From 250ed4fa90030bf2a61fa3e37b223ee0e25c7b19 Mon Sep 17 00:00:00 2001 From: Paul Devitt Date: Fri, 16 Sep 2022 15:46:33 +0200 Subject: [PATCH] CVE-2022-3176 - Use after Free in io_uring --- 2022/3xxx/CVE-2022-3176.json | 110 ++++++++++++++++++++++++++++++----- 1 file changed, 94 insertions(+), 16 deletions(-) diff --git a/2022/3xxx/CVE-2022-3176.json b/2022/3xxx/CVE-2022-3176.json index 9453ddeb030..ea85c1f158e 100644 --- a/2022/3xxx/CVE-2022-3176.json +++ b/2022/3xxx/CVE-2022-3176.json @@ -1,18 +1,96 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", - "CVE_data_meta": { - "ID": "CVE-2022-3176", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" - }, - "description": { - "description_data": [ - { - "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." - } - ] + "CVE_data_meta": { + "ASSIGNER": "security@google.com", + "DATE_PUBLIC": "2022-08-31T22:00:00.000Z", + "ID": "CVE-2022-3176", + "STATE": "PUBLIC", + "TITLE": "Use-after-free in io_uring in Linux Kernel" + }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "Kernel", + "version": { + "version_data": [ + { + "version_affected": "<", + "version_value": "fc78b2fc21f10c4c9c4d5d659a685710ffa63659" + } + ] + } + } + ] + }, + "vendor_name": "Linux" + } + ] + } + }, + "credit": [ + { + "lang": "eng", + "value": "Bing-Jhong Billy Jheng " } -} \ No newline at end of file +], + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", + "description": { + "description_data": [ + { + "lang": "eng", + "value": "There exists a use-after-free in io_uring in the Linux kernel. Signalfd_poll() and binder_poll() use a waitqueue whose lifetime is the current task. It will send a POLLFREE notification to all waiters before the queue is freed. Unfortunately, the io_uring poll doesn't handle POLLFREE. This allows a use-after-free to occur if a signalfd or binder fd is polled with io_uring poll, and the waitqueue gets freed. We recommend upgrading past commit fc78b2fc21f10c4c9c4d5d659a685710ffa63659" + } + ] + }, + "generator": { + "engine": "Vulnogram 0.0.9" + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "LOCAL", + "availabilityImpact": "HIGH", + "baseScore": 7.8, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } +}, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-416 Use After Free" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "refsource": "CONFIRM", + "url": "https://kernel.dance/#fc78b2fc21f10c4c9c4d5d659a685710ffa63659" + }, + { + "refsource": "CONFIRM", + "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit?h=linux-5.4.y&id=fc78b2fc21f10c4c9c4d5d659a685710ffa63659" + } + ] + }, + "source": { + "discovery": "EXTERNAL" + } +}