CVE-2022-1280: concurrency use-after-free between drm_setmaster_ioctl and drm_mode_getresources
A use-after-free vulnerability was found in drm_lease_held in drivers/gpu/drm/drm_lease.c in the Linux kernel, caused by a race condition. This flaw allows a local attacker with user privileges to cause a denial of service (DoS) or a kernel information leak.
Bug 2071022 (CVE-2022-1280) - CVE-2022-1280 kernel: concurrency use-after-free between drm_setmaster_ioctl and drm_mode_getresources
Summary: CVE-2022-1280 kernel: concurrency use-after-free between drm_setmaster_ioctl …
Keywords:
Status:
NEW
Alias:
CVE-2022-1280
Product:
Security Response
Classification:
Other
Component:
vulnerability
Sub Component:
Version:
unspecified
Hardware:
All
OS:
Linux
Priority:
medium
Severity:
medium
Target Milestone:
—
Assignee:
Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Duplicates (1):
2073427
Depends On:
2072198 2072199 2073757 2073758
Blocks:
2071023 2073430
Reported:
2022-04-01 15:10 UTC by Marian Rehak
Modified:
2022-04-13 11:39 UTC
CC List:
52 users
Fixed In Version:
Doc Type:
If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Description Marian Rehak 2022-04-01 15:10:27 UTC
The root cause of this race is that drm_setmaster_ioctl can free an old *fpriv->master* in drm_new_set_master, while drm_mode_getresources holds a freed *fpriv->master* in drm_lease_held due to the absence of a proper lock.
References:
https://www.openwall.com/lists/oss-security/2022/04/12/3
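The interleaving described in the report, reduced to a userspace model. This is added example code, not the kernel's drm_lease.c or drm_auth.c, and every name in it (struct master, struct file_priv, master_lookup_lock, file_get_master, lease_held_racy, lease_held_safe, set_master) is a hypothetical stand-in for the kernel objects and functions; the lease idr is modelled as a bitmask and the kref as an atomic counter. lease_held_racy reproduces the shape of the bug (pointer read with no lock and no reference, then dereferenced), and lease_held_safe shows the shape that closes it: take the lookup lock, grab a reference under it, use the object, drop the reference. replay_swap_under_reader walks through the racy interleaving against the safe shape step by step, so the lifetime argument can be checked without relying on a nondeterministic crash.

```c
/* Simplified model of the drm_file -> drm_master lifetime race. Added
 * example, not kernel code; all identifiers are hypothetical stand-ins. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

static atomic_int masters_freed;        /* observable stand-in for a crash */

struct master {
	atomic_int refcount;            /* kref in the kernel */
	unsigned long leased_ids;       /* bit i set: object id i is leased */
};

struct file_priv {
	struct master *master;          /* replaced by set_master() */
	atomic_flag master_lookup_lock; /* spinlock guarding the pointer above */
};

static void lock(atomic_flag *l)   { while (atomic_flag_test_and_set(l)) ; }
static void unlock(atomic_flag *l) { atomic_flag_clear(l); }

static struct master *master_new(unsigned long leased_ids)
{
	struct master *m = calloc(1, sizeof(*m));
	if (!m)
		abort();
	atomic_init(&m->refcount, 1);   /* the file's own reference */
	m->leased_ids = leased_ids;
	return m;
}

static void master_get(struct master *m) { atomic_fetch_add(&m->refcount, 1); }

static void master_put(struct master *m)
{
	if (atomic_fetch_sub(&m->refcount, 1) == 1) {  /* last reference gone */
		atomic_fetch_add(&masters_freed, 1);
		free(m);
	}
}

/* Vulnerable shape: fpriv->master is read with no lock and no reference.
 * Between the read and the dereference, set_master() on another CPU can
 * drop the last reference and free the object. */
static bool lease_held_racy(struct file_priv *fpriv, int id)
{
	struct master *m = fpriv->master;          /* unsynchronised read */
	/* ... race window: a concurrent set_master() may free *m here ... */
	return m && ((m->leased_ids >> id) & 1);   /* use-after-free */
}

/* Fixed shape: the pointer is only read under the lock, and a reference is
 * taken before the lock is dropped, so the object outlives the lookup. */
static struct master *file_get_master(struct file_priv *fpriv)
{
	lock(&fpriv->master_lookup_lock);
	struct master *m = fpriv->master;
	if (m)
		master_get(m);
	unlock(&fpriv->master_lookup_lock);
	return m;
}

static bool lease_held_safe(struct file_priv *fpriv, int id)
{
	struct master *m = file_get_master(fpriv);
	if (!m)
		return false;                      /* no master: nothing leased (model choice) */
	bool ret = (m->leased_ids >> id) & 1;
	master_put(m);
	return ret;
}

/* Stand-in for the swap done from drm_setmaster_ioctl: install the new
 * master under the lock, then drop the file's reference on the old one. */
static void set_master(struct file_priv *fpriv, struct master *new_master)
{
	lock(&fpriv->master_lookup_lock);
	struct master *old = fpriv->master;
	fpriv->master = new_master;
	unlock(&fpriv->master_lookup_lock);
	if (old)
		master_put(old);                   /* frees only if no reader holds it */
}

/* Deterministic replay of the racy interleaving against the fixed shape.
 * Returns how many masters the swap alone freed (0 is correct), or -1 if
 * the reader saw a wrong lease bit or the final free count is off. */
static int replay_swap_under_reader(void)
{
	struct file_priv fpriv = { .master = master_new(1UL << 5),
	                           .master_lookup_lock = ATOMIC_FLAG_INIT };
	atomic_store(&masters_freed, 0);

	struct master *held = file_get_master(&fpriv);   /* reader mid-lookup */
	set_master(&fpriv, master_new(0));               /* concurrent swap */
	int freed_by_swap = atomic_load(&masters_freed); /* old master still alive */
	bool bit = (held->leased_ids >> 5) & 1;          /* safe: we hold a reference */
	master_put(held);                                /* now it is freed */
	set_master(&fpriv, NULL);                        /* drop the new one too */

	if (!bit || atomic_load(&masters_freed) != 2)
		return -1;
	return freed_by_swap;
}

/* The fixed lookup gives the right answer and leaves the refcount balanced;
 * the racy shape agrees with it here only because nothing runs concurrently. */
static bool safe_lookup_balances_refcount(void)
{
	struct file_priv fpriv = { .master = master_new(1UL << 5),
	                           .master_lookup_lock = ATOMIC_FLAG_INIT };
	bool ok = lease_held_safe(&fpriv, 5) && !lease_held_safe(&fpriv, 6)
	          && atomic_load(&fpriv.master->refcount) == 1
	          && lease_held_racy(&fpriv, 5);
	set_master(&fpriv, NULL);
	return ok;
}

int main(void)
{
	printf("swap freed %d master(s) while a reader held a reference\n",
	       replay_swap_under_reader());
	printf("lookup balanced: %s\n", safe_lookup_balances_refcount() ? "yes" : "no");
	return 0;
}
```

The model keeps the race window as a comment rather than exercising it with threads: a real concurrent run of lease_held_racy is exactly the nondeterministic use-after-free the bug describes, while the replay shows why holding a reference taken under the lookup lock makes the swap harmless regardless of where the reader is interrupted.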
Comment 11 Pedro Sampaio 2022-04-11 12:34:20 UTC
*** Bug 2073427 has been marked as a duplicate of this bug. ***