CVE-2022-49916

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 01/05/2025
Last modified: 07/05/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

rose: Fix NULL pointer dereference in rose_send_frame()

The syzkaller reported an issue:

KASAN: null-ptr-deref in range [0x0000000000000380-0x0000000000000387]
CPU: 0 PID: 4069 Comm: kworker/0:15 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Workqueue: rcu_gp srcu_invoke_callbacks
RIP: 0010:rose_send_frame+0x1dd/0x2f0 net/rose/rose_link.c:101
Call Trace:

rose_transmit_clear_request+0x1d5/0x290 net/rose/rose_link.c:255
rose_rx_call_request+0x4c0/0x1bc0 net/rose/af_rose.c:1009
rose_loopback_timer+0x19e/0x590 net/rose/rose_loopback.c:111
call_timer_fn+0x1a0/0x6b0 kernel/time/timer.c:1474
expire_timers kernel/time/timer.c:1519 [inline]
__run_timers.part.0+0x674/0xa80 kernel/time/timer.c:1790
__run_timers kernel/time/timer.c:1768 [inline]
run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803
__do_softirq+0x1d0/0x9c8 kernel/softirq.c:571
[...]

It triggers a NULL pointer dereference when 'neigh->dev->dev_addr' is
called in rose_send_frame(). The first occurrence of the `neigh` is in
rose_loopback_timer() as 'rose_loopback_neigh', and the 'dev' in
'rose_loopback_neigh' is initialized as nullptr.

It had been fixed by commit 3b3fd068c56e3fbea30090859216a368398e39bf
("rose: Fix Null pointer dereference in rose_send_frame()") before, but
it was introduced again by commit 3c53cd65dece47dd1f9d3a809f32e59d1d87b2b8
("rose: check NULL rose_loopback_neigh->loopback").

We fix it by adding a NULL check in rose_transmit_clear_request(). When
the 'dev' in 'neigh' is NULL, we don't reply to the request and just
clear it.

syzkaller doesn't provide a repro, and I provide a syz repro like:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000180)={'rose0\x00', 0x201})
r1 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
bind$rose(r1, &(0x7f00000000c0)=@full={0xb, @dev, @null, 0x0, [@null, @null, @netrom, @netrom, @default, @null]}, 0x40)
connect$rose(r1, &(0x7f0000000240)=@short={0xb, @dev={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x1, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}}, 0x1c)
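The shape of the fix described above, as an added stand-alone C model that is not the kernel's code: the `struct rose_neigh` and `struct net_device` definitions are reduced to the two fields the description mentions, and the `model_` and `demo_` functions are assumed names standing in for `rose_send_frame()` and `rose_transmit_clear_request()`. The point it shows is that the callee dereferences `neigh->dev` unconditionally, so the guard has to sit in the caller, and that a small check like `demo_loopback_request()` is the kind of regression test that would have caught the fix being dropped the second time.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-alone model, not the kernel's definitions: only the
 * fields the CVE description mentions are kept (assumption). */
struct net_device {
    unsigned char dev_addr[7];   /* constructed 7-byte AX.25-style address */
};

struct rose_neigh {
    struct net_device *dev;      /* NULL for the loopback neighbour, per the description */
    int loopback;
};

/* Model of rose_send_frame(): reads neigh->dev->dev_addr without checking dev.
 * A NULL dev here is the dereference KASAN reported. */
static int model_rose_send_frame(struct rose_neigh *neigh, unsigned char *out)
{
    memcpy(out, neigh->dev->dev_addr, sizeof neigh->dev->dev_addr);
    return 1;                    /* reply frame was built and sent */
}

/* Model of the fixed rose_transmit_clear_request(): the guard sits in the
 * caller, before any frame is built. With no device there is nothing to
 * send the clear request on, so the request is dropped without a reply. */
static int model_rose_transmit_clear_request(struct rose_neigh *neigh, unsigned char *out)
{
    if (neigh->dev == NULL)
        return 0;                /* request cleared, no reply sent */
    return model_rose_send_frame(neigh, out);
}

/* Loopback neighbour as the description says it is initialised: dev is NULL.
 * Calling model_rose_send_frame() on it directly would crash; the guarded
 * caller returns 0 instead. */
int demo_loopback_request(void)
{
    struct rose_neigh loopback = { .dev = NULL, .loopback = 1 };
    unsigned char frame[7] = {0};
    return model_rose_transmit_clear_request(&loopback, frame);
}

/* Neighbour that does have a device: the guard passes and the frame is sent,
 * carrying the device address. Returns 1 only if both hold. */
int demo_device_request(void)
{
    struct net_device dev = { .dev_addr = { 'R', 'O', 'S', 'E', '0', ' ', 0 } };
    struct rose_neigh neigh = { .dev = &dev, .loopback = 0 };
    unsigned char frame[7] = {0};
    int sent = model_rose_transmit_clear_request(&neigh, frame);
    return sent && memcmp(frame, dev.dev_addr, sizeof frame) == 0;
}

int main(void)
{
    printf("loopback (dev == NULL): sent=%d\n", demo_loopback_request()); /* 0 */
    printf("real device:            sent=%d\n", demo_device_request());   /* 1 */
    return 0;
}
```

The guard is placed in the caller rather than inside the frame builder because the loopback neighbour is a legitimate object in the table whose only peculiarity is the missing device; refusing to build a reply for it is the behaviour the fix describes, and the two `demo_` functions pin that behaviour down so a later refactor cannot silently drop the check again.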

Vulnerable products and versions

CPE                                              From (including)   Up to (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     4.9.327            4.9.333
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     4.14.292           4.14.299
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     4.19.257           4.19.265
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.4.212            5.4.224
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.10.140           5.10.154
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.15.64            5.15.78
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.19.6             6.0.8
cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*