CVE-2022-49869
Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 01/05/2025
Last modified: 07/05/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Fix possible crash in bnxt_hwrm_set_coal()

During the error recovery sequence, the rtnl_lock is not held for the
entire duration and some data structures may be freed during the sequence.
Check for the BNXT_STATE_OPEN flag instead of netif_running() to ensure
that the device is fully operational before proceeding to reconfigure
the coalescing settings.

This will fix a possible crash like this:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
PGD 0 P4D 0
Oops: 0000 [#1] SMP NOPTI
CPU: 10 PID: 181276 Comm: ethtool Kdump: loaded Tainted: G IOE --------- - - 4.18.0-348.el8.x86_64 #1
Hardware name: Dell Inc. PowerEdge R740/0F9N89, BIOS 2.3.10 08/15/2019
RIP: 0010:bnxt_hwrm_set_coal+0x1fb/0x2a0 [bnxt_en]
Code: c2 66 83 4e 22 08 66 89 46 1c e8 10 cb 00 00 41 83 c6 01 44 39 b3 68 01 00 00 0f 8e a3 00 00 00 48 8b 93 c8 00 00 00 49 63 c6 8b 2c c2 48 8b 85 b8 02 00 00 48 85 c0 74 2e 48 8b 74 24 08 f6
RSP: 0018:ffffb11c8dcaba50 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8d168a8b0ac0 RCX: 00000000000000c5
RDX: 0000000000000000 RSI: ffff8d162f72c000 RDI: ffff8d168a8b0b28
RBP: 0000000000000000 R08: b6e1f68a12e9a7eb R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000037 R12: ffff8d168a8b109c
R13: ffff8d168a8b10aa R14: 0000000000000000 R15: ffffffffc01ac4e0
FS: 00007f3852e4c740(0000) GS:ffff8d24c0080000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000041b3ee003 CR4: 00000000007706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
ethnl_set_coalesce+0x3ce/0x4c0
genl_family_rcv_msg_doit.isra.15+0x10f/0x150
genl_family_rcv_msg+0xb3/0x160
? coalesce_fill_reply+0x480/0x480
genl_rcv_msg+0x47/0x90
? genl_family_rcv_msg+0x160/0x160
netlink_rcv_skb+0x4c/0x120
genl_rcv+0x24/0x40
netlink_unicast+0x196/0x230
netlink_sendmsg+0x204/0x3d0
sock_sendmsg+0x4c/0x50
__sys_sendto+0xee/0x160
? syscall_trace_enter+0x1d3/0x2c0
? __audit_syscall_exit+0x249/0x2a0
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x5b/0x1a0
entry_SYSCALL_64_after_hwframe+0x65/0xca
RIP: 0033:0x7f38524163bb
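
The difference between the two checks described above, as an added user-space model in C (not the kernel patch or the driver's code): `struct nic` and every function name here are hypothetical. The model assumes error recovery clears the open bit and frees the rings while the interface still reports as running.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define STATE_OPEN 0x1UL            /* stands in for BNXT_STATE_OPEN */
enum result { APPLIED, SKIPPED, WOULD_CRASH };
struct ring { int coal_ticks; };
struct nic {                        /* hypothetical model, not the driver's struct */
    bool running;                   /* what netif_running() would report */
    unsigned long state;            /* driver-private state bits */
    struct ring *rings;             /* freed while error recovery is in progress */
    size_t nr_rings;
};
static int alloc_rings(struct nic *n, size_t nr) {
    n->rings = calloc(nr, sizeof(*n->rings));
    if (!n->rings) return -1;
    n->nr_rings = nr;
    n->state |= STATE_OPEN;         /* set only once everything is usable */
    return 0;
}
int nic_open(struct nic *n, size_t nr) { n->running = true; return alloc_rings(n, nr); }
int recovery_end(struct nic *n) { return alloc_rings(n, n->nr_rings); }

/* Recovery tears the rings down; the interface stays administratively up. */
void recovery_begin(struct nic *n) {
    n->state &= ~STATE_OPEN;
    free(n->rings);
    n->rings = NULL;
}

/* Walks the rings; WOULD_CRASH marks where unguarded code dereferences NULL. */
static enum result apply_coal(struct nic *n, int ticks) {
    if (!n->rings) return WOULD_CRASH;
    for (size_t i = 0; i < n->nr_rings; i++) n->rings[i].coal_ticks = ticks;
    return APPLIED;
}

/* Before the fix: gate on the interface being up. */
enum result set_coal_before(struct nic *n, int t) { return n->running ? apply_coal(n, t) : SKIPPED; }
/* After the fix: gate on the driver's own "fully open" bit. */
enum result set_coal_after(struct nic *n, int t) { return (n->state & STATE_OPEN) ? apply_coal(n, t) : SKIPPED; }

int main(void) {
    struct nic n = {0};
    if (nic_open(&n, 4)) return 1;
    recovery_begin(&n);             /* a set-coalesce request arrives mid-recovery */
    printf("before=%d after=%d\n", set_coal_before(&n, 10), set_coal_after(&n, 10));
    return 0;
}
```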
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.4 (including) | 5.4.225 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.155 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.79 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.0.9 (excluding) |
cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/38147073c96dce8c7e142ce0e5f305a420a729ba
- https://git.kernel.org/stable/c/6d81ea3765dfa6c8a20822613c81edad1c4a16a0
- https://git.kernel.org/stable/c/7781e32984cde65549bedc3201537e253297c98d
- https://git.kernel.org/stable/c/a5a05fbef4a0dfe45fe03b2f1d02ba23aebf5384
- https://git.kernel.org/stable/c/ac257c43fa615d22180916074feed803b8bb8cb0