CVE-2022-48869 in Linux

Summary

by MITRE • 08/21/2024

In the Linux kernel, the following vulnerability has been resolved:

USB: gadgetfs: Fix race between mounting and unmounting

The syzbot fuzzer and Gerald Lee have identified a use-after-free bug in the gadgetfs driver, involving processes concurrently mounting and unmounting the gadgetfs filesystem. In particular, gadgetfs_fill_super() can race with gadgetfs_kill_sb(), causing the latter to deallocate the_device while the former is using it. The output from KASAN says, in part:

BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
BUG: KASAN: use-after-free in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]
BUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline]
BUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline]
BUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline]
BUG: KASAN: use-after-free in put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]
BUG: KASAN: use-after-free in gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086
Write of size 4 at addr ffff8880276d7840 by task syz-executor126/18689

CPU: 0 PID: 18689 Comm: syz-executor126 Not tainted 6.1.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
...
atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]
__refcount_sub_and_test include/linux/refcount.h:272 [inline]
__refcount_dec_and_test include/linux/refcount.h:315 [inline]
refcount_dec_and_test include/linux/refcount.h:333 [inline]
put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]
gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086
deactivate_locked_super+0xa7/0xf0 fs/super.c:332
vfs_get_super fs/super.c:1190 [inline]
get_tree_single+0xd0/0x160 fs/super.c:1207
vfs_get_tree+0x88/0x270 fs/super.c:1531
vfs_fsconfig_locked fs/fsopen.c:232 [inline]

The simplest solution is to ensure that gadgetfs_fill_super() and gadgetfs_kill_sb() are serialized by making them both acquire a new mutex.


Analysis

by VulDB Data Team • 02/17/2026

CVE-2022-48869 is a critical race condition in the Linux kernel's USB gadget filesystem, the gadgetfs driver. It is triggered when the gadgetfs filesystem is mounted and unmounted concurrently, which leaves the driver's memory management inconsistent and can destabilize the system. The bug was found by the syzbot fuzzer and by Gerald Lee, and it underlines the need for sound concurrency controls in kernel subsystems that front hardware interfaces.

The root cause is missing synchronization between gadgetfs_fill_super(), which initializes the filesystem, and gadgetfs_kill_sb(), which tears it down. When the two run concurrently, gadgetfs_kill_sb() can deallocate the device structure that gadgetfs_fill_super() is still using, a use-after-free that can crash the system and potentially enable privilege escalation. The KASAN (Kernel Address Sanitizer) report shows the write to freed memory reached through the inlined refcount_dec_and_test() path in put_dev(), called from gadgetfs_kill_sb(): the device structure is released while it is still in use.

The vulnerability maps to CWE-367 (Time-of-Check to Time-of-Use race condition) and, more specifically, to CWE-416 (use-after-free). The impact is not limited to crashes: because the race is reachable through ordinary concurrent filesystem operations, an attacker could exploit it wherever USB gadget functionality is exposed or automated processes mount and unmount gadgetfs frequently. The attack surface is any system that uses gadgetfs, in particular embedded systems, servers and devices running USB gadget drivers under concurrent access.

The fix serializes gadgetfs_fill_super() and gadgetfs_kill_sb() with a new mutex that both functions acquire, so filesystem initialization and cleanup can no longer overlap and the use-after-free cannot occur. Exploiting kernel flaws of this kind for privilege escalation is what the ATT&CK framework catalogues under T1068. The change is small but closes the race completely. Administrators should prioritize the kernel update, especially where USB gadget functionality is in active use or where systems process untrusted input or concurrent access patterns that could trigger the race.
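As an added illustration (my own user-space model, not the kernel's code or the patch), the following C program reproduces the shape of the race described above and of its fix: fill_super() publishes a global the_device and keeps using it, kill_sb() drops the reference, and the serialize switch stands for the new mutex. The function names and the_device come from the commit message; the mutex name sb_mutex, the dev_data layout and the anomaly counter that plays KASAN's role are constructed.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the driver's device object. The model marks memory
 * freed instead of calling free(), so a late access is counted, not corrupted. */
struct dev_data { atomic_int refcount; atomic_int freed; };
static _Atomic(struct dev_data *) the_device;  /* the driver's single global device */
static pthread_mutex_t sb_mutex = PTHREAD_MUTEX_INITIALIZER;  /* name is my choice */
static int serialize;                          /* 1 = apply the fix: hold sb_mutex */
static atomic_int anomalies;                   /* accesses to an already-freed dev */
static void sb_lock(void)   { if (serialize) pthread_mutex_lock(&sb_mutex); }
static void sb_unlock(void) { if (serialize) pthread_mutex_unlock(&sb_mutex); }
static void put_dev(struct dev_data *d) {
    if (atomic_load(&d->freed)) { atomic_fetch_add(&anomalies, 1); return; }
    if (atomic_fetch_sub(&d->refcount, 1) == 1) atomic_store(&d->freed, 1); /* "kfree" */
}
/* Mount path: publishes the_device, then keeps using it to finish setup. */
static int fill_super(void) {
    sb_lock();
    if (atomic_load(&the_device)) { sb_unlock(); return -1; }  /* already mounted */
    struct dev_data *d = calloc(1, sizeof *d);
    atomic_store(&d->refcount, 1);
    atomic_store(&the_device, d);
    if (atomic_load(&d->freed)) atomic_fetch_add(&anomalies, 1); /* unfixed: kill_sb freed d */
    sb_unlock();
    return 0;
}
/* Unmount path; the VFS also runs it when a mount attempt fails (see the trace). */
static void kill_sb(void) {
    sb_lock();
    struct dev_data *d = atomic_load(&the_device);
    if (d) { put_dev(d); atomic_store(&the_device, (struct dev_data *)NULL); }
    sb_unlock();
}
static void *worker(void *arg) { for (int i = 0; i < *(int *)arg; i++) { fill_super(); kill_sb(); } return NULL; }
/* Runs up to 8 concurrent mount/unmount loops; returns the freed-dev access count. */
int run_model(int do_serialize, int threads, int cycles) {
    pthread_t t[8];
    serialize = do_serialize;
    atomic_store(&anomalies, 0);
    for (int i = 0; i < threads && i < 8; i++) pthread_create(&t[i], NULL, worker, &cycles);
    for (int i = 0; i < threads && i < 8; i++) pthread_join(t[i], NULL);
    return atomic_load(&anomalies);
}
int main(void) {
    printf("unfixed:    %d freed-device accesses\n", run_model(0, 4, 20000));
    printf("with mutex: %d freed-device accesses\n", run_model(1, 4, 20000));
}
```

Without serialization the counter is typically non-zero, because a failed mount's kill_sb() can release the device another thread is still setting up, or two unmounts can both drop the same reference; with the mutex held it stays at zero.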

Responsible: Linux

Reservation: 07/16/2024

Disclosure: 08/21/2024

Moderation: accepted

CPE: ready

EPSS: 0.00232

KEV: no

Activities: very low
