CVE-2022-50780
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 24/12/2025
Last modified: 24/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed

When the ops_init() interface is invoked to initialize the net, but
ops->init() fails, data is released. However, the ptr pointer in
net->gen is invalid. In this case, when nfqnl_nf_hook_drop() is invoked
to release the net, invalid address access occurs.

The process is as follows:
setup_net()
  ops_init()
    data = kzalloc(...)            ---> alloc "data"
    net_assign_generic()           ---> assign "data" to ptr in net->gen
    ...
    ops->init()                    ---> failed
    ...
    kfree(data);                   ---> ptr in net->gen is invalid
    ...
  ops_exit_list()
    ...
    nfqnl_nf_hook_drop()
      *q = nfnl_queue_pernet(net)  ---> q is invalid

The following is the Call Trace information:
BUG: KASAN: use-after-free in nfqnl_nf_hook_drop+0x264/0x280
Read of size 8 at addr ffff88810396b240 by task ip/15855
Call Trace:
 dump_stack_lvl+0x8e/0xd1
 print_report+0x155/0x454
 kasan_report+0xba/0x1f0
 nfqnl_nf_hook_drop+0x264/0x280
 nf_queue_nf_hook_drop+0x8b/0x1b0
 __nf_unregister_net_hook+0x1ae/0x5a0
 nf_unregister_net_hooks+0xde/0x130
 ops_exit_list+0xb0/0x170
 setup_net+0x7ac/0xbd0
 copy_net_ns+0x2e6/0x6b0
 create_new_namespaces+0x382/0xa50
 unshare_nsproxy_namespaces+0xa6/0x1c0
 ksys_unshare+0x3a4/0x7e0
 __x64_sys_unshare+0x2d/0x40
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Allocated by task 15855:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 __kasan_kmalloc+0xa1/0xb0
 __kmalloc+0x49/0xb0
 ops_init+0xe7/0x410
 setup_net+0x5aa/0xbd0
 copy_net_ns+0x2e6/0x6b0
 create_new_namespaces+0x382/0xa50
 unshare_nsproxy_namespaces+0xa6/0x1c0
 ksys_unshare+0x3a4/0x7e0
 __x64_sys_unshare+0x2d/0x40
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Freed by task 15855:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 kasan_save_free_info+0x2a/0x40
 ____kasan_slab_free+0x155/0x1b0
 slab_free_freelist_hook+0x11b/0x220
 __kmem_cache_free+0xa4/0x360
 ops_init+0xb9/0x410
 setup_net+0x5aa/0xbd0
 copy_net_ns+0x2e6/0x6b0
 create_new_namespaces+0x382/0xa50
 unshare_nsproxy_namespaces+0xa6/0x1c0
 ksys_unshare+0x3a4/0x7e0
 __x64_sys_unshare+0x2d/0x40
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
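The pointer lifecycle described above (per-net object allocated, its address stored in the net->gen table, object freed on ops->init() failure, stale address read back by the drop hook during unwind) can be modelled outside the kernel. The following is an added user-space C example, not the kernel's code or the referenced fix commits; the names net_generic, ops_init, nf_hook_drop and setup_net echo the kernel's, but the structures, the `fixed` switch and the return codes are constructed for this illustration. The remedy it shows, clearing the net->gen slot before the object is freed so the hook sees NULL and returns early, is the pattern the description implies and is stated here as an assumption about the fix, not a quotation of it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the ops_init() error path; not kernel code. */
#define MAX_PERNET_IDS 8

struct net {
    void *gen[MAX_PERNET_IDS];      /* per-namespace generic pointer table (net->gen) */
};

struct pernet_ops {
    int id;                         /* slot index in net->gen */
    size_t size;                    /* size of the per-net object */
    bool init_fails;                /* models ops->init() returning an error */
};

struct queue_pernet {
    int hooks_dropped;              /* stands in for the queue's per-net state */
};

static void net_assign_generic(struct net *net, int id, void *data) { net->gen[id] = data; }
static void *net_generic(struct net *net, int id) { return net->gen[id]; }

/* Model of ops_init(). When ops->init() fails the object is freed. The
 * vulnerable variant leaves net->gen pointing at freed memory; the fixed
 * variant (assumed remedy) clears the slot first. The freed address is
 * reported via *freed_addr so callers can detect a dangling pointer by value
 * without ever dereferencing it. */
static int ops_init(struct pernet_ops *ops, struct net *net, bool fixed,
                    uintptr_t *freed_addr)
{
    void *data = calloc(1, ops->size);
    if (!data)
        return -1;
    net_assign_generic(net, ops->id, data);
    if (!ops->init_fails)
        return 0;                   /* ops->init() succeeded */
    if (fixed)
        net_assign_generic(net, ops->id, NULL); /* slot must not outlive data */
    *freed_addr = (uintptr_t)data;
    free(data);                     /* vulnerable variant: slot still holds this address */
    return -1;
}

/* Model of the drop hook run from ops_exit_list() during error unwind.
 * Returns 1 if it found a live object, 0 if the slot was NULL, and -1 if the
 * slot held the address of already-freed memory (the use-after-free). */
static int nf_hook_drop(struct net *net, int id, uintptr_t freed_addr)
{
    struct queue_pernet *q = net_generic(net, id);
    if (!q)
        return 0;                   /* nothing was set up; unwinding is safe */
    if ((uintptr_t)q == freed_addr)
        return -1;                  /* dangling: touching q would be a UAF */
    q->hooks_dropped++;
    return 1;
}

/* Model of setup_net(): initialise, and on failure unwind through the hook.
 * Returns 0 on success, 1 for a clean unwind, -1 if a stale pointer reached
 * the hook. */
static int setup_net(struct net *net, struct pernet_ops *ops, bool fixed)
{
    uintptr_t freed_addr = 0;
    memset(net, 0, sizeof(*net));
    if (ops_init(ops, net, fixed, &freed_addr) == 0)
        return 0;
    return nf_hook_drop(net, ops->id, freed_addr) < 0 ? -1 : 1;
}

static void teardown_net(struct net *net, struct pernet_ops *ops)
{
    free(net_generic(net, ops->id));
    net_assign_generic(net, ops->id, NULL);
}

/* Scenarios: the same ops with a failing init, vulnerable versus fixed,
 * plus the normal path for comparison. */
int demo_vulnerable(void)
{
    struct net net;
    struct pernet_ops ops = { .id = 3, .size = sizeof(struct queue_pernet), .init_fails = true };
    return setup_net(&net, &ops, false);   /* -1: stale pointer reached the hook */
}

int demo_fixed(void)
{
    struct net net;
    struct pernet_ops ops = { .id = 3, .size = sizeof(struct queue_pernet), .init_fails = true };
    return setup_net(&net, &ops, true);    /* 1: hook saw NULL and returned early */
}

int demo_success(void)
{
    struct net net;
    struct pernet_ops ops = { .id = 3, .size = sizeof(struct queue_pernet), .init_fails = false };
    int rc = setup_net(&net, &ops, false);
    teardown_net(&net, &ops);
    return rc;                             /* 0: normal init, no unwind */
}
```

The model compares addresses rather than dereferencing the slot, so it runs cleanly without a sanitizer; in the kernel the equivalent read is what KASAN reported above. The defensive NULL check in nf_hook_drop only helps once ops_init stops leaving the stale address in net->gen, which is why the slot is cleared before kfree rather than after.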
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/4a4df5e78712de39d6f90d6a64b5eb48dca03bd5
- https://git.kernel.org/stable/c/5a2ea549be94924364f6911227d99be86e8cf34a
- https://git.kernel.org/stable/c/97ad240fd9aa9214497d14af2b91608e20856cac
- https://git.kernel.org/stable/c/a1e18acb0246bfb001b08b8b1b830b5ec92a0f13
- https://git.kernel.org/stable/c/c3edc6e808209aa705185f732e682a370981ced1
- https://git.kernel.org/stable/c/d266935ac43d57586e311a087510fe6a084af742