CVE-2022-22942: Use After Free
First published: Tue Jan 25 2022(Updated: )
A failing usercopy of the fence_rep object will lead to a stale entry in the file descriptor table as put_unused_fd() won't release it. This enables userland to refer to a dangling 'file' object through that still valid file descriptor, leading to all kinds of use-after-free exploitation scenarios.
Credit: security@vmware.com security@vmware.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel-rt | <0:3.10.0-1160.59.1.rt56.1200.el7 | 0:3.10.0-1160.59.1.rt56.1200.el7 |
| redhat/kernel | <0:3.10.0-1160.59.1.el7 | 0:3.10.0-1160.59.1.el7 |
| redhat/kernel | <0:3.10.0-957.92.1.el7 | 0:3.10.0-957.92.1.el7 |
| redhat/kernel | <0:3.10.0-1062.66.1.el7 | 0:3.10.0-1062.66.1.el7 |
| redhat/kernel-rt | <0:4.18.0-348.20.1.rt7.150.el8_5 | 0:4.18.0-348.20.1.rt7.150.el8_5 |
| redhat/kernel | <0:4.18.0-348.20.1.el8_5 | 0:4.18.0-348.20.1.el8_5 |
| redhat/kernel | <0:4.18.0-147.64.1.el8_1 | 0:4.18.0-147.64.1.el8_1 |
| redhat/kernel-rt | <0:4.18.0-193.79.1.rt13.129.el8_2 | 0:4.18.0-193.79.1.rt13.129.el8_2 |
| redhat/kernel | <0:4.18.0-193.79.1.el8_2 | 0:4.18.0-193.79.1.el8_2 |
| redhat/kernel-rt | <0:4.18.0-305.40.1.rt7.112.el8_4 | 0:4.18.0-305.40.1.rt7.112.el8_4 |
| redhat/kernel | <0:4.18.0-305.40.1.el8_4 | 0:4.18.0-305.40.1.el8_4 |
| redhat/redhat-virtualization-host | <0:4.3.22-20220330.1.el7_9 | 0:4.3.22-20220330.1.el7_9 |
| redhat/Kernel | <5.16 | 5.16 |
| VMware Photon OS | =3.0 | |
| VMware Photon OS | =4.0 | |
| debian/linux | 5.10.223-1 5.10.226-1 6.1.115-1 6.1.119-1 6.12.5-1 6.12.6-1 |
Remedy
Mitigation for this issue is to skip loading the affected module vmwgfx onto the system until we have a fix available. This can be done by a blacklist mechanism and ensures the driver is not loaded at the boot time. ~~~ How do I blacklist a kernel module to prevent it from loading automatically? https://access.redhat.com/solutions/41278 ~~~
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-22942 https://nvd.nist.gov/vuln/detail/CVE-2022-22942
- https://bugzilla.redhat.com/show_bug.cgi?id=2044809
- https://access.redhat.com/errata/RHSA-2022:0622
- https://access.redhat.com/errata/RHSA-2022:0592
- https://access.redhat.com/errata/RHSA-2022:0620
- https://access.redhat.com/errata/RHSA-2022:1107
- https://access.redhat.com/errata/RHSA-2022:1103
- https://access.redhat.com/errata/RHSA-2022:1324
- https://access.redhat.com/errata/RHSA-2022:1373
- https://access.redhat.com/errata/RHSA-2022:0819
- https://access.redhat.com/errata/RHSA-2022:0825
- https://access.redhat.com/errata/RHSA-2022:0849
- https://access.redhat.com/errata/RHSA-2022:0823
- https://access.redhat.com/errata/RHSA-2022:0851
- https://access.redhat.com/errata/RHSA-2022:0958
- https://access.redhat.com/errata/RHSA-2022:0821
- https://access.redhat.com/errata/RHSA-2022:0820
- https://access.redhat.com/errata/RHSA-2022:0925
- https://access.redhat.com/errata/RHSA-2022:0771
- https://access.redhat.com/errata/RHSA-2022:0772
- https://access.redhat.com/errata/RHSA-2022:0777
- https://access.redhat.com/errata/RHSA-2022:1263
- https://access.redhat.com/errata/RHSA-2022:0841
- https://access.redhat.com/security/cve/cve-2022-22942
- https://github.com/vmware/photon/wiki/Security-Update-3.0-356
- https://github.com/vmware/photon/wiki/Security-Update-4.0-148
- https://www.openwall.com/lists/oss-security/2022/01/27/4
- https://launchpad.net/bugs/cve/CVE-2022-22942
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2055098
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22942
- https://nvd.nist.gov/vuln/detail/CVE-2022-22942
- https://security-tracker.debian.org/tracker/CVE-2022-22942
- https://ubuntu.com/security/CVE-2022-22942
- https://www.openwall.com/lists/oss-security/2022/02/03/1
- https://git.kernel.org/linus/a0f90c8815706981c483a652a6aefca51a5e191c
- https://github.com/opensrcsec/same_type_object_reuse_exploits/blob/main/cve-2022-22942-dc.c
- https://github.com/opensrcsec/same_type_object_reuse_exploits/blob/main/cve-2022-22942.c
Parent vulnerabilities
(Appears in the following advisories)
- collector/redhat-cve
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/first-publish-date
- agent/severity
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-22942
- agent/software-canonical-lookup
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- collector/nvd-cve
- source/NVD
- collector/security-tracker-debian
- source/Debian
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/tags
- agent/description
- agent/softwarecombine
- agent/event
- agent/trending
- package-manager/redhat
- vendor/vmware
- canonical/vmware photon os
- version/vmware photon os/3.0
- version/vmware photon os/4.0
- package-manager/debian