CVE-2022-50063
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 18/06/2025
Last modified: 18/06/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

net: dsa: felix: suppress non-changes to the tagging protocol

The way in which dsa_tree_change_tag_proto() works is that when
dsa_tree_notify() fails, it doesn't know whether the operation failed
midway in a multi-switch tree, or it failed for a single-switch tree.
So even though drivers need to fail cleanly in
ds->ops->change_tag_protocol(), DSA will still call dsa_tree_notify()
again, to restore the old tag protocol for potential switches in the
tree where the change did succeed (before failing for others).

This means for the felix driver that if we report an error in
felix_change_tag_protocol(), we'll get another call where proto_ops ==
old_proto_ops. If we proceed to act upon that, we may do unexpected
things. For example, we will call dsa_tag_8021q_register() twice in a
row, without any dsa_tag_8021q_unregister() in between. Then we will
actually call dsa_tag_8021q_unregister() via old_proto_ops->teardown,
which (if it manages to run at all, after walking through corrupted data
structures) will leave the ports inoperational anyway.

The bug can be readily reproduced if we force an error while in
tag_8021q mode; this crashes the kernel.

  echo ocelot-8021q > /sys/class/net/eno2/dsa/tagging
  echo edsa > /sys/class/net/eno2/dsa/tagging # -EPROTONOSUPPORT

  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000014
  Call trace:
   vcap_entry_get+0x24/0x124
   ocelot_vcap_filter_del+0x198/0x270
   felix_tag_8021q_vlan_del+0xd4/0x21c
   dsa_switch_tag_8021q_vlan_del+0x168/0x2cc
   dsa_switch_event+0x68/0x1170
   dsa_tree_notify+0x14/0x34
   dsa_port_tag_8021q_vlan_del+0x84/0x110
   dsa_tag_8021q_unregister+0x15c/0x1c0
   felix_tag_8021q_teardown+0x16c/0x180
   felix_change_tag_protocol+0x1bc/0x230
   dsa_switch_event+0x14c/0x1170
   dsa_tree_change_tag_proto+0x118/0x1c0
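
The sequence described above, as a simplified userspace model added here for illustration (not code from the kernel or the felix driver): a core that retries the old protocol after a failure, and a driver callback run with and without a check that suppresses non-changes. All type and function names are hypothetical, and the form of the guard is an assumption based on the commit title.

```c
#include <stdio.h>
/* Simplified userspace model; every name is hypothetical, not kernel code. */
struct proto_ops { int id; int supported; };
static const struct proto_ops ops_8021q = { 0, 1 };
static const struct proto_ops ops_edsa  = { 1, 0 };
struct sw {
    const struct proto_ops *cur; /* active tagging protocol */
    int active[2];               /* is each protocol's state set up? */
    int double_registers;        /* setups run on already-active state */
};

/* Driver side: models the change_tag_protocol() callback. */
static int driver_change(struct sw *s, const struct proto_ops *new_ops, int guard)
{
    if (!new_ops->supported) return -1;        /* stands in for -EPROTONOSUPPORT */
    if (guard && new_ops == s->cur) return 0;  /* non-change: suppress it */
    if (s->active[new_ops->id]) s->double_registers++; /* no unregister between */
    s->active[new_ops->id] = 1;                /* new protocol setup */
    if (s->cur) s->active[s->cur->id] = 0;     /* old protocol teardown */
    s->cur = new_ops;
    return 0;
}

/* Core side: on failure, asks the driver to restore the old protocol. */
static int tree_change(struct sw *s, const struct proto_ops *new_ops, int guard)
{
    const struct proto_ops *old_ops = s->cur;
    int err = driver_change(s, new_ops, guard);
    if (err && old_ops) driver_change(s, old_ops, guard);
    return err;
}

/* The two writes from the reproduction: ocelot-8021q, then edsa. */
static int run_scenario(int guard, struct sw *s)
{
    *s = (struct sw){ 0 };
    tree_change(s, &ops_8021q, guard);
    return tree_change(s, &ops_edsa, guard);
}

int main(void)
{
    struct sw s;
    for (int guard = 0; guard <= 1; guard++) {
        run_scenario(guard, &s);
        printf("guard=%d double_registers=%d active=%d\n",
               guard, s.double_registers, s.active[0]);
    }
}
```

Without the guard the restore call sets up the already-active protocol again and then tears it down, leaving the current protocol's state inactive; with the guard the restore call is a no-op and the state stays consistent.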