CVE-2022-49729 in Linux

Summary

by MITRE • 02/26/2025

In the Linux kernel, the following vulnerability has been resolved:

nfc: nfcmrvl: Fix memory leak in nfcmrvl_play_deferred

Similar to the handling of play_deferred in commit 19cfe912c37b ("Bluetooth: btusb: Fix memory leak in play_deferred"), we thought a patch might be needed here as well.

Currently usb_submit_urb is called directly to submit deferred tx urbs after unanchoring them.

So the usb_giveback_urb_bh would fail to unref it in usb_unanchor_urb and cause a memory leak.

Put those urbs in tx_anchor to avoid the leak, and also fix the error handling.


Analysis

by VulDB Data Team • 06/28/2025

The vulnerability CVE-2022-49729 represents a memory leak issue within the Linux kernel's NFC subsystem, specifically affecting the nfcmrvl driver component. This flaw exists in the handling of deferred transmission USB requests and demonstrates the importance of proper resource management in kernel-level networking drivers. The vulnerability was addressed through a patch that mirrors similar fixes implemented in the Bluetooth subsystem, highlighting the interconnected nature of kernel driver development and the reuse of proven mitigation patterns across different hardware interfaces.

The flaw sits in the nfcmrvl driver's play_deferred routine, where deferred USB transfer requests (URBs) are replayed asynchronously. When the driver replays a deferred transmission URB, it calls usb_submit_urb directly without first anchoring the URB in the USB subsystem's management structures. That direct submission bypasses the USB core's reference counting, which would otherwise take care of cleanup. usb_unanchor_urb expects the URB to be anchored in the tx_anchor list; because the URB was submitted unanchored, usb_giveback_urb_bh cannot drop the reference during cleanup, and the URB's memory leaks until the driver is unloaded or the system reboots.

The operational impact of this vulnerability extends beyond simple resource consumption, as memory leaks in kernel space can lead to progressive system degradation and potential denial of service conditions. When the nfcmrvl driver handles multiple deferred transmission requests, each unmanaged URB consumes kernel memory that cannot be reclaimed, eventually leading to memory exhaustion that may affect system stability. This vulnerability particularly affects NFC devices that rely on the mrvl (Marvell) chipset family and could be exploited in scenarios where continuous NFC communication is maintained, such as in mobile devices, IoT sensors, or embedded systems with NFC capabilities. The issue represents a classic case of improper resource management that violates fundamental kernel programming practices and can be classified under CWE-401 as "Improper Release of Memory Before Removing Last Reference."

The fix follows the Linux USB subsystem's established design pattern and aligns with the ATT&CK framework's defensive techniques for kernel-level memory management. The URBs are anchored in the tx_anchor list before submission so that the USB core's reference counting works as intended: usb_unanchor_urb can release the URB references once the transfers complete, keeping the resource lifecycle intact. The fix also improves the error handling so that cleanup happens even when submission fails, in keeping with defensive programming practice in kernel space. The resolution illustrates how kernel vulnerabilities often arise from subtle departures from established patterns, and why driver code should stick to the subsystem's interfaces and resource management conventions.
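To make the reference-ownership argument above concrete, here is an added userspace model (example code written for this page, not the nfcmrvl driver's code and not the kernel's). The helpers anchor_urb, unanchor_urb, get_from_anchor, submit_urb and hcd_complete_all are assumptions that mimic how usb_anchor_urb(), usb_unanchor_urb(), usb_get_from_anchor(), usb_submit_urb() and the host-controller giveback path move the URB refcount; play_deferred_leaky and play_deferred_fixed reproduce the two shapes the commit message describes (submit straight after unanchoring versus re-anchor in tx_anchor with error cleanup). Counting URBs that are still alive after every in-flight transfer has completed shows where the leak comes from and that the anchored variant drains to zero, including on a failed submit.

```c
/* Added example: a userspace model of URB reference ownership, not driver or
 * kernel code. The helpers below are assumptions that mimic the refcount
 * behaviour of the USB core's anchor/submit/giveback helpers. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct urb;
struct anchor { struct urb *list[16]; int n; };   /* struct usb_anchor stand-in */
struct urb {
    int refcount;                                 /* kref in the real struct */
    struct anchor *anchor;                        /* non-NULL while anchored */
    void (*complete)(struct urb *);
};

static int live_urbs;                 /* model bookkeeping: URBs not yet freed */
static int completions;               /* model bookkeeping: completion callbacks run */
static struct urb *hcd_queue[16];     /* URBs "in flight" at the host controller */
static int hcd_n;

static struct urb *urb_alloc(void (*complete)(struct urb *)) {   /* usb_alloc_urb() */
    struct urb *u = calloc(1, sizeof *u);
    u->refcount = 1; u->complete = complete; live_urbs++;
    return u;
}
static void urb_get(struct urb *u) { u->refcount++; }            /* usb_get_urb() */
static void urb_put(struct urb *u) {                            /* usb_free_urb() */
    if (--u->refcount == 0) { live_urbs--; free(u); }
}
/* usb_anchor_urb(): the anchor holds its own reference */
static void anchor_urb(struct urb *u, struct anchor *a) {
    urb_get(u); u->anchor = a; a->list[a->n++] = u;
}
/* usb_unanchor_urb(): drop the anchor's reference; a no-op when not anchored */
static void unanchor_urb(struct urb *u) {
    struct anchor *a = u->anchor;
    if (!a) return;
    for (int i = 0; i < a->n; i++)
        if (a->list[i] == u) {
            memmove(&a->list[i], &a->list[i + 1], (a->n - i - 1) * sizeof *a->list);
            a->n--;
            break;
        }
    u->anchor = NULL;
    urb_put(u);
}
/* usb_get_from_anchor(): the caller takes over the reference the anchor held */
static struct urb *get_from_anchor(struct anchor *a) {
    if (a->n == 0) return NULL;
    struct urb *u = a->list[0];
    urb_get(u);
    unanchor_urb(u);
    return u;
}
/* usb_submit_urb(): the host controller holds a reference while in flight */
static int submit_urb(struct urb *u, int fail) {
    if (fail) return -1;
    urb_get(u); hcd_queue[hcd_n++] = u;
    return 0;
}
/* HCD giveback: unanchor, run the completion, drop the controller's reference */
static void hcd_complete_all(void) {
    for (int i = 0; i < hcd_n; i++) {
        unanchor_urb(hcd_queue[i]);
        hcd_queue[i]->complete(hcd_queue[i]);
        urb_put(hcd_queue[i]);
    }
    hcd_n = 0;
}
static void tx_complete(struct urb *u) { (void)u; completions++; }

/* Pre-fix shape: submit straight after unanchoring, never re-anchor, never
 * drop the reference get_from_anchor() handed over, no error cleanup. */
static void play_deferred_leaky(struct anchor *deferred, int fail_first) {
    struct urb *u;
    while ((u = get_from_anchor(deferred))) {
        if (submit_urb(u, fail_first)) break;
        fail_first = 0;
    }
}
/* Fixed shape: anchor in tx_anchor before submitting, release our own
 * reference afterwards, and unwind on a failed submit. */
static void play_deferred_fixed(struct anchor *deferred, struct anchor *tx_anchor, int fail_first) {
    struct urb *u;
    while ((u = get_from_anchor(deferred))) {
        anchor_urb(u, tx_anchor);
        if (submit_urb(u, fail_first)) { unanchor_urb(u); urb_put(u); break; }
        fail_first = 0;
        urb_put(u);
    }
    while ((u = get_from_anchor(deferred))) urb_put(u);  /* drop whatever was not played */
}

/* Queue n deferred URBs, play them with one variant, complete in-flight ones,
 * and return how many URBs are still alive (0 means nothing leaked). */
static int run_scenario(int n, int fixed, int fail_first) {
    struct anchor deferred = {{0}, 0}, tx_anchor = {{0}, 0};
    live_urbs = 0; completions = 0; hcd_n = 0;
    for (int i = 0; i < n; i++) {
        struct urb *u = urb_alloc(tx_complete);
        anchor_urb(u, &deferred);   /* send path parks the URB while bulk is not running... */
        urb_put(u);                 /* ...and releases its own reference */
    }
    if (fixed) play_deferred_fixed(&deferred, &tx_anchor, fail_first);
    else       play_deferred_leaky(&deferred, fail_first);
    hcd_complete_all();
    return live_urbs;
}
static int completions_in_last_run(void) { return completions; }

int main(void) {
    printf("leaky, no error    : %d URB(s) leaked\n", run_scenario(2, 0, 0));
    printf("fixed, no error    : %d URB(s) leaked\n", run_scenario(2, 1, 0));
    printf("fixed, submit error: %d URB(s) leaked\n", run_scenario(2, 1, 1));
    return 0;
}
```

The point the model makes visible is that every URB handed out by get_from_anchor() carries a reference the caller now owns; the leaky variant submits it and walks away, so the giveback path only drops the controller's reference and the count never reaches zero. Re-anchoring in tx_anchor and releasing the caller's reference restores the usual alloc/anchor/submit/free sequence, and the unwind on a failed submit keeps the error path leak-free as well.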

Responsible: Linux

Reservation: 02/26/2025

Disclosure: 02/26/2025

Moderation: accepted

CPE: ready

EPSS: 0.00244

KEV: no

Activities: very low
