Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2022-48912

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
22/08/2024
Last modified:
27/08/2024

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: fix use-after-free in __nf_register_net_hook()<br /> <br /> We must not dereference @new_hooks after nf_hook_mutex has been released,<br /> because other threads might have freed our allocated hooks already.<br /> <br /> BUG: KASAN: use-after-free in nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline]<br /> BUG: KASAN: use-after-free in hooks_validate net/netfilter/core.c:171 [inline]<br /> BUG: KASAN: use-after-free in __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438<br /> Read of size 2 at addr ffff88801c1a8000 by task syz-executor237/4430<br /> <br /> CPU: 1 PID: 4430 Comm: syz-executor237 Not tainted 5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106<br /> print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255<br /> __kasan_report mm/kasan/report.c:442 [inline]<br /> kasan_report.cold+0x83/0xdf mm/kasan/report.c:459<br /> nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline]<br /> hooks_validate net/netfilter/core.c:171 [inline]<br /> __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438<br /> nf_register_net_hook+0x114/0x170 net/netfilter/core.c:571<br /> nf_register_net_hooks+0x59/0xc0 net/netfilter/core.c:587<br /> nf_synproxy_ipv6_init+0x85/0xe0 net/netfilter/nf_synproxy_core.c:1218<br /> synproxy_tg6_check+0x30d/0x560 net/ipv6/netfilter/ip6t_SYNPROXY.c:81<br /> xt_check_target+0x26c/0x9e0 net/netfilter/x_tables.c:1038<br /> check_target net/ipv6/netfilter/ip6_tables.c:530 [inline]<br /> find_check_entry.constprop.0+0x7f1/0x9e0 net/ipv6/netfilter/ip6_tables.c:573<br /> translate_table+0xc8b/0x1750 net/ipv6/netfilter/ip6_tables.c:735<br /> do_replace net/ipv6/netfilter/ip6_tables.c:1153 [inline]<br /> do_ip6t_set_ctl+0x56e/0xb90 net/ipv6/netfilter/ip6_tables.c:1639<br /> nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101<br /> ipv6_setsockopt+0x122/0x180 net/ipv6/ipv6_sockglue.c:1024<br /> rawv6_setsockopt+0xd3/0x6a0 net/ipv6/raw.c:1084<br /> __sys_setsockopt+0x2db/0x610 net/socket.c:2180<br /> __do_sys_setsockopt net/socket.c:2191 [inline]<br /> __se_sys_setsockopt net/socket.c:2188 [inline]<br /> __x64_sys_setsockopt+0xba/0x150 net/socket.c:2188<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x44/0xae<br /> RIP: 0033:0x7f65a1ace7d9<br /> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48<br /> RSP: 002b:00007f65a1a7f308 EFLAGS: 00000246 ORIG_RAX: 0000000000000036<br /> RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00007f65a1ace7d9<br /> RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000003<br /> RBP: 00007f65a1b574c8 R08: 0000000000000001 R09: 0000000000000000<br /> R10: 0000000020000000 R11: 0000000000000246 R12: 00007f65a1b55130<br /> R13: 00007f65a1b574c0 R14: 00007f65a1b24090 R15: 0000000000022000<br /> <br /> <br /> The buggy address belongs to the page:<br /> page:ffffea0000706a00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1c1a8<br /> flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)<br /> raw: 00fff00000000000 ffffea0001c1b108 ffffea000046dd08 0000000000000000<br /> raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000<br /> page dumped because: kasan: bad access detected<br /> page_owner tracks the page as freed<br /> page last allocated via order 2, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 4430, ts 1061781545818, free_ts 1061791488993<br /> prep_new_page mm/page_alloc.c:2434 [inline]<br /> get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165<br /> __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389<br /> __alloc_pages_node include/linux/gfp.h:572 [inline]<br /> alloc_pages_node include/linux/gfp.h:595 [inline]<br /> kmalloc_large_node+0x62/0x130 mm/slub.c:4438<br /> __kmalloc_node+0x35a/0x4a0 mm/slub.<br /> ---truncated---

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.80 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
7.80
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.14 (including) 4.14.270 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.15 (including) 4.19.233 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.183 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.104 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.27 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 5.16.13 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools