0e44c64b6061dda7e00b7c458e4523e2331b739", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c2a4b5dc8fa71af73bab704d0cac42ac39767ed6", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-362"}, {"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix UAF of ref->proc caused by race condition\n\nA transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment the\nreference for a node. In this case, the target proc normally releases\nthe failed reference upon close as expected. However, if the target is\ndying in parallel the call will race with binder_deferred_release(), so\nthe target could have released all of its references by now leaving the\ncleanup of the new failed reference unhandled.\n\nThe transaction then ends and the target proc gets released making the\nref->proc now a dangling pointer. Later on, ref->node is closed and we\nattempt to take spin_lock(&ref->proc->inner_lock), which leads to the\nuse-after-free bug reported below. Let's fix this by cleaning up the\nfailed reference on the spot instead of relying on the target to do so.\n\n ==================================================================\n BUG: KASAN: use-after-free in _raw_spin_lock+0xa8/0x150\n Write of size 4 at addr ffff5ca207094238 by task kworker/1:0/590\n\n CPU: 1 PID: 590 Comm: kworker/1:0 Not tainted 5.19.0-rc8 #10\n Hardware name: linux,dummy-virt (DT)\n Workqueue: events binder_deferred_func\n Call trace:\n dump_backtrace.part.0+0x1d0/0x1e0\n show_stack+0x18/0x70\n dump_stack_lvl+0x68/0x84\n print_report+0x2e4/0x61c\n kasan_report+0xa4/0x110\n kasan_check_range+0xfc/0x1a4\n __kasan_check_write+0x3c/0x50\n _raw_spin_lock+0xa8/0x150\n binder_deferred_func+0x5e0/0x9b0\n process_one_work+0x38c/0x5f0\n worker_thread+0x9c/0x694\n kthread+0x188/0x190\n ret_from_fork+0x10/0x20"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: binder: arreglo UAF de ref->proc causado por condici\u00f3n de ejecuci\u00f3n Una transacci\u00f3n de tipo BINDER_TYPE_WEAK_HANDLE puede fallar al incrementar la referencia para un nodo. En este caso, el proc objetivo normalmente libera la referencia fallida al cerrar como se espera. Sin embargo, si el objetivo est\u00e1 muriendo en paralelo la llamada competir\u00e1 con binder_deferred_release(), por lo que el objetivo podr\u00eda haber liberado todas sus referencias por ahora dejando la limpieza de la nueva referencia fallida sin manejar. La transacci\u00f3n entonces termina y el proc objetivo se libera haciendo que ref->proc ahora sea un puntero colgante. M\u00e1s tarde, ref->node se cierra e intentamos tomar spin_lock(&ref->proc->inner_lock), lo que lleva al error de Use-After-Free reportado a continuaci\u00f3n. Vamos a arreglar esto limpiando la referencia fallida en el acto en lugar de depender de que el objetivo lo haga. ====================================================================== ERROR: KASAN: Use-After-Free en _raw_spin_lock+0xa8/0x150 Escritura de tama\u00f1o 4 en la direcci\u00f3n ffff5ca207094238 por la tarea kworker/1:0/590 CPU: 1 PID: 590 Comm: kworker/1:0 No contaminado 5.19.0-rc8 #10 Nombre del hardware: linux,dummy-virt (DT) Cola de trabajo: eventos binder_deferred_func Rastreo de llamadas: dump_backtrace.part.0+0x1d0/0x1e0 show_stack+0x18/0x70 dump_stack_lvl+0x68/0x84 print_report+0x2e4/0x61c kasan_report+0xa4/0x110 kasan_check_range+0xfc/0x1a4 __kasan_check_write+0x3c/0x50 _raw_spin_lock+0xa8/0x150 binder_deferred_func+0x5e0/0x9b0 process_one_work+0x38c/0x5f0 worker_thread+0x9c/0x694 kthread+0x188/0x190 ret_from_fork+0x10/0x20 "}], "lastModified": "2025-11-14T19:39:44.510", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "90B977E0-CD57-437D-AF5E-63F57E8BCCFF", "versionEndExcluding": "4.14.293"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "253D30F5-3734-4663-883A-288786D3B66E", "versionEndExcluding": "4.19.258", "versionStartIncluding": "4.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4C373116-9E23-44BA-A6B7-87C8BF5C3B85", "versionEndExcluding": "5.4.213", "versionStartIncluding": "4.20"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D44AD643-5591-432E-BD41-C2C737F54AC0", "versionEndExcluding": "5.10.142", "versionStartIncluding": "5.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "52AE7E2B-7BE3-4B8A-89CC-AB62434899A3", "versionEndExcluding": "5.15.66", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7FEC7656-4CE2-424C-8830-EDB160E701C8", "versionEndExcluding": "5.19.8", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E8BD11A3-8643-49B6-BADE-5029A0117325"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5F0AD220-F6A9-4012-8636-155F1B841FAD"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A46498B3-78E1-4623-AAE1-94D29A42BE4E"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}