CVE-2022-50005

Description

In the Linux kernel, the following vulnerability has been resolved: nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout When the pn532 uart device is detaching, the pn532_uart_remove() is called. But there are no functions in pn532_uart_remove() that could delete the cmd_timeout timer, which will cause use-after-free bugs. The process is shown below: (thread 1) | (thread 2) | pn532_uart_send_frame pn532_uart_remove | mod_timer(&pn532->cmd_timeout,...) ... | (wait a time) kfree(pn532) //FREE | pn532_cmd_timeout | pn532_uart_send_frame | pn532->... //USE This patch adds del_timer_sync() in pn532_uart_remove() in order to prevent the use-after-free bugs. What's more, the pn53x_unregister_nfc() is well synchronized, it sets nfc_dev->shutting_down to true and there are no syscalls could restart the cmd_timeout timer.

Reserved 2025-06-18 | Published 2025-06-18 | Updated 2025-06-18 | Assigner Linux

Product status

Default status
unaffected

c656aa4c27b17a8c70da223ed5ab42145800d6b5 before 50403ee6daddf0d7a14e9d3b51a377c39a08ec8c
affected

c656aa4c27b17a8c70da223ed5ab42145800d6b5 before 9c34c33893db7a80d0e4b55c23d3b65e29609cfb
affected

c656aa4c27b17a8c70da223ed5ab42145800d6b5 before 2c71f5d55a86fd5969428abf525c1ae6b1c7b0f5
affected

c656aa4c27b17a8c70da223ed5ab42145800d6b5 before f1e941dbf80a9b8bab0bffbc4cbe41cc7f4c6fb6
affected

Default status
affected

5.5
affected

Any version before 5.5
unaffected

5.10.140
unaffected

5.15.64
unaffected

5.19.6
unaffected

6.0
unaffected

References

git.kernel.org/...c/50403ee6daddf0d7a14e9d3b51a377c39a08ec8c

git.kernel.org/...c/9c34c33893db7a80d0e4b55c23d3b65e29609cfb

git.kernel.org/...c/2c71f5d55a86fd5969428abf525c1ae6b1c7b0f5

git.kernel.org/...c/f1e941dbf80a9b8bab0bffbc4cbe41cc7f4c6fb6

cve.org (CVE-2022-50005)

nvd.nist.gov (CVE-2022-50005)

Download JSON