CVE-2022-49018

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 21/10/2024
Last modified: 24/10/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix sleep in atomic at close time

Matt reported a splat at msk close time:

BUG: sleeping function called from invalid context at net/mptcp/protocol.c:2877
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 155, name: packetdrill
preempt_count: 201, expected: 0
RCU nest depth: 0, expected: 0
4 locks held by packetdrill/155:
 #0: ffff888001536990 (&sb->s_type->i_mutex_key#6){+.+.}-{3:3}, at: __sock_release (net/socket.c:650)
 #1: ffff88800b498130 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_close (net/mptcp/protocol.c:2973)
 #2: ffff88800b49a130 (sk_lock-AF_INET/1){+.+.}-{0:0}, at: __mptcp_close_ssk (net/mptcp/protocol.c:2363)
 #3: ffff88800b49a0b0 (slock-AF_INET){+...}-{2:2}, at: __lock_sock_fast (include/net/sock.h:1820)
Preemption disabled at:
0x0
CPU: 1 PID: 155 Comm: packetdrill Not tainted 6.1.0-rc5 #365
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4))
__might_resched.cold (kernel/sched/core.c:9891)
__mptcp_destroy_sock (include/linux/kernel.h:110)
__mptcp_close (net/mptcp/protocol.c:2959)
mptcp_subflow_queue_clean (include/net/sock.h:1777)
__mptcp_close_ssk (net/mptcp/protocol.c:2363)
mptcp_destroy_common (net/mptcp/protocol.c:3170)
mptcp_destroy (include/net/sock.h:1495)
__mptcp_destroy_sock (net/mptcp/protocol.c:2886)
__mptcp_close (net/mptcp/protocol.c:2959)
mptcp_close (net/mptcp/protocol.c:2974)
inet_release (net/ipv4/af_inet.c:432)
__sock_release (net/socket.c:651)
sock_close (net/socket.c:1367)
__fput (fs/file_table.c:320)
task_work_run (kernel/task_work.c:181 (discriminator 1))
exit_to_user_mode_prepare (include/linux/resume_user_mode.h:49)
syscall_exit_to_user_mode (kernel/entry/common.c:130)
do_syscall_64 (arch/x86/entry/common.c:87)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)

We can't call mptcp_close under the 'fast' socket lock variant, replace
it with a sock_lock_nested() as the relevant code is already under the
listening msk socket lock protection.
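For triage of kernel logs, the fields of the splat quoted above can be extracted mechanically. This is an added example, not part of the CVE record or the kernel patch. It assumes preempt_count is printed in hexadecimal with the usual kernel bit layout (bits 0-7 preemption depth, 8-15 softirq, 16-19 hardirq), and `parse_splat` is a hypothetical helper name.

```python
import re

# Excerpt of the splat quoted in the description above.
SAMPLE = """\
BUG: sleeping function called from invalid context at net/mptcp/protocol.c:2877
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 155, name: packetdrill
preempt_count: 201, expected: 0
4 locks held by packetdrill/155:
 #0: ffff888001536990 (&sb->s_type->i_mutex_key#6){+.+.}-{3:3}, at: __sock_release (net/socket.c:650)
 #1: ffff88800b498130 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_close (net/mptcp/protocol.c:2973)
 #2: ffff88800b49a130 (sk_lock-AF_INET/1){+.+.}-{0:0}, at: __mptcp_close_ssk (net/mptcp/protocol.c:2363)
 #3: ffff88800b49a0b0 (slock-AF_INET){+...}-{2:2}, at: __lock_sock_fast (include/net/sock.h:1820)
"""

BUG_RE = re.compile(r"BUG: sleeping function called from invalid context at (\S+):(\d+)")
CTX_RE = re.compile(r"in_atomic\(\): (\d+), irqs_disabled\(\): (\d+).*?name: (\S+)")
# Assumption: the kernel prints preempt_count in hex, so "201" is 0x201.
PREEMPT_RE = re.compile(r"preempt_count: ([0-9a-f]+), expected: ")
# Lockdep held-lock line: index, address, (class name){usage}-{wait types}, at: function
LOCK_RE = re.compile(r"#(\d+): [0-9a-f]+ \((.+?)\)\{[^}]*\}-\{\d+:\d+\}, at: (\S+)")

def parse_splat(text):
    """Return a dict describing one 'sleeping in atomic' report, or None."""
    bug = BUG_RE.search(text)
    if not bug:
        return None
    ctx = CTX_RE.search(text)
    pc = PREEMPT_RE.search(text)
    count = int(pc.group(1), 16) if pc else 0
    locks = [(int(m.group(1)), m.group(2), m.group(3)) for m in LOCK_RE.finditer(text)]
    innermost = max(locks, default=None)  # highest index = most recently taken
    return {
        "site": f"{bug.group(1)}:{bug.group(2)}",
        "task": ctx.group(3) if ctx else None,
        "in_atomic": bool(int(ctx.group(1))) if ctx else None,
        "preempt_depth": count & 0xFF,        # bits 0-7
        "bh_disabled": bool(count & 0xFF00),  # bits 8-15 (softirq)
        "hardirq": bool(count & 0xF0000),     # bits 16-19
        "innermost_lock": innermost[1] if innermost else None,
        "taken_in": innermost[2] if innermost else None,
    }

if __name__ == "__main__":
    print(parse_splat(SAMPLE))
```

For the excerpt, the decoded state (preemption depth 1, bottom halves disabled, innermost lock `slock-AF_INET` taken in `__lock_sock_fast`) matches the 'fast' socket lock variant the description names as the cause.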

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.19.14 (including) 6.0 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.0 (including) 6.0.12 (excluding)
cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc7:*:*:*:*:*:*