Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2022-48673

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
03/05/2024
Last modified:
23/05/2024

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net/smc: Fix possible access to freed memory in link clear<br /> <br /> After modifying the QP to the Error state, all RX WR would be completed<br /> with WC in IB_WC_WR_FLUSH_ERR status. Current implementation does not<br /> wait for it is done, but destroy the QP and free the link group directly.<br /> So there is a risk that accessing the freed memory in tasklet context.<br /> <br /> Here is a crash example:<br /> <br /> BUG: unable to handle page fault for address: ffffffff8f220860<br /> #PF: supervisor write access in kernel mode<br /> #PF: error_code(0x0002) - not-present page<br /> PGD f7300e067 P4D f7300e067 PUD f7300f063 PMD 8c4e45063 PTE 800ffff08c9df060<br /> Oops: 0002 [#1] SMP PTI<br /> CPU: 1 PID: 0 Comm: swapper/1 Kdump: loaded Tainted: G S OE 5.10.0-0607+ #23<br /> Hardware name: Inspur NF5280M4/YZMB-00689-101, BIOS 4.1.20 07/09/2018<br /> RIP: 0010:native_queued_spin_lock_slowpath+0x176/0x1b0<br /> Code: f3 90 48 8b 32 48 85 f6 74 f6 eb d5 c1 ee 12 83 e0 03 83 ee 01 48 c1 e0 05 48 63 f6 48 05 00 c8 02 00 48 03 04 f5 00 09 98 8e 89 10 8b 42 08 85 c0 75 09 f3 90 8b 42 08 85 c0 74 f7 48 8b 32<br /> RSP: 0018:ffffb3b6c001ebd8 EFLAGS: 00010086<br /> RAX: ffffffff8f220860 RBX: 0000000000000246 RCX: 0000000000080000<br /> RDX: ffff91db1f86c800 RSI: 000000000000173c RDI: ffff91db62bace00<br /> RBP: ffff91db62bacc00 R08: 0000000000000000 R09: c00000010000028b<br /> R10: 0000000000055198 R11: ffffb3b6c001ea58 R12: ffff91db80e05010<br /> R13: 000000000000000a R14: 0000000000000006 R15: 0000000000000040<br /> FS: 0000000000000000(0000) GS:ffff91db1f840000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: ffffffff8f220860 CR3: 00000001f9580004 CR4: 00000000003706e0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> _raw_spin_lock_irqsave+0x30/0x40<br /> mlx5_ib_poll_cq+0x4c/0xc50 [mlx5_ib]<br /> smc_wr_rx_tasklet_fn+0x56/0xa0 [smc]<br /> tasklet_action_common.isra.21+0x66/0x100<br /> __do_softirq+0xd5/0x29c<br /> asm_call_irq_on_stack+0x12/0x20<br /> <br /> do_softirq_own_stack+0x37/0x40<br /> irq_exit_rcu+0x9d/0xa0<br /> sysvec_call_function_single+0x34/0x80<br /> asm_sysvec_call_function_single+0x12/0x20

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x
5.50
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.11 (including) 5.19.9 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools