CVE-2022-49696

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
26/02/2025
Last modified:
25/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

tipc: fix use-after-free Read in tipc_named_reinit

syzbot found the following issue on:
==================================================================
BUG: KASAN: use-after-free in tipc_named_reinit+0x94f/0x9b0 net/tipc/name_distr.c:413
Read of size 8 at addr ffff88805299a000 by task kworker/1:9/23764

CPU: 1 PID: 23764 Comm: kworker/1:9 Not tainted 5.18.0-rc4-syzkaller-00878-g17d49e6e8012 #0
Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events tipc_net_finalize_work
Call Trace:

__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0xeb/0x495 mm/kasan/report.c:313
print_report mm/kasan/report.c:429 [inline]
kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
tipc_named_reinit+0x94f/0x9b0 net/tipc/name_distr.c:413
tipc_net_finalize+0x234/0x3d0 net/tipc/net.c:138
process_one_work+0x996/0x1610 kernel/workqueue.c:2289
worker_thread+0x665/0x1080 kernel/workqueue.c:2436
kthread+0x2e9/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298

[...]
==================================================================

In the commit d966ddcc3821 ("tipc: fix a deadlock when flushing scheduled work"), the cancel_work_sync() function is used just to make sure that ONLY the work tipc_net_finalize_work() that is executing/pending on any CPU has completed before the tipc namespace is destroyed through tipc_exit_net(). But this function does not guarantee that the work is the last one queued. So the destroyed instance may be accessed in the work, which some path will try to enqueue later.

In order to completely fix this, we re-order the call to cancel_work_sync() to make sure the work tipc_net_finalize_work() was the last one queued and that it must be completed by calling cancel_work_sync().
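The ordering problem the commit message describes is easy to misread: cancel_work_sync() removes the instance that is pending and waits for the one that is running, but it says nothing about an instance that another code path queues after it returns. The following single-threaded model is an added example, not kernel code and not the patched tipc source: queue_work(), cancel_work_sync(), the worker loop and the tipc_net object are simplified stand-ins, late_event() is a hypothetical path that can still schedule the finalize work, and the "freed" flag plays the role KASAN played in the report. The fixed order used here (quiesce every path that can queue the work, then cancel_work_sync(), then release the namespace) is an assumption that follows the commit message, since the advisory does not reproduce the patch itself.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the kernel workqueue; not the real implementation. */
struct work_struct;
typedef void (*work_fn)(struct work_struct *);

struct work_struct {
	work_fn fn;
	bool pending;
};

#define MAX_PENDING 8
static struct work_struct *pending[MAX_PENDING];
static int npending;

/* queue_work(): queues the work unless an instance is already pending. */
static bool queue_work(struct work_struct *w)
{
	if (w->pending || npending == MAX_PENDING)
		return false;
	w->pending = true;
	pending[npending++] = w;
	return true;
}

/* cancel_work_sync(): drops the pending instance. The kernel version also
 * waits for a running instance; this model has no concurrency, so there is
 * nothing to wait for. Like the real one, it gives no guarantee about work
 * queued *after* it returns, which is the whole point of the advisory. */
static void cancel_work_sync(struct work_struct *w)
{
	for (int i = 0; i < npending; i++) {
		if (pending[i] != w)
			continue;
		memmove(&pending[i], &pending[i + 1],
			(size_t)(npending - i - 1) * sizeof *pending);
		npending--;
		w->pending = false;
		return;
	}
}

/* The kworker draining the queue (the "events" workqueue in the report). */
static void run_workqueue(void)
{
	while (npending) {
		struct work_struct *w = pending[0];
		memmove(pending, pending + 1, (size_t)(npending - 1) * sizeof *pending);
		npending--;
		w->pending = false;
		w->fn(w);
	}
}

/* Stand-in for the per-namespace tipc_net object. */
struct tipc_net {
	struct work_struct work;   /* must stay the first member (see cast below) */
	bool stopped;              /* set once no path may queue the work any more */
	bool freed;                /* set when the namespace memory is released */
};

static int uaf_reads;

/* Stand-in for tipc_net_finalize_work(): reads the namespace object. */
static void finalize_work(struct work_struct *w)
{
	struct tipc_net *tn = (struct tipc_net *)w;   /* poor man's container_of */
	if (tn->freed)
		uaf_reads++;   /* the read KASAN flagged as use-after-free */
}

/* Hypothetical late path that still schedules the finalize work. */
static void late_event(struct tipc_net *tn)
{
	if (!tn->stopped)
		queue_work(&tn->work);
}

/* Buggy order: cancel first, then quiesce. A queue in between survives. */
static int exit_net_buggy(struct tipc_net *tn)
{
	uaf_reads = 0;
	late_event(tn);              /* legitimately queued before teardown */
	cancel_work_sync(tn == NULL ? NULL : &tn->work); /* drops that instance */
	late_event(tn);              /* re-queued after the cancel: not covered */
	tn->stopped = true;          /* too late, the work is already pending */
	tn->freed = true;            /* namespace released */
	run_workqueue();             /* kworker reads the freed object */
	return uaf_reads;
}

/* Fixed order: quiesce producers, then cancel, then free. */
static int exit_net_fixed(struct tipc_net *tn)
{
	uaf_reads = 0;
	late_event(tn);              /* queued before teardown */
	tn->stopped = true;          /* nothing can queue the work from here on */
	late_event(tn);              /* refused */
	cancel_work_sync(&tn->work); /* now really the last queued instance */
	tn->freed = true;
	run_workqueue();
	return uaf_reads;
}

/* Runs one teardown on a fresh namespace object and returns the UAF count. */
static int run_exit(bool fixed)
{
	struct tipc_net tn = { .work = { .fn = finalize_work } };
	npending = 0;
	return fixed ? exit_net_fixed(&tn) : exit_net_buggy(&tn);
}

int main(void)
{
	printf("buggy order: %d use-after-free read(s)\n", run_exit(false));
	printf("fixed order: %d use-after-free read(s)\n", run_exit(true));
	return 0;
}
```

The model shows why "cancel, then stop" is not equivalent to "stop, then cancel": in the first order the cancel only covers what was queued at that instant, and the work that is queued afterwards runs against released memory; in the second order the cancel is provably the last thing that touches the work, which is what the reordering in the fix relies on.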

Vulnerable products and versions

CPE                                               From                  Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.4.83 (including)    5.5 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.9.14 (including)    5.10.127 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.11 (including)      5.15.51 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.16 (including)      5.18.8 (excluding)
cpe:2.3:o:linux:linux_kernel:5.19:rc1:*:*:*:*:*:* (exact version)
cpe:2.3:o:linux:linux_kernel:5.19:rc2:*:*:*:*:*:* (exact version)
cpe:2.3:o:linux:linux_kernel:5.19:rc3:*:*:*:*:*:* (exact version)