CVE-2022-48954

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
21/10/2024
Last modified:
24/10/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

s390/qeth: fix use-after-free in hsci

KASAN found that addr was dereferenced after br2dev_event_work was freed.

==================================================================
BUG: KASAN: use-after-free in qeth_l2_br2dev_worker+0x5ba/0x6b0
Read of size 1 at addr 00000000fdcea440 by task kworker/u760:4/540
CPU: 17 PID: 540 Comm: kworker/u760:4 Tainted: G E 6.1.0-20221128.rc7.git1.5aa3bed4ce83.300.fc36.s390x+kasan #1
Hardware name: IBM 8561 T01 703 (LPAR)
Workqueue: 0.0.8000_event qeth_l2_br2dev_worker
Call Trace:
[] dump_stack_lvl+0xc6/0xf8
[] print_address_description.constprop.0+0x34/0x2a0
[] print_report+0x110/0x1f8
[] kasan_report+0xfc/0x128
[] qeth_l2_br2dev_worker+0x5ba/0x6b0
[] process_one_work+0x76e/0x1128
[] worker_thread+0x184/0x1098
[] kthread+0x26a/0x310
[] __ret_from_fork+0x8a/0xe8
[] ret_from_fork+0xa/0x40
Allocated by task 108338:
kasan_save_stack+0x40/0x68
kasan_set_track+0x36/0x48
__kasan_kmalloc+0xa0/0xc0
qeth_l2_switchdev_event+0x25a/0x738
atomic_notifier_call_chain+0x9c/0xf8
br_switchdev_fdb_notify+0xf4/0x110
fdb_notify+0x122/0x180
fdb_add_entry.constprop.0.isra.0+0x312/0x558
br_fdb_add+0x59e/0x858
rtnl_fdb_add+0x58a/0x928
rtnetlink_rcv_msg+0x5f8/0x8d8
netlink_rcv_skb+0x1f2/0x408
netlink_unicast+0x570/0x790
netlink_sendmsg+0x752/0xbe0
sock_sendmsg+0xca/0x110
____sys_sendmsg+0x510/0x6a8
___sys_sendmsg+0x12a/0x180
__sys_sendmsg+0xe6/0x168
__do_sys_socketcall+0x3c8/0x468
do_syscall+0x22c/0x328
__do_syscall+0x94/0xf0
system_call+0x82/0xb0
Freed by task 540:
kasan_save_stack+0x40/0x68
kasan_set_track+0x36/0x48
kasan_save_free_info+0x4c/0x68
____kasan_slab_free+0x14e/0x1a8
__kasan_slab_free+0x24/0x30
__kmem_cache_free+0x168/0x338
qeth_l2_br2dev_worker+0x154/0x6b0
process_one_work+0x76e/0x1128
worker_thread+0x184/0x1098
kthread+0x26a/0x310
__ret_from_fork+0x8a/0xe8
ret_from_fork+0xa/0x40
Last potentially related work creation:
kasan_save_stack+0x40/0x68
__kasan_record_aux_stack+0xbe/0xd0
insert_work+0x56/0x2e8
__queue_work+0x4ce/0xd10
queue_work_on+0xf4/0x100
qeth_l2_switchdev_event+0x520/0x738
atomic_notifier_call_chain+0x9c/0xf8
br_switchdev_fdb_notify+0xf4/0x110
fdb_notify+0x122/0x180
fdb_add_entry.constprop.0.isra.0+0x312/0x558
br_fdb_add+0x59e/0x858
rtnl_fdb_add+0x58a/0x928
rtnetlink_rcv_msg+0x5f8/0x8d8
netlink_rcv_skb+0x1f2/0x408
netlink_unicast+0x570/0x790
netlink_sendmsg+0x752/0xbe0
sock_sendmsg+0xca/0x110
____sys_sendmsg+0x510/0x6a8
___sys_sendmsg+0x12a/0x180
__sys_sendmsg+0xe6/0x168
__do_sys_socketcall+0x3c8/0x468
do_syscall+0x22c/0x328
__do_syscall+0x94/0xf0
system_call+0x82/0xb0
Second to last potentially related work creation:
kasan_save_stack+0x40/0x68
__kasan_record_aux_stack+0xbe/0xd0
kvfree_call_rcu+0xb2/0x760
kernfs_unlink_open_file+0x348/0x430
kernfs_fop_release+0xc2/0x320
__fput+0x1ae/0x768
task_work_run+0x1bc/0x298
exit_to_user_mode_prepare+0x1a0/0x1a8
__do_syscall+0x94/0xf0
system_call+0x82/0xb0
The buggy address belongs to the object at 00000000fdcea400
which belongs to the cache kmalloc-96 of size 96
The buggy address is located 64 bytes inside of
96-byte region [00000000fdcea400, 00000000fdcea460)
The buggy address belongs to the physical page:
page:000000005a9c26e8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xfdcea
flags: 0x3ffff00000000200(slab|node=0|zone=1|lastcpupid=0x1ffff)
raw: 3ffff00000000200 0000000000000000 0000000100000122 000000008008cc00
raw: 0000000000000000 0020004100000000 ffffffff00000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
00000000fdcea300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
00000000fdcea380: fb fb fb fb fb fb f
---truncated---
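The report above has the classic shape of a self-freeing work item: the "Freed by" stack is the worker itself (qeth_l2_br2dev_worker), the "Allocated by" and "work creation" stacks are the switchdev notifier that queued it, and the addr field is read after the kfree. The fb bytes in the memory-state dump are KASAN's shadow marker for freed slab memory. The following is an added example written for this page, not kernel code and not the actual qeth patch: a toy single-object slab with KASAN-style poisoning and access checking, a worker with the free-then-use ordering, and the same worker with the use moved before the free. The struct layout, all function names and the sample MAC address are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6
#define KASAN_FREE_POISON 0xfb   /* KASAN marks freed slab bytes "fb" (see the memory-state dump) */

/* Hypothetical model of the per-event work item; the real kernel struct is not on this page. */
struct br2dev_event_work {
    unsigned char addr[ETH_ALEN];   /* MAC address carried from the switchdev notifier */
    int ntfy_type;
};

/* Toy one-object slab cache: tracks liveness and poisons on free, like KASAN plus slab poisoning. */
static unsigned char slab_obj[sizeof(struct br2dev_event_work)];
static int slab_obj_live;   /* 1 between kmalloc and kfree, 0 otherwise */
static int kasan_reports;   /* count of detected bad accesses ("BUG: KASAN: use-after-free") */

static struct br2dev_event_work *toy_kmalloc(void)
{
    if (slab_obj_live)
        return NULL;                    /* only one object in this toy cache */
    memset(slab_obj, 0, sizeof slab_obj);
    slab_obj_live = 1;
    return (struct br2dev_event_work *)slab_obj;
}

static void toy_kfree(struct br2dev_event_work *w)
{
    memset(w, KASAN_FREE_POISON, sizeof *w);
    slab_obj_live = 0;
}

/* Instrumented load: KASAN checks shadow state on every access; here the check is
 * "is the address inside the object, and is that object currently freed". */
static unsigned char toy_read_byte(const unsigned char *p)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)slab_obj, hi = lo + sizeof slab_obj;

    if (a >= lo && a < hi && !slab_obj_live)
        kasan_reports++;
    return *p;
}

/* Buggy ordering, as in the report: the worker frees its work item and then reads addr from it. */
static unsigned char buggy_worker(struct br2dev_event_work *work)
{
    /* ... event handled here ... */
    toy_kfree(work);
    return toy_read_byte(&work->addr[0]);   /* stale read: yields poison 0xfb, KASAN fires */
}

/* Fixed ordering: take everything needed out of the work item before freeing it. */
static unsigned char fixed_worker(struct br2dev_event_work *work)
{
    unsigned char first = toy_read_byte(&work->addr[0]);

    /* ... event handled here ... */
    toy_kfree(work);
    return first;
}

/* Models the notifier side (qeth_l2_switchdev_event in the report): allocate, fill, run worker.
 * Returns the number of KASAN reports; the byte the worker read is stored in *out_byte. */
static int run_event(int fixed, unsigned char *out_byte)
{
    /* Constructed sample MAC, not taken from the advisory. */
    static const unsigned char sample_mac[ETH_ALEN] = { 0x02, 0x00, 0x5e, 0x10, 0x20, 0x30 };
    struct br2dev_event_work *w = toy_kmalloc();

    if (!w)
        return -1;
    memcpy(w->addr, sample_mac, ETH_ALEN);
    w->ntfy_type = 1;
    kasan_reports = 0;
    *out_byte = fixed ? fixed_worker(w) : buggy_worker(w);
    return kasan_reports;
}

/* Packs (reports << 8) | byte_read so one value describes a run; -1 on allocation failure. */
static int event_result(int fixed)
{
    unsigned char b = 0;
    int reports = run_event(fixed, &b);

    return reports < 0 ? -1 : ((reports << 8) | b);
}

int main(void)
{
    printf("buggy worker: 0x%04x (reports<<8 | byte)\n", event_result(0));
    printf("fixed worker: 0x%04x (reports<<8 | byte)\n", event_result(1));
    return 0;
}
```

The toy shows why the report's "Read of size 1" came back as poison rather than a MAC byte: once the worker has freed its own work item, every field of it is gone, including anything a later debug or trace message wants to print. The general rule for self-freeing work items is that kfree of the work struct is the last thing the worker does, or the needed fields are copied to locals first; a KASAN-enabled build, as used above, turns the stale read into an immediate report instead of a silent wrong value.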

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.15 (including) 5.15.83 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.0.13 (excluding)
cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc8:*:*:*:*:*:*