{
  "threat_severity" : "Moderate",
  "public_date" : "2024-07-16T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: iommu: Fix potential use-after-free during probe",
    "id" : "2298132",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2298132"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\niommu: Fix potential use-after-free during probe\nKasan has reported the following use after free on dev->iommu.\nwhen a device probe fails and it is in process of freeing dev->iommu\nin dev_iommu_free function, a deferred_probe_work_func runs in parallel\nand tries to access dev->iommu->fwspec in of_iommu_configure path thus\ncausing use after free.\nBUG: KASAN: use-after-free in of_iommu_configure+0xb4/0x4a4\nRead of size 8 at addr ffffff87a2f1acb8 by task kworker/u16:2/153\nWorkqueue: events_unbound deferred_probe_work_func\nCall trace:\ndump_backtrace+0x0/0x33c\nshow_stack+0x18/0x24\ndump_stack_lvl+0x16c/0x1e0\nprint_address_description+0x84/0x39c\n__kasan_report+0x184/0x308\nkasan_report+0x50/0x78\n__asan_load8+0xc0/0xc4\nof_iommu_configure+0xb4/0x4a4\nof_dma_configure_id+0x2fc/0x4d4\nplatform_dma_configure+0x40/0x5c\nreally_probe+0x1b4/0xb74\ndriver_probe_device+0x11c/0x228\n__device_attach_driver+0x14c/0x304\nbus_for_each_drv+0x124/0x1b0\n__device_attach+0x25c/0x334\ndevice_initial_probe+0x24/0x34\nbus_probe_device+0x78/0x134\ndeferred_probe_work_func+0x130/0x1a8\nprocess_one_work+0x4c8/0x970\nworker_thread+0x5c8/0xaec\nkthread+0x1f8/0x220\nret_from_fork+0x10/0x18\nAllocated by task 1:\n____kasan_kmalloc+0xd4/0x114\n__kasan_kmalloc+0x10/0x1c\nkmem_cache_alloc_trace+0xe4/0x3d4\n__iommu_probe_device+0x90/0x394\nprobe_iommu_group+0x70/0x9c\nbus_for_each_dev+0x11c/0x19c\nbus_iommu_probe+0xb8/0x7d4\nbus_set_iommu+0xcc/0x13c\narm_smmu_bus_init+0x44/0x130 [arm_smmu]\narm_smmu_device_probe+0xb88/0xc54 [arm_smmu]\nplatform_drv_probe+0xe4/0x13c\nreally_probe+0x2c8/0xb74\ndriver_probe_device+0x11c/0x228\ndevice_driver_attach+0xf0/0x16c\n__driver_attach+0x80/0x320\nbus_for_each_dev+0x11c/0x19c\ndriver_attach+0x38/0x48\nbus_add_driver+0x1dc/0x3a4\ndriver_register+0x18c/0x244\n__platform_driver_register+0x88/0x9c\ninit_module+0x64/0xff4 [arm_smmu]\ndo_one_initcall+0x17c/0x2f0\ndo_init_module+0xe8/0x378\nload_module+0x3f80/0x4a40\n__se_sys_finit_module+0x1a0/0x1e4\n__arm64_sys_finit_module+0x44/0x58\nel0_svc_common+0x100/0x264\ndo_el0_svc+0x38/0xa4\nel0_svc+0x20/0x30\nel0_sync_handler+0x68/0xac\nel0_sync+0x160/0x180\nFreed by task 1:\nkasan_set_track+0x4c/0x84\nkasan_set_free_info+0x28/0x4c\n____kasan_slab_free+0x120/0x15c\n__kasan_slab_free+0x18/0x28\nslab_free_freelist_hook+0x204/0x2fc\nkfree+0xfc/0x3a4\n__iommu_probe_device+0x284/0x394\nprobe_iommu_group+0x70/0x9c\nbus_for_each_dev+0x11c/0x19c\nbus_iommu_probe+0xb8/0x7d4\nbus_set_iommu+0xcc/0x13c\narm_smmu_bus_init+0x44/0x130 [arm_smmu]\narm_smmu_device_probe+0xb88/0xc54 [arm_smmu]\nplatform_drv_probe+0xe4/0x13c\nreally_probe+0x2c8/0xb74\ndriver_probe_device+0x11c/0x228\ndevice_driver_attach+0xf0/0x16c\n__driver_attach+0x80/0x320\nbus_for_each_dev+0x11c/0x19c\ndriver_attach+0x38/0x48\nbus_add_driver+0x1dc/0x3a4\ndriver_register+0x18c/0x244\n__platform_driver_register+0x88/0x9c\ninit_module+0x64/0xff4 [arm_smmu]\ndo_one_initcall+0x17c/0x2f0\ndo_init_module+0xe8/0x378\nload_module+0x3f80/0x4a40\n__se_sys_finit_module+0x1a0/0x1e4\n__arm64_sys_finit_module+0x44/0x58\nel0_svc_common+0x100/0x264\ndo_el0_svc+0x38/0xa4\nel0_svc+0x20/0x30\nel0_sync_handler+0x68/0xac\nel0_sync+0x160/0x180\nFix this by setting dev->iommu to NULL first and\nthen freeing dev_iommu structure in dev_iommu_free\nfunction.", "A vulnerability was found in the Linux kernel's IOMMU driver, where the dev_iommu_free function can lead to a use-after-free error. This occurs when a device probe fails while simultaneously accessing dev->iommu->fwspec in the of_iommu_configure path. As a result, this vulnerability can potentially cause system instability or crashes." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2024-09-04T00:00:00Z",
    "advisory" : "RHSA-2024:6297",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "kernel-0:4.18.0-372.121.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2024-09-04T00:00:00Z",
    "advisory" : "RHSA-2024:6297",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "kernel-0:4.18.0-372.121.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2024-09-04T00:00:00Z",
    "advisory" : "RHSA-2024:6297",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "kernel-0:4.18.0-372.121.1.el8_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2024-11-19T00:00:00Z",
    "advisory" : "RHSA-2024:9942",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "kernel-0:5.14.0-70.121.1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2024-11-19T00:00:00Z",
    "advisory" : "RHSA-2024:9943",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::nfv",
    "package" : "kernel-rt-0:5.14.0-70.121.1.rt21.193.el9_0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-48796\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-48796\nhttps://lore.kernel.org/linux-cve-announce/2024071642-CVE-2022-48796-8474@gregkh/T" ],
  "name" : "CVE-2022-48796",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}