CVE-2022-49096
Severity CVSS v4.0:
Pending analysis
Type:
CWE-476
NULL Pointer Dereference
Publication date:
26/02/2025
Last modified:
01/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net: sfc: add missing xdp queue reinitialization<br />
<br />
After rx/tx ring buffer size is changed, kernel panic occurs when<br />
it acts XDP_TX or XDP_REDIRECT.<br />
<br />
When tx/rx ring buffer size is changed(ethtool -G), sfc driver<br />
reallocates and reinitializes rx and tx queues and their buffer<br />
(tx_queue->buffer).<br />
But it misses reinitializing xdp queues(efx->xdp_tx_queues).<br />
So, while it is acting XDP_TX or XDP_REDIRECT, it uses the uninitialized<br />
tx_queue->buffer.<br />
<br />
A new function efx_set_xdp_channels() is separated from efx_set_channels()<br />
to handle only xdp queues.<br />
<br />
Splat looks like:<br />
BUG: kernel NULL pointer dereference, address: 000000000000002a<br />
#PF: supervisor write access in kernel mode<br />
#PF: error_code(0x0002) - not-present page<br />
PGD 0 P4D 0<br />
Oops: 0002 [#4] PREEMPT SMP NOPTI<br />
RIP: 0010:efx_tx_map_chunk+0x54/0x90 [sfc]<br />
CPU: 2 PID: 0 Comm: swapper/2 Tainted: G D 5.17.0+ #55 e8beeee8289528f11357029357cf<br />
Code: 48 8b 8d a8 01 00 00 48 8d 14 52 4c 8d 2c d0 44 89 e0 48 85 c9 74 0e 44 89 e2 4c 89 f6 48 80<br />
RSP: 0018:ffff92f121e45c60 EFLAGS: 00010297<br />
RIP: 0010:efx_tx_map_chunk+0x54/0x90 [sfc]<br />
RAX: 0000000000000040 RBX: ffff92ea506895c0 RCX: ffffffffc0330870<br />
RDX: 0000000000000001 RSI: 00000001139b10ce RDI: ffff92ea506895c0<br />
RBP: ffffffffc0358a80 R08: 00000001139b110d R09: 0000000000000000<br />
R10: 0000000000000001 R11: ffff92ea414c0088 R12: 0000000000000040<br />
R13: 0000000000000018 R14: 00000001139b10ce R15: ffff92ea506895c0<br />
FS: 0000000000000000(0000) GS:ffff92f121ec0000(0000) knlGS:0000000000000000<br />
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
Code: 48 8b 8d a8 01 00 00 48 8d 14 52 4c 8d 2c d0 44 89 e0 48 85 c9 74 0e 44 89 e2 4c 89 f6 48 80<br />
CR2: 000000000000002a CR3: 00000003e6810004 CR4: 00000000007706e0<br />
RSP: 0018:ffff92f121e85c60 EFLAGS: 00010297<br />
PKRU: 55555554<br />
RAX: 0000000000000040 RBX: ffff92ea50689700 RCX: ffffffffc0330870<br />
RDX: 0000000000000001 RSI: 00000001145a90ce RDI: ffff92ea50689700<br />
RBP: ffffffffc0358a80 R08: 00000001145a910d R09: 0000000000000000<br />
R10: 0000000000000001 R11: ffff92ea414c0088 R12: 0000000000000040<br />
R13: 0000000000000018 R14: 00000001145a90ce R15: ffff92ea50689700<br />
FS: 0000000000000000(0000) GS:ffff92f121e80000(0000) knlGS:0000000000000000<br />
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
CR2: 000000000000002a CR3: 00000003e6810005 CR4: 00000000007706e0<br />
PKRU: 55555554<br />
Call Trace:<br />
<br />
efx_xdp_tx_buffers+0x12b/0x3d0 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]<br />
__efx_rx_packet+0x5c3/0x930 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]<br />
efx_rx_packet+0x28c/0x2e0 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]<br />
efx_ef10_ev_process+0x5f8/0xf40 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]<br />
? enqueue_task_fair+0x95/0x550<br />
efx_poll+0xc4/0x360 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.15.34 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 5.16.20 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.17 (including) | 5.17.3 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.18:rc1:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page