CVE-2022-50310
Severity:
Pending analysis
Type:
Not available / Other
Publication date:
15/09/2025
Last modified:
15/09/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

ip6mr: fix UAF issue in ip6mr_sk_done() when addrconf_init_net() failed

If the initialization fails in calling addrconf_init_net(), devconf_all is
the pointer that has been released. Then ip6mr_sk_done() is called to
release the net, accessing devconf->mc_forwarding directly causes invalid
pointer access.

The process is as follows:
setup_net()
  ops_init()
    addrconf_init_net()
      all = kmemdup(...)              ---> alloc "all"
      ...
      net->ipv6.devconf_all = all;
      __addrconf_sysctl_register()    ---> failed
      ...
      kfree(all);                     ---> ipv6.devconf_all invalid
  ...
  ops_exit_list()
    ...
    ip6mr_sk_done()
      devconf = net->ipv6.devconf_all;
      //devconf is invalid pointer
      if (!devconf || !atomic_read(&devconf->mc_forwarding))

The following is the Call Trace information:
BUG: KASAN: use-after-free in ip6mr_sk_done+0x112/0x3a0
Read of size 4 at addr ffff888075508e88 by task ip/14554
Call Trace:

 dump_stack_lvl+0x8e/0xd1
 print_report+0x155/0x454
 kasan_report+0xba/0x1f0
 kasan_check_range+0x35/0x1b0
 ip6mr_sk_done+0x112/0x3a0
 rawv6_close+0x48/0x70
 inet_release+0x109/0x230
 inet6_release+0x4c/0x70
 sock_release+0x87/0x1b0
 igmp6_net_exit+0x6b/0x170
 ops_exit_list+0xb0/0x170
 setup_net+0x7ac/0xbd0
 copy_net_ns+0x2e6/0x6b0
 create_new_namespaces+0x382/0xa50
 unshare_nsproxy_namespaces+0xa6/0x1c0
 ksys_unshare+0x3a4/0x7e0
 __x64_sys_unshare+0x2d/0x40
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f7963322547

Allocated by task 14554:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 __kasan_kmalloc+0xa1/0xb0
 __kmalloc_node_track_caller+0x4a/0xb0
 kmemdup+0x28/0x60
 addrconf_init_net+0x1be/0x840
 ops_init+0xa5/0x410
 setup_net+0x5aa/0xbd0
 copy_net_ns+0x2e6/0x6b0
 create_new_namespaces+0x382/0xa50
 unshare_nsproxy_namespaces+0xa6/0x1c0
 ksys_unshare+0x3a4/0x7e0
 __x64_sys_unshare+0x2d/0x40
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Freed by task 14554:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 kasan_save_free_info+0x2a/0x40
 ____kasan_slab_free+0x155/0x1b0
 slab_free_freelist_hook+0x11b/0x220
 __kmem_cache_free+0xa4/0x360
 addrconf_init_net+0x623/0x840
 ops_init+0xa5/0x410
 setup_net+0x5aa/0xbd0
 copy_net_ns+0x2e6/0x6b0
 create_new_namespaces+0x382/0xa50
 unshare_nsproxy_namespaces+0xa6/0x1c0
 ksys_unshare+0x3a4/0x7e0
 __x64_sys_unshare+0x2d/0x40
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
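The bug class described above is a dangling pointer left in a shared structure by a failed init path, which a later teardown path then trusts. The following userspace C model is an added illustration and is not kernel code or the upstream patch: the struct and function names (ipv6_devconf, net, addrconf_init_net_buggy, addrconf_init_net_fixed, ip6mr_sk_done_check) are hypothetical stand-ins for the kernel symbols in the advisory, and the tiny tracked allocator plays the role KASAN played in the report, so that the stale read is detected deterministically instead of being undefined behaviour. The "fixed" variant shows the general defensive pattern of clearing a published pointer on the error path so the existing NULL check in the exit path short-circuits; it is presented as the pattern, not as a claim about the exact upstream diff.

```c
/* Added illustration, not Linux kernel code: models the dangling
 * net->ipv6.devconf_all pointer from a failed addrconf_init_net() and the
 * defensive fix of clearing it on the error path. All names are
 * hypothetical stand-ins for the kernel structures in the advisory. */
#include <stdio.h>
#include <string.h>

struct ipv6_devconf { int mc_forwarding; };      /* stand-in for the real struct */
struct net { struct ipv6_devconf *devconf_all; }; /* stand-in for net->ipv6 */

/* Tracked allocator: each slot remembers whether it is live or freed, so a
 * read through a stale pointer can be caught (the job KASAN did above). */
enum { SLOT_UNUSED, SLOT_LIVE, SLOT_FREED };
#define NSLOTS 4
static struct ipv6_devconf slab[NSLOTS];
static int slab_state[NSLOTS];

static struct ipv6_devconf *devconf_alloc(void)
{
    for (int i = 0; i < NSLOTS; i++) {
        if (slab_state[i] != SLOT_LIVE) {      /* reuse freed slots like a slab */
            slab_state[i] = SLOT_LIVE;
            memset(&slab[i], 0, sizeof slab[i]);
            return &slab[i];
        }
    }
    return NULL;
}

static void devconf_free(struct ipv6_devconf *p) { slab_state[p - slab] = SLOT_FREED; }
static int devconf_is_live(const struct ipv6_devconf *p) { return slab_state[p - slab] == SLOT_LIVE; }

/* Model of addrconf_init_net(): allocate, publish into net, then a later
 * step (sysctl registration in the real code) fails. The pointer is freed
 * but net->devconf_all still refers to it. */
static int addrconf_init_net_buggy(struct net *net, int fail_sysctl)
{
    struct ipv6_devconf *all = devconf_alloc();
    if (!all)
        return -1;
    net->devconf_all = all;        /* published before the fallible step */
    if (fail_sysctl) {
        devconf_free(all);         /* error path frees, leaves net pointing at it */
        return -1;
    }
    return 0;
}

/* Same flow, but the error path clears the published pointer so the
 * teardown's existing NULL check is enough to skip it. */
static int addrconf_init_net_fixed(struct net *net, int fail_sysctl)
{
    struct ipv6_devconf *all = devconf_alloc();
    if (!all)
        return -1;
    net->devconf_all = all;
    if (fail_sysctl) {
        devconf_free(all);
        net->devconf_all = NULL;   /* the fix: no dangling reference survives */
        return -1;
    }
    return 0;
}

/* Model of the check at the top of ip6mr_sk_done().
 * Returns 0 = nothing to do, 1 = mc_forwarding enabled, -2 = stale read
 * (the liveness guard stands in for KASAN and is not part of the kernel path). */
static int ip6mr_sk_done_check(struct net *net)
{
    struct ipv6_devconf *devconf = net->devconf_all;
    if (!devconf)
        return 0;
    if (!devconf_is_live(devconf))
        return -2;                 /* use-after-free: this is what KASAN reported */
    return devconf->mc_forwarding ? 1 : 0;
}

/* setup_net(): ops_init() runs the init, and on failure ops_exit_list()
 * still runs the exit path for the partially built namespace. */
static int run_scenario(int (*init)(struct net *, int), int fail_sysctl)
{
    struct net net = { 0 };
    (void)init(&net, fail_sysctl);
    return ip6mr_sk_done_check(&net);
}

int main(void)
{
    printf("buggy init, init fails: %d (expect -2, stale read)\n",
           run_scenario(addrconf_init_net_buggy, 1));
    printf("fixed init, init fails: %d (expect 0, skipped)\n",
           run_scenario(addrconf_init_net_fixed, 1));
    printf("fixed init, init succeeds: %d (expect 0, forwarding off)\n",
           run_scenario(addrconf_init_net_fixed, 0));
    return 0;
}
```

The point the model makes is that the `if (!devconf || ...)` guard in the teardown is only as good as the invariant that a freed object is never left published; clearing the pointer at the same place it is freed restores that invariant on every error path, which is also the check a reviewer would apply to any `goto err_*` ladder that frees memory already stored in a longer-lived structure.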



