CVE-2022-48892— sched/core: Fix use-after-free bug in dup_user_cpus_ptr()
Affected Version Matrix 8
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 07ec77a1d4e82526e1588979fff2f024f8e96df2< b22faa21b6230d5eccd233e1b7e0026a5002b287 | affected |
07ec77a1d4e82526e1588979fff2f024f8e96df2< 7b5cc7fd1789ea5dbb942c9f8207b076d365badc | affected | ||
07ec77a1d4e82526e1588979fff2f024f8e96df2< 87ca4f9efbd7cc649ff43b87970888f2812945b8 | affected | ||
5.15 | affected | ||
< 5.15 | unaffected | ||
5.15.89≤ 5.15.* | unaffected | ||
6.1.7≤ 6.1.* | unaffected | ||
6.2≤ * | unaffected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2022-48892
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
sched/core: Fix use-after-free bug in dup_user_cpus_ptr()
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: sched/core: Fix use-after-free bug in dup_user_cpus_ptr() Since commit 07ec77a1d4e8 ("sched: Allow task CPU affinity to be restricted on asymmetric systems"), the setting and clearing of user_cpus_ptr are done under pi_lock for arm64 architecture. However, dup_user_cpus_ptr() accesses user_cpus_ptr without any lock protection. Since sched_setaffinity() can be invoked from another process, the process being modified may be undergoing fork() at the same time. When racing with the clearing of user_cpus_ptr in __set_cpus_allowed_ptr_locked(), it can lead to user-after-free and possibly double-free in arm64 kernel. Commit 8f9ea86fdf99 ("sched: Always preserve the user requested cpumask") fixes this problem as user_cpus_ptr, once set, will never be cleared in a task's lifetime. However, this bug was re-introduced in commit 851a723e45d1 ("sched: Always clear user_cpus_ptr in do_set_cpus_allowed()") which allows the clearing of user_cpus_ptr in do_set_cpus_allowed(). This time, it will affect all arches. Fix this bug by always clearing the user_cpus_ptr of the newly cloned/forked task before the copying process starts and check the user_cpus_ptr state of the source task under pi_lock. Note to stable, this patch won't be applicable to stable releases. Just copy the new dup_user_cpus_ptr() function over.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于 sched/core 组件在dup_user_cpus_ptr()中存在释放后重用问题。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2022-48892
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2022-48892
请登录查看更多情报信息。
Other References for CVE-2022-48892 (3)
Same Patch Batch · Linux · 2024-08-21 · 69 CVEs total
| CVE-2022-48876 | wifi: mac80211: fix initialization of rx->link and rx->link_sta | |
| CVE-2024-43874 | crypto: ccp - Fix null pointer dereference in __sev_snp_shutdown_locked | |
| CVE-2024-43873 | vhost/vsock: always initialize seqpacket_allow | |
| CVE-2024-43875 | PCI: endpoint: Clean up error handling in vpci_scan_bus() | |
| CVE-2022-48870 | tty: fix possible null-ptr-defer in spk_ttyio_release | |
| CVE-2022-48871 | tty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer | |
| CVE-2022-48872 | misc: fastrpc: Fix use-after-free race condition for maps | |
| CVE-2022-48873 | misc: fastrpc: Don't remove map on creater_process and device_release | |
| CVE-2022-48874 | misc: fastrpc: Fix use-after-free and race in fastrpc_map_find | |
| CVE-2022-48875 | wifi: mac80211: sdata can be NULL during AMPDU start | |
| CVE-2022-48869 | USB: gadgetfs: Fix race between mounting and unmounting | |
| CVE-2022-48877 | f2fs: let's avoid panic if extent_tree is not created | |
| CVE-2022-48878 | Bluetooth: hci_qca: Fix driver shutdown on closed serdev | |
| CVE-2022-48879 | efi: fix NULL-deref in init error path | |
| CVE-2022-48880 | platform/surface: aggregator: Add missing call to ssam_request_sync_free() | |
| CVE-2022-48881 | platform/x86/amd: Fix refcount leak in amd_pmc_probe | |
| CVE-2022-48882 | net/mlx5e: Fix macsec possible null dereference when updating MAC security entity (SecY) | |
| CVE-2022-48883 | net/mlx5e: IPoIB, Block PKEY interfaces with less rx queues than parent | |
| CVE-2022-48884 | net/mlx5: Fix command stats access after free | |
| CVE-2022-48885 | ice: Fix potential memory leak in ice_gnss_tty_write() |
Showing top 20 of 69 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-46300
net: skbuff: preserve shared-frag marker during coalescing - CVE-2026-43503
net: skbuff: propagate shared-frag marker through frag-trans - CVE-2026-43502
net/rds: handle zerocopy send cleanup before the message is - CVE-2026-43501
ipv6: rpl: reserve mac_len headroom when recompressed SRH gr - CVE-2026-43498
accel/ivpu: Disallow re-exporting imported GEM objects
Same vendor: Linux
- CVE-2026-46300
net: skbuff: preserve shared-frag marker during coalescing - CVE-2026-43503
net: skbuff: propagate shared-frag marker through frag-trans - CVE-2026-43502
net/rds: handle zerocopy send cleanup before the message is - CVE-2026-43501
ipv6: rpl: reserve mac_len headroom when recompressed SRH gr - CVE-2026-43498
accel/ivpu: Disallow re-exporting imported GEM objects
V. Comments for CVE-2022-48892
No comments yet