CVE-2022-49812

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
01/05/2025
Last modified:
02/05/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

bridge: switchdev: Fix memory leaks when changing VLAN protocol

The bridge driver can offload VLANs to the underlying hardware either via switchdev or the 8021q driver. When the former is used, the VLAN is marked in the bridge driver with the 'BR_VLFLAG_ADDED_BY_SWITCHDEV' private flag.

To avoid the memory leaks mentioned in the cited commit, the bridge driver will try to delete a VLAN via the 8021q driver if the VLAN is not marked with the previously mentioned flag.

When the VLAN protocol of the bridge changes, switchdev drivers are notified via the 'SWITCHDEV_ATTR_ID_BRIDGE_VLAN_PROTOCOL' attribute, but the 8021q driver is also called to add the existing VLANs with the new protocol and delete them with the old protocol.

In case the VLANs were offloaded via switchdev, the above behavior is both redundant and buggy. Redundant because the VLANs are already programmed in hardware and drivers that support VLAN protocol change (currently only mlx5) change the protocol upon the switchdev attribute notification. Buggy because the 8021q driver is called despite these VLANs being marked with 'BR_VLFLAG_ADDED_BY_SWITCHDEV'. This leads to memory leaks [1] when the VLANs are deleted.

Fix by not calling the 8021q driver for VLANs that were already programmed via switchdev.

[1]
unreferenced object 0xffff8881f6771200 (size 256):
  comm "ip", pid 446855, jiffies 4298238841 (age 55.240s)
  hex dump (first 32 bytes):
    00 00 7f 0e 83 88 ff ff 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  backtrace:
    [] vlan_vid_add+0x437/0x750
    [] __br_vlan_set_proto+0x289/0x920
    [] br_changelink+0x3d6/0x13f0
    [] __rtnl_newlink+0x8ae/0x14c0
    [] rtnl_newlink+0x5f/0x90
    [] rtnetlink_rcv_msg+0x336/0xa00
    [] netlink_rcv_skb+0x11d/0x340
    [] netlink_unicast+0x438/0x710
    [] netlink_sendmsg+0x788/0xc40
    [] sock_sendmsg+0xb0/0xe0
    [] ____sys_sendmsg+0x4ff/0x6d0
    [] ___sys_sendmsg+0x12e/0x1b0
    [] __sys_sendmsg+0xab/0x130
    [] do_syscall_64+0x3d/0x90
    [] entry_SYSCALL_64_after_hwframe+0x46/0xb0
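
The add/delete asymmetry described above, as an added user-space model (not kernel code and not part of the advisory or the kernel commit). The names q_add, q_del, set_proto, del_vlan and leaked_refs, and the per-(protocol, VID) reference table standing in for the 8021q driver's bookkeeping, are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ADDED_BY_SWITCHDEV 0x1u /* stands in for BR_VLFLAG_ADDED_BY_SWITCHDEV */
enum { PROTO_8021Q, PROTO_8021AD, NPROTO, MAX_VID = 64 };
struct vlan { int vid; unsigned flags; };

/* Toy 8021q bookkeeping (assumption): one reference per (protocol, VID). */
static int q_refs[NPROTO][MAX_VID], q_live;
static void q_add(int proto, int vid) { q_refs[proto][vid]++; q_live++; }
static void q_del(int proto, int vid)
{
    if (q_refs[proto][vid] > 0) { q_refs[proto][vid]--; q_live--; }
}

/* fixed=true models the patched behaviour: leave switchdev VLANs alone. */
static bool skip(const struct vlan *v, bool fixed)
{
    return fixed && (v->flags & ADDED_BY_SWITCHDEV);
}

/* Protocol change: add each VLAN under the new protocol, delete under the old. */
static void set_proto(const struct vlan *v, int n, int from, int to, bool fixed)
{
    for (int i = 0; i < n; i++)
        if (!skip(&v[i], fixed)) q_add(to, v[i].vid);
    for (int i = 0; i < n; i++)
        if (!skip(&v[i], fixed)) q_del(from, v[i].vid);
}

/* VLAN deletion: 8021q is called only for VLANs without the switchdev flag. */
static void del_vlan(const struct vlan *v, int proto)
{
    if (!(v->flags & ADDED_BY_SWITCHDEV)) q_del(proto, v->vid);
}

/* Constructed scenario: VLAN 10 offloaded via switchdev, VLAN 20 via 8021q.
 * Returns the 8021q references still held once both VLANs are deleted. */
int leaked_refs(bool fixed)
{
    const struct vlan vlans[] = { { 10, ADDED_BY_SWITCHDEV }, { 20, 0 } };
    memset(q_refs, 0, sizeof(q_refs));
    q_live = 0;
    q_add(PROTO_8021Q, 20); /* VLAN 20's original 8021q offload */
    set_proto(vlans, 2, PROTO_8021Q, PROTO_8021AD, fixed);
    for (int i = 0; i < 2; i++) del_vlan(&vlans[i], PROTO_8021AD);
    return q_live;
}

int main(void) { printf("unpatched: %d, patched: %d\n", leaked_refs(false), leaked_refs(true)); return 0; }
```

In the unpatched run the reference taken for the switchdev-offloaded VLAN under the new protocol is never released, because the deletion path skips flagged VLANs; this is the leaked object class that the kmemleak report attributes to vlan_vid_add.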

Impact