Linux Kernel up to 6.1.7 dmaengine idxd_dmaengine_drv_remove use after free

Summaryinfo

A vulnerability, which was classified as critical, has been found in Linux Kernel up to 6.1.7. This issue affects the function idxd_dmaengine_drv_remove of the component dmaengine. Performing a manipulation results in use after free. This vulnerability is reported as CVE-2022-48867. No exploit exists. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as critical, was found in Linux Kernel up to 6.1.7. This affects the function idxd_dmaengine_drv_remove of the component dmaengine. The manipulation with an unknown input leads to a use after free vulnerability. CWE is classifying the issue as CWE-416. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Prevent use after free on completion memory On driver unload any pending descriptors are flushed at the time the interrupt is freed: idxd_dmaengine_drv_remove() -> drv_disable_wq() -> idxd_wq_free_irq() -> idxd_flush_pending_descs(). If there are any descriptors present that need to be flushed this flow triggers a "not present" page fault as below: BUG: unable to handle page fault for address: ff391c97c70c9040 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page The address that triggers the fault is the address of the descriptor that was freed moments earlier via: drv_disable_wq()->idxd_wq_free_resources() Fix the use after free by freeing the descriptors after any possible usage. This is done after idxd_wq_reset() to ensure that the memory remains accessible during possible completion writes by the device.

It is possible to read the advisory at git.kernel.org. This vulnerability is uniquely identified as CVE-2022-48867 since 07/16/2024. Technical details of the vulnerability are known, but there is no available exploit. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 02/17/2026).

The vulnerability scanner Nessus provides a plugin with the ID 212625 (EulerOS 2.0 SP12 : kernel (EulerOS-SA-2024-2953)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 6.1.8 eliminates this vulnerability. Applying the patch b9e8e3fcfec6/1beeec45f9ac is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (212625) and CERT Bund (WID-SEC-2024-1888). Be aware that VulDB is the high quality source for vulnerability data.

Affected

• Debian Linux
• Amazon Linux 2
• Red Hat Enterprise Linux
• Ubuntu Linux
• SUSE Linux
• IBM InfoSphere Guardium
• Oracle Linux
• Kyocera Printer
• IBM Security Guardium
• RESF Rocky Linux
• Broadcom Brocade SANnav
• Open Source Linux Kernel
• IBM QRadar SIEM
• IBM DB2
• Dell PowerProtect Data Domain
• Dell PowerProtect Data Domain Management Center
• Dell PowerProtect Data Domain OS
• Dell Secure Connect Gateway

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 6.1.0
• 6.1.1
• 6.1.2
• 6.1.3
• 6.1.4
• 6.1.5
• 6.1.6
• 6.1.7

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion