CVE-2022-48857 in Linux

Summary

by MITRE • 07/16/2024

In the Linux kernel, the following vulnerability has been resolved:

NFC: port100: fix use-after-free in port100_send_complete

Syzbot reported UAF in port100_send_complete(). The root cause is in missing usb_kill_urb() calls on the error handling path of the ->probe function.

port100_send_complete() accesses devm allocated memory which will be freed on probe failure. We should kill these urbs before returning an error from the probe function to prevent the reported use-after-free.

Fail log:

BUG: KASAN: use-after-free in port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935
Read of size 1 at addr ffff88801bb59540 by task ksoftirqd/2/26
...
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935
 __usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670

...

Allocated by task 1255:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524
 alloc_dr drivers/base/devres.c:116 [inline]
 devm_kmalloc+0x96/0x1d0 drivers/base/devres.c:823
 devm_kzalloc include/linux/device.h:209 [inline]
 port100_probe+0x8a/0x1320 drivers/nfc/port100.c:1502

Freed by task 1255:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free+0xff/0x140 mm/kasan/common.c:328
 kasan_slab_free include/linux/kasan.h:236 [inline]
 __cache_free mm/slab.c:3437 [inline]
 kfree+0xf8/0x2b0 mm/slab.c:3794
 release_nodes+0x112/0x1a0 drivers/base/devres.c:501
 devres_release_all+0x114/0x190 drivers/base/devres.c:530
 really_probe+0x626/0xcc0 drivers/base/dd.c:670


Analysis

by VulDB Data Team • 09/27/2024

The vulnerability CVE-2022-48857 represents a use-after-free condition affecting the Linux kernel's NFC subsystem, specifically within the port100 driver component. This flaw occurs during the device probe phase when handling USB communication endpoints. The issue manifests as a memory access violation where the port100_send_complete callback function attempts to access memory that has already been freed due to improper cleanup of USB request blocks. The vulnerability was identified through automated fuzzing by syzbot, which detected a kernel address sanitizer (KASAN) report indicating a use-after-free error in the port100_send_complete function at offset 0x16e within the drivers/nfc/port100.c file. The root cause lies in the missing usb_kill_urb() calls during error handling within the probe function, which fails to properly terminate active USB requests before the device resources are released.

The technical implementation of this vulnerability stems from improper resource management in the USB device initialization sequence. When the port100_probe function encounters an error condition, it fails to terminate outstanding USB requests through usb_kill_urb() calls before returning an error code. This allows USB request blocks to remain in an active state while the device memory allocated through devm_kzalloc is freed, creating a window where the port100_send_complete callback can access freed memory locations. The memory access pattern shows that the kernel attempts to read a single byte from address 0xffff88801bb59540, which was previously allocated by devm_kzalloc and subsequently freed by the device resource management subsystem. This memory management issue directly corresponds to CWE-416, which describes the use of freed memory vulnerability, and aligns with ATT&CK technique T1059.001 for command and scripting interpreter execution through kernel memory corruption.

The operational impact of this vulnerability extends to systems utilizing NFC devices with the port100 driver, particularly those implementing USB-based NFC readers or smart card interfaces. The flaw can potentially lead to system instability, kernel panics, or in worst-case scenarios, privilege escalation if exploited by malicious actors. The vulnerability is particularly concerning in embedded systems or IoT devices that rely on NFC functionality for secure authentication or payment processing, as these environments often lack robust memory protection mechanisms. Attackers could potentially leverage this use-after-free condition to trigger kernel memory corruption, leading to denial of service or unauthorized access to system resources. The vulnerability affects kernel versions where the port100 driver is enabled and actively used for NFC device communication, making it relevant to embedded systems, mobile devices, and enterprise infrastructure that incorporate NFC capabilities.

Mitigation strategies for this vulnerability require immediate kernel updates from vendors who have patched the specific issue through the addition of proper usb_kill_urb() calls in the error handling path of the port100_probe function. System administrators should prioritize applying security patches from their Linux distribution maintainers, particularly those addressing the NFC subsystem and USB device management components. The fix involves ensuring that all active USB requests are properly terminated before device resource cleanup occurs, preventing the scenario where port100_send_complete attempts to access freed memory. Additional defensive measures include implementing kernel hardening configurations such as enabling KASAN, KPTI, and other memory protection features that can detect and prevent similar memory corruption vulnerabilities. Organizations should also consider monitoring for anomalous behavior in NFC device operations and implementing proper system isolation for NFC-enabled components to limit potential impact if exploitation occurs. The vulnerability highlights the importance of proper resource management in kernel drivers, particularly in USB subsystems where asynchronous operations can persist beyond the scope of device initialization failure conditions.
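To make the ordering problem concrete, here is a small user-space model of the lifecycle the commit message and analysis describe (an added, constructed example, not kernel or VulDB code): the driver core releases devm memory when probe() fails, so a URB still in flight at that moment completes against released memory unless usb_kill_urb() runs first. Every function below is a stand-in for its kernel namesake, and the "freed" slot is poisoned rather than actually freed so the stale read is observable.

```c
#include <stdbool.h>

/* Constructed user-space model of the port100 probe lifecycle; not kernel code.
 * The devres slot is poisoned instead of freed so the stale read can be returned
 * and checked, which is what a KASAN build reports as use-after-free. */

#define LIVE_MAGIC   0x5A
#define FREED_POISON 0x6B   /* stands in for slab poison after kfree() */

struct port100 { unsigned char magic; };              /* devm_kzalloc'd driver state */
struct urb     { struct port100 *context; bool pending; };

static struct port100 devres_slot;                    /* what devm_kzalloc hands out */

static struct port100 *devm_alloc(void)  { devres_slot.magic = LIVE_MAGIC; return &devres_slot; }
static void devres_release_all(void)      { devres_slot.magic = FREED_POISON; }

static void usb_submit_urb(struct urb *u, struct port100 *ctx) { u->context = ctx; u->pending = true; }
/* usb_kill_urb(): cancel the request and guarantee its completion will not run */
static void usb_kill_urb(struct urb *u)   { u->pending = false; }

/* port100_send_complete(): the completion handler. Returns the byte it read from
 * the context so the caller can tell whether it saw live or released memory;
 * -1 means the URB was killed and the handler never touched the context. */
static int port100_send_complete(struct urb *u) {
    if (!u->pending) return -1;
    u->pending = false;
    return u->context->magic;                         /* the 1-byte read KASAN flagged */
}

/* probe() submits a URB and then hits an error. kill_on_error=false is the buggy
 * path; kill_on_error=true is the patched path. Returns what the late completion
 * observed after the driver core released devm memory. */
int probe_then_complete(struct urb *u, bool kill_on_error) {
    struct port100 *dev = devm_alloc();
    usb_submit_urb(u, dev);                           /* request is now in flight */
    /* ... a later initialisation step fails ... */
    if (kill_on_error)
        usb_kill_urb(u);                              /* the fix: nothing can complete on dev */
    devres_release_all();                             /* probe failure: devm memory released */
    return port100_send_complete(u);                  /* hardware finishes the URB afterwards */
}
```

On the buggy path the completion reads the poisoned byte; on the patched path it never dereferences the released context.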

Responsible

Linux

Reservation

07/16/2024

Disclosure

07/16/2024

Moderation

accepted

CPE

ready

EPSS

0.00205

KEV

no

Activities

very low
