CVE-2022-48970
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
21/10/2024
Last modified:
25/10/2024
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
af_unix: Get user_ns from in_skb in unix_diag_get_exact().<br />
<br />
Wei Chen reported a NULL deref in sk_user_ns() [0][1], and Paolo diagnosed<br />
the root cause: in unix_diag_get_exact(), the newly allocated skb does not<br />
have sk. [2]<br />
<br />
We must get the user_ns from the NETLINK_CB(in_skb).sk and pass it to<br />
sk_diag_fill().<br />
<br />
[0]:<br />
BUG: kernel NULL pointer dereference, address: 0000000000000270<br />
#PF: supervisor read access in kernel mode<br />
#PF: error_code(0x0000) - not-present page<br />
PGD 12bbce067 P4D 12bbce067 PUD 12bc40067 PMD 0<br />
Oops: 0000 [#1] PREEMPT SMP<br />
CPU: 0 PID: 27942 Comm: syz-executor.0 Not tainted 6.1.0-rc5-next-20221118 #2<br />
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS<br />
rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014<br />
RIP: 0010:sk_user_ns include/net/sock.h:920 [inline]<br />
RIP: 0010:sk_diag_dump_uid net/unix/diag.c:119 [inline]<br />
RIP: 0010:sk_diag_fill+0x77d/0x890 net/unix/diag.c:170<br />
Code: 89 ef e8 66 d4 2d fd c7 44 24 40 00 00 00 00 49 8d 7c 24 18 e8<br />
54 d7 2d fd 49 8b 5c 24 18 48 8d bb 70 02 00 00 e8 43 d7 2d fd 8b<br />
9b 70 02 00 00 48 8d 7b 10 e8 33 d7 2d fd 48 8b 5b 10 48 8d<br />
RSP: 0018:ffffc90000d67968 EFLAGS: 00010246<br />
RAX: ffff88812badaa48 RBX: 0000000000000000 RCX: ffffffff840d481d<br />
RDX: 0000000000000465 RSI: 0000000000000000 RDI: 0000000000000270<br />
RBP: ffffc90000d679a8 R08: 0000000000000277 R09: 0000000000000000<br />
R10: 0001ffffffffffff R11: 0001c90000d679a8 R12: ffff88812ac03800<br />
R13: ffff88812c87c400 R14: ffff88812ae42210 R15: ffff888103026940<br />
FS: 00007f08b4e6f700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000<br />
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
CR2: 0000000000000270 CR3: 000000012c58b000 CR4: 00000000003506f0<br />
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br />
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br />
Call Trace:<br />
<br />
unix_diag_get_exact net/unix/diag.c:285 [inline]<br />
unix_diag_handler_dump+0x3f9/0x500 net/unix/diag.c:317<br />
__sock_diag_cmd net/core/sock_diag.c:235 [inline]<br />
sock_diag_rcv_msg+0x237/0x250 net/core/sock_diag.c:266<br />
netlink_rcv_skb+0x13e/0x250 net/netlink/af_netlink.c:2564<br />
sock_diag_rcv+0x24/0x40 net/core/sock_diag.c:277<br />
netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]<br />
netlink_unicast+0x5e9/0x6b0 net/netlink/af_netlink.c:1356<br />
netlink_sendmsg+0x739/0x860 net/netlink/af_netlink.c:1932<br />
sock_sendmsg_nosec net/socket.c:714 [inline]<br />
sock_sendmsg net/socket.c:734 [inline]<br />
____sys_sendmsg+0x38f/0x500 net/socket.c:2476<br />
___sys_sendmsg net/socket.c:2530 [inline]<br />
__sys_sendmsg+0x197/0x230 net/socket.c:2559<br />
__do_sys_sendmsg net/socket.c:2568 [inline]<br />
__se_sys_sendmsg net/socket.c:2566 [inline]<br />
__x64_sys_sendmsg+0x42/0x50 net/socket.c:2566<br />
do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br />
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80<br />
entry_SYSCALL_64_after_hwframe+0x63/0xcd<br />
RIP: 0033:0x4697f9<br />
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48<br />
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d<br />
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48<br />
RSP: 002b:00007f08b4e6ec48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e<br />
RAX: ffffffffffffffda RBX: 000000000077bf80 RCX: 00000000004697f9<br />
RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003<br />
RBP: 00000000004d29e9 R08: 0000000000000000 R09: 0000000000000000<br />
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf80<br />
R13: 0000000000000000 R14: 000000000077bf80 R15: 00007ffdb36bc6c0<br />
<br />
Modules linked in:<br />
CR2: 0000000000000270<br />
<br />
[1]: https://lore.kernel.org/netdev/CAO4mrfdvyjFpokhNsiwZiP-wpdSD0AStcJwfKcKQdAALQ9_2Qw@mail.gmail.com/<br />
[2]: https://lore.kernel.org/netdev/e04315e7c90d9a75613f3993c2baf2d344eef7eb.camel@redhat.com/
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.3 (including) | 5.4.227 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.159 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.83 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.0.13 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.1:rc5:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.1:rc6:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.1:rc7:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:6.1:rc8:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/575a6266f63dbb3b8eb1da03671451f0d81b8034
- https://git.kernel.org/stable/c/5c014eb0ed6c8c57f483e94cc6e90f34ce426d91
- https://git.kernel.org/stable/c/9c1d6f79a2c7b8221dcec27defc6dc461052ead4
- https://git.kernel.org/stable/c/b3abe42e94900bdd045c472f9c9be620ba5ce553
- https://git.kernel.org/stable/c/c66d78aee55dab72c92020ebfbebc464d4f5dd2a