CVE-2022-1195: Use After Free
First published: Mon Feb 21 2022(Updated: )
A use-after-free vulnerability was found in drivers/net/hamradio in the Linux kernel. In this flaw, a local attacker with a user privilege may lead to a denial of service (DOS) problem, when mkiss or sixpack device is detached, and reclaim resources early. Reference: <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b2f37aead1b82a770c48b5d583f35ec22aabb61e">https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b2f37aead1b82a770c48b5d583f35ec22aabb61e</a> <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=81b1d548d00bcd028303c4f3150fa753b9b8aa71">https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=81b1d548d00bcd028303c4f3150fa753b9b8aa71</a> <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0b9111922b1f399aba6ed1e1b8f2079c3da1aed8">https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0b9111922b1f399aba6ed1e1b8f2079c3da1aed8</a> <a href="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3e0588c291d6ce225f2b891753ca41d45ba42469">https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3e0588c291d6ce225f2b891753ca41d45ba42469</a> ================================================================== [ 26.882075] BUG: KASAN: use-after-free in tty_insert_flip_string_fixed_flag+0xd8/0x1e0 [ 26.882075] Read of size 85 at addr ffff88800690d000 by task trigger/141 [ 26.882075] [ 26.882075] CPU: 3 PID: 141 Comm: trigger Not tainted 5.11.0 #6 [ 26.882075] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 26.882075] Call Trace: [ 26.882075] dump_stack+0x7d/0xa3 [ 26.882075] print_address_description.constprop.0+0x18/0x130 [ 26.882075] ? tty_insert_flip_string_fixed_flag+0xd8/0x1e0 [ 26.882075] ? tty_insert_flip_string_fixed_flag+0xd8/0x1e0 [ 26.882075] kasan_report.cold+0x7f/0x10e [ 26.882075] ? tty_insert_flip_string_fixed_flag+0xd8/0x1e0 [ 26.882075] check_memory_region+0xf9/0x1e0 [ 26.882075] memcpy+0x20/0x60 [ 26.882075] tty_insert_flip_string_fixed_flag+0xd8/0x1e0 [ 26.882075] pty_write+0xfa/0x1b0 [ 26.882075] ? pty_set_termios+0x5d0/0x5d0 [ 26.882075] ax_encaps+0x9c9/0xb60 [ 26.882075] ax_xmit+0x36a/0x37e [ 26.882075] dev_hard_start_xmit+0x160/0x500 [ 26.882075] sch_direct_xmit+0x20b/0xa00 [ 26.882075] ? qdisc_put_unlocked+0x50/0x50 [ 26.882075] ? sysvec_apic_timer_interrupt+0x33/0xd0 [ 26.882075] ? pfifo_fast_dequeue+0x275/0xa30 [ 26.882075] __qdisc_run+0x3a0/0x1390 [ 26.882075] __dev_queue_xmit+0xabb/0x1b10 [ 26.882075] ? netdev_core_pick_tx+0x2a0/0x2a0 [ 26.882075] ? sysvec_apic_timer_interrupt+0x33/0xd0 [ 26.882075] ? memcpy+0x39/0x60 [ 26.882075] ? ax25_addr_build+0x7e/0x2a0 [ 26.882075] ax25_sendmsg+0xb70/0x1090 [ 26.882075] ? selinux_inode_notifysecctx+0x20/0x20 [ 26.882075] ? ax25_device_event+0x210/0x210 [ 26.882075] ? __fget_files+0x15b/0x210 [ 26.882075] ? ax25_device_event+0x210/0x210 [ 26.882075] sock_sendmsg+0xdf/0x110 [ 26.882075] __sys_sendto+0x19e/0x270 [ 26.882075] ? __ia32_sys_getpeername+0xa0/0xa0 [ 26.882075] ? copy_init_fpstate_to_fpregs+0x70/0x70 [ 26.882075] __x64_sys_sendto+0xd8/0x1b0 [ 26.882075] ? exit_to_user_mode_prepare+0x2c/0x120 [ 26.882075] do_syscall_64+0x33/0x40 [ 26.882075] entry_SYSCALL_64_after_hwframe+0x44/0xa9 <..> ==================================================================
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Linux Linux kernel | <5.16 | |
| Linux Linux kernel | =5.16 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| redhat/kernel | <5.16 | 5.16 |
| debian/linux | 5.10.223-1 5.10.226-1 6.1.115-1 6.1.119-1 6.12.6-1 6.12.8-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=2056381
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0b9111922b1f399aba6ed1e1b8f2079c3da1aed8
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3e0588c291d6ce225f2b891753ca41d45ba42469
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=81b1d548d00bcd028303c4f3150fa753b9b8aa71
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b2f37aead1b82a770c48b5d583f35ec22aabb61e
- https://www.debian.org/security/2022/dsa-5127
- https://www.debian.org/security/2022/dsa-5173
- https://launchpad.net/bugs/cve/CVE-2022-1195
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2056382
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2141676
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1195
- https://nvd.nist.gov/vuln/detail/CVE-2022-1195
- https://security-tracker.debian.org/tracker/CVE-2022-1195
- https://ubuntu.com/security/CVE-2022-1195
- collector/nvd-index
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/first-publish-date
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-1195
- agent/software-canonical-lookup
- agent/weakness
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- collector/nvd-cve
- source/NVD
- collector/security-tracker-debian
- source/Debian
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/tags
- agent/description
- agent/softwarecombine
- agent/event
- agent/trending
- vendor/linux
- canonical/linux linux kernel
- version/linux linux kernel/5.16
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- package-manager/redhat
- package-manager/debian