CVE-2022-49636
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/02/2025
Last modified:
10/04/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
vlan: fix memory leak in vlan_newlink()<br />
<br />
Blamed commit added back a bug I fixed in commit 9bbd917e0bec<br />
("vlan: fix memory leak in vlan_dev_set_egress_priority")<br />
<br />
If a memory allocation fails in vlan_changelink() after other allocations<br />
succeeded, we need to call vlan_dev_free_egress_priority()<br />
to free all allocated memory because after a failed ->newlink()<br />
we do not call any methods like ndo_uninit() or dev->priv_destructor().<br />
<br />
In following example, if the allocation for last element 2000:2001 fails,<br />
we need to free eight prior allocations:<br />
<br />
ip link add link dummy0 dummy0.100 type vlan id 100 \<br />
egress-qos-map 1:2 2:3 3:4 4:5 5:6 6:7 7:8 8:9 2000:2001<br />
<br />
syzbot report was:<br />
<br />
BUG: memory leak<br />
unreferenced object 0xffff888117bd1060 (size 32):<br />
comm "syz-executor408", pid 3759, jiffies 4294956555 (age 34.090s)<br />
hex dump (first 32 bytes):<br />
09 00 00 00 00 a0 00 00 00 00 00 00 00 00 00 00 ................<br />
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................<br />
backtrace:<br />
[] kmalloc include/linux/slab.h:600 [inline]<br />
[] vlan_dev_set_egress_priority+0xed/0x170 net/8021q/vlan_dev.c:193<br />
[] vlan_changelink+0x178/0x1d0 net/8021q/vlan_netlink.c:128<br />
[] vlan_newlink+0x148/0x260 net/8021q/vlan_netlink.c:185<br />
[] rtnl_newlink_create net/core/rtnetlink.c:3363 [inline]<br />
[] __rtnl_newlink+0xa58/0xdc0 net/core/rtnetlink.c:3580<br />
[] rtnl_newlink+0x49/0x70 net/core/rtnetlink.c:3593<br />
[] rtnetlink_rcv_msg+0x21c/0x5c0 net/core/rtnetlink.c:6089<br />
[] netlink_rcv_skb+0x87/0x1d0 net/netlink/af_netlink.c:2501<br />
[] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]<br />
[] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345<br />
[] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921<br />
[] sock_sendmsg_nosec net/socket.c:714 [inline]<br />
[] sock_sendmsg+0x56/0x80 net/socket.c:734<br />
[] ____sys_sendmsg+0x36c/0x390 net/socket.c:2488<br />
[] ___sys_sendmsg+0x8b/0xd0 net/socket.c:2542<br />
[] __sys_sendmsg net/socket.c:2571 [inline]<br />
[] __do_sys_sendmsg net/socket.c:2580 [inline]<br />
[] __se_sys_sendmsg net/socket.c:2578 [inline]<br />
[] __x64_sys_sendmsg+0x78/0xf0 net/socket.c:2578<br />
[] do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br />
[] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80<br />
[] entry_SYSCALL_64_after_hwframe+0x46/0xb0
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.142 (including) | 5.16 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.17 (including) | 5.18.13 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.19:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.19:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.19:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.19:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.19:rc5:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:5.19:rc6:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/4c43069bb1097dd6cc1cf0f7c43a36d1f7b3910b
- https://git.kernel.org/stable/c/549de58dba4bf1b2adc72e9948b9c76fa88be9d2
- https://git.kernel.org/stable/c/72a0b329114b1caa8e69dfa7cdad1dd3c69b8602
- https://git.kernel.org/stable/c/df27729a4fe0002dfd80c96fe1c142829c672728
- https://git.kernel.org/stable/c/f5dc10b910bdac523e5947336445a77066c51bf9