{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2022-48674","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-02-25T13:44:28.322Z","datePublished":"2024-05-03T14:51:57.294Z","dateUpdated":"2025-05-04T12:43:34.523Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T12:43:34.523Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix pcluster use-after-free on UP platforms\n\nDuring stress testing with CONFIG_SMP disabled, KASAN reports as below:\n\n==================================================================\nBUG: KASAN: use-after-free in __mutex_lock+0xe5/0xc30\nRead of size 8 at addr ffff8881094223f8 by task stress/7789\n\nCPU: 0 PID: 7789 Comm: stress Not tainted 6.0.0-rc1-00002-g0d53d2e882f9 #3\nHardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011\nCall Trace:\n <TASK>\n..\n __mutex_lock+0xe5/0xc30\n..\n z_erofs_do_read_page+0x8ce/0x1560\n..\n z_erofs_readahead+0x31c/0x580\n..\nFreed by task 7787\n kasan_save_stack+0x1e/0x40\n kasan_set_track+0x20/0x30\n kasan_set_free_info+0x20/0x40\n __kasan_slab_free+0x10c/0x190\n kmem_cache_free+0xed/0x380\n rcu_core+0x3d5/0xc90\n __do_softirq+0x12d/0x389\n\nLast potentially related work creation:\n kasan_save_stack+0x1e/0x40\n __kasan_record_aux_stack+0x97/0xb0\n call_rcu+0x3d/0x3f0\n erofs_shrink_workstation+0x11f/0x210\n erofs_shrink_scan+0xdc/0x170\n shrink_slab.constprop.0+0x296/0x530\n drop_slab+0x1c/0x70\n drop_caches_sysctl_handler+0x70/0x80\n proc_sys_call_handler+0x20a/0x2f0\n vfs_write+0x555/0x6c0\n ksys_write+0xbe/0x160\n do_syscall_64+0x3b/0x90\n\nThe root cause is that erofs_workgroup_unfreeze() doesn't reset to\norig_val thus it causes a race that the pcluster reuses unexpectedly\nbefore freeing.\n\nSince UP platforms are quite rare now, such path becomes unnecessary.\nLet's drop such specific-designed path directly instead."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/erofs/internal.h"],"versions":[{"version":"73f5c66df3e26ab750cefcb9a3e08c71c9f79cad","lessThan":"8ddd001cef5e82d19192e6861068463ecca5f556","status":"affected","versionType":"git"},{"version":"73f5c66df3e26ab750cefcb9a3e08c71c9f79cad","lessThan":"94c34faaafe7b55adc2d8d881db195b646959b9e","status":"affected","versionType":"git"},{"version":"73f5c66df3e26ab750cefcb9a3e08c71c9f79cad","lessThan":"2f44013e39984c127c6efedf70e6b5f4e9dcf315","status":"affected","versionType":"git"},{"version":"08ec9e6892cc792d7f8fe4d13bd8a0e91fb23488","status":"affected","versionType":"git"},{"version":"78c46113413bea1cc345757112aa2642e0f66de5","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/erofs/internal.h"],"versions":[{"version":"5.0","status":"affected"},{"version":"0","lessThan":"5.0","status":"unaffected","versionType":"semver"},{"version":"5.15.68","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.19.9","lessThanOrEqual":"5.19.*","status":"unaffected","versionType":"semver"},{"version":"6.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"5.15.68"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"5.19.9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0","versionEndExcluding":"6.0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.26"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20.13"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/8ddd001cef5e82d19192e6861068463ecca5f556"},{"url":"https://git.kernel.org/stable/c/94c34faaafe7b55adc2d8d881db195b646959b9e"},{"url":"https://git.kernel.org/stable/c/2f44013e39984c127c6efedf70e6b5f4e9dcf315"}],"title":"erofs: fix pcluster use-after-free on UP platforms","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-416","lang":"en","description":"CWE-416 Use After Free"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":6.2,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"NONE","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"timestamp":"2024-06-17T17:40:01.935760Z","id":"CVE-2022-48674","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-11-21T21:25:20.019Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-03T15:17:55.810Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/8ddd001cef5e82d19192e6861068463ecca5f556","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/94c34faaafe7b55adc2d8d881db195b646959b9e","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/2f44013e39984c127c6efedf70e6b5f4e9dcf315","tags":["x_transferred"]}]}]}}