CVE-2022-49916
Severity CVSS v4.0: Pending analysis
Type: CWE-476 (NULL Pointer Dereference)
Publication date: 01/05/2025
Last modified: 07/05/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

rose: Fix NULL pointer dereference in rose_send_frame()

The syzkaller reported an issue:

```
KASAN: null-ptr-deref in range [0x0000000000000380-0x0000000000000387]
CPU: 0 PID: 4069 Comm: kworker/0:15 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Workqueue: rcu_gp srcu_invoke_callbacks
RIP: 0010:rose_send_frame+0x1dd/0x2f0 net/rose/rose_link.c:101
Call Trace:

rose_transmit_clear_request+0x1d5/0x290 net/rose/rose_link.c:255
rose_rx_call_request+0x4c0/0x1bc0 net/rose/af_rose.c:1009
rose_loopback_timer+0x19e/0x590 net/rose/rose_loopback.c:111
call_timer_fn+0x1a0/0x6b0 kernel/time/timer.c:1474
expire_timers kernel/time/timer.c:1519 [inline]
__run_timers.part.0+0x674/0xa80 kernel/time/timer.c:1790
__run_timers kernel/time/timer.c:1768 [inline]
run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803
__do_softirq+0x1d0/0x9c8 kernel/softirq.c:571
[...]
```

It triggers a NULL pointer dereference when `neigh->dev->dev_addr` is called in rose_send_frame(). The first occurrence of the `neigh` is in rose_loopback_timer() as `rose_loopback_neigh`, and the `dev` in `rose_loopback_neigh` is initialized as nullptr.

It had been fixed by commit 3b3fd068c56e3fbea30090859216a368398e39bf ("rose: Fix Null pointer dereference in rose_send_frame()") before, but it was introduced again by commit 3c53cd65dece47dd1f9d3a809f32e59d1d87b2b8 ("rose: check NULL rose_loopback_neigh->loopback").

We fix it by adding a NULL check in rose_transmit_clear_request(). When the `dev` in `neigh` is NULL, we don't reply to the request and just clear it.

syzkaller doesn't provide a repro, and I provide a syz repro like:

```
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000180)={'rose0\x00', 0x201})
r1 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
bind$rose(r1, &(0x7f00000000c0)=@full={0xb, @dev, @null, 0x0, [@null, @null, @netrom, @netrom, @default, @null]}, 0x40)
connect$rose(r1, &(0x7f0000000240)=@short={0xb, @dev={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x1, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}}, 0x1c)
```
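The fix described in the commit message is a caller-side NULL check: the loopback neighbour has no `dev`, so a reply that would read `neigh->dev->dev_addr` must be skipped rather than sent. The following is an added example written for this page, not the kernel's code: it models the two callers with simplified stand-in structures (`struct rose_neigh` with only a `dev` pointer, `struct net_device` with only a `dev_addr`, and placeholder CLEAR_REQUEST bytes that are constructed, not the real ROSE encoding). The unchecked variant keeps the shape of the pre-fix `rose_transmit_clear_request()` and is only safe to call with a bound device; the checked variant returns 0 to signal that the request was dropped instead of answered.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the kernel structures (NOT the real definitions):
 * a device carrying a hardware address, and a neighbour that may or may not
 * be bound to a device. The loopback neighbour from the report has dev == NULL. */
struct net_device {
    unsigned char dev_addr[7];   /* AX.25-callsign-sized address, constructed size */
};

struct rose_neigh {
    struct net_device *dev;      /* NULL for rose_loopback_neigh in the report */
};

/* Models rose_send_frame(): the device address is read unconditionally, which is
 * the neigh->dev->dev_addr dereference KASAN points at. Returns bytes "sent". */
static int send_frame(const struct rose_neigh *neigh, const unsigned char *payload, size_t len)
{
    unsigned char frame[64];
    size_t addr_len = sizeof neigh->dev->dev_addr;

    memcpy(frame, neigh->dev->dev_addr, addr_len);     /* faults when dev == NULL */
    memcpy(frame + addr_len, payload, len);
    return (int)(addr_len + len);
}

/* Pre-fix shape of rose_transmit_clear_request(): no check on neigh->dev.
 * Placeholder CLEAR_REQUEST bytes; constructed for the example. */
static int transmit_clear_request_unchecked(const struct rose_neigh *neigh)
{
    static const unsigned char clear_request[3] = { 0x10, 0x00, 0x13 };
    return send_frame(neigh, clear_request, sizeof clear_request);
}

/* Post-fix shape: when the neighbour has no device, do not reply; the caller
 * treats 0 as "request cleared without a reply". */
static int transmit_clear_request_checked(const struct rose_neigh *neigh)
{
    static const unsigned char clear_request[3] = { 0x10, 0x00, 0x13 };
    if (neigh->dev == NULL)
        return 0;
    return send_frame(neigh, clear_request, sizeof clear_request);
}

int main(void)
{
    struct net_device dev = { { 1, 2, 3, 4, 5, 6, 7 } };   /* constructed address */
    struct rose_neigh loopback = { NULL };                 /* models rose_loopback_neigh */
    struct rose_neigh bound = { &dev };

    printf("loopback neighbour, checked path: %d bytes (0 = dropped)\n",
           transmit_clear_request_checked(&loopback));
    printf("bound neighbour, checked path:    %d bytes\n",
           transmit_clear_request_checked(&bound));
    /* transmit_clear_request_unchecked(&loopback) would reproduce the crash. */
    return 0;
}
```

Calling the checked variant with the loopback neighbour returns 0 and never touches `dev`, which is the behaviour the advisory describes (drop the request, send no reply); a bound neighbour takes the same path as before the fix.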
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
CPE | From | Up to
---|---|---
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.9.327 (including) | 4.9.333 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.14.292 (including) | 4.14.299 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.19.257 (including) | 4.19.265 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.4.212 (including) | 5.4.224 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.10.140 (including) | 5.10.154 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.64 (including) | 5.15.78 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.19.6 (including) | 6.0.8 (excluding)
cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:* | |
cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:* | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/01b9c68c121847d05a4ccef68244dadf82bfa331
- https://git.kernel.org/stable/c/3e2129c67daca21043a26575108f6286c85e71f6
- https://git.kernel.org/stable/c/5b46adfbee1e429f33b10a88d6c00fa88f3d6c77
- https://git.kernel.org/stable/c/a601e5eded33bb88b8a42743db8fef3ad41dd97e
- https://git.kernel.org/stable/c/b13be5e852b03f376058027e462fad4230240891
- https://git.kernel.org/stable/c/bbc03d74e641e824754443b908454ca9e203773e
- https://git.kernel.org/stable/c/e97c089d7a49f67027395ddf70bf327eeac2611e
- https://git.kernel.org/stable/c/f06186e5271b980bac03f5c97276ed0146ddc9b0