CVE-2022-48912

{"id": "CVE-2022-48912", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2024-08-22T02:15:05.550", "references": [{"url": "https://git.kernel.org/stable/c/05f7927b25d2635e87267ff6c79db79fb46cf313", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/49c24579cec41e32f13d57b337fd28fb208d4a5b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/56763f12b0f02706576a088e85ef856deacc98a0", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5a8076e98dde17224dd47283b894a8b1dbe1bc72", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8b0142c4143c1ca297dcf2c0cdd045d65dae2344", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bd61f192a339b1095dfd6d56073a5265934c2979", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bdd8fc1b826e6f23963f5bef3f7431c6188ec954", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: fix use-after-free in __nf_register_net_hook()\n\nWe must not dereference @new_hooks after nf_hook_mutex has been released,\nbecause other threads might have freed our allocated hooks already.\n\nBUG: KASAN: use-after-free in nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline]\nBUG: KASAN: use-after-free in hooks_validate net/netfilter/core.c:171 [inline]\nBUG: KASAN: use-after-free in __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438\nRead of size 2 at addr ffff88801c1a8000 by task syz-executor237/4430\n\nCPU: 1 PID: 4430 Comm: syz-executor237 Not tainted 5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\n print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255\n __kasan_report mm/kasan/report.c:442 [inline]\n kasan_report.cold+0x83/0xdf mm/kasan/report.c:459\n nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline]\n hooks_validate net/netfilter/core.c:171 [inline]\n __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438\n nf_register_net_hook+0x114/0x170 net/netfilter/core.c:571\n nf_register_net_hooks+0x59/0xc0 net/netfilter/core.c:587\n nf_synproxy_ipv6_init+0x85/0xe0 net/netfilter/nf_synproxy_core.c:1218\n synproxy_tg6_check+0x30d/0x560 net/ipv6/netfilter/ip6t_SYNPROXY.c:81\n xt_check_target+0x26c/0x9e0 net/netfilter/x_tables.c:1038\n check_target net/ipv6/netfilter/ip6_tables.c:530 [inline]\n find_check_entry.constprop.0+0x7f1/0x9e0 net/ipv6/netfilter/ip6_tables.c:573\n translate_table+0xc8b/0x1750 net/ipv6/netfilter/ip6_tables.c:735\n do_replace net/ipv6/netfilter/ip6_tables.c:1153 [inline]\n do_ip6t_set_ctl+0x56e/0xb90 net/ipv6/netfilter/ip6_tables.c:1639\n nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101\n ipv6_setsockopt+0x122/0x180 net/ipv6/ipv6_sockglue.c:1024\n rawv6_setsockopt+0xd3/0x6a0 net/ipv6/raw.c:1084\n __sys_setsockopt+0x2db/0x610 net/socket.c:2180\n __do_sys_setsockopt net/socket.c:2191 [inline]\n __se_sys_setsockopt net/socket.c:2188 [inline]\n __x64_sys_setsockopt+0xba/0x150 net/socket.c:2188\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f65a1ace7d9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f65a1a7f308 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00007f65a1ace7d9\nRDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000003\nRBP: 00007f65a1b574c8 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000020000000 R11: 0000000000000246 R12: 00007f65a1b55130\nR13: 00007f65a1b574c0 R14: 00007f65a1b24090 R15: 0000000000022000\n </TASK>\n\nThe buggy address belongs to the page:\npage:ffffea0000706a00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1c1a8\nflags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)\nraw: 00fff00000000000 ffffea0001c1b108 ffffea000046dd08 0000000000000000\nraw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as freed\npage last allocated via order 2, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 4430, ts 1061781545818, free_ts 1061791488993\n prep_new_page mm/page_alloc.c:2434 [inline]\n get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165\n __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389\n __alloc_pages_node include/linux/gfp.h:572 [inline]\n alloc_pages_node include/linux/gfp.h:595 [inline]\n kmalloc_large_node+0x62/0x130 mm/slub.c:4438\n __kmalloc_node+0x35a/0x4a0 mm/slub.\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: netfilter: corrige el use-after-free en __nf_register_net_hook() No debemos eliminar la referencia a @new_hooks despu\u00e9s de que se haya lanzado nf_hook_mutex, porque es posible que otros subprocesos ya hayan liberado nuestros ganchos asignados. ERROR: KASAN: use-after-free en nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [en l\u00ednea] ERROR: KASAN: use-after-free en ganchos_validate net/netfilter/core.c:171 [en l\u00ednea] ERROR: KASAN: use-after-free en __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438 Lectura de tama\u00f1o 2 en la direcci\u00f3n ffff88801c1a8000 por tarea syz-executor237/4430 CPU: 1 PID: 4430 Comm: syz-executor237 No contaminado 5.17.0 -rc5-syzkaller-00306-g2293be58d6a1 #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Seguimiento de llamadas: __dump_stack lib/dump_stack.c:88 [en l\u00ednea] dump_stack_lvl+0xcd/ 0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [en l\u00ednea] kasan_report.cold+0x83/0xdf mm/ kasan/report.c: 459 nf_hook_entries_get_hook_ops include/linux/netfilter.h: 130 [inline] gooks_validate net/netfilter/core.c: 171 [inline] __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c: 438 nf_net_hook+0x77a/0x820 net/netfilter/core.c: 438 nf_net_hook+0x77a/0x820 net/netfilter/core.c: 438 nfhhook_net_net+0x11 /0x170 net/netfilter/core.c:571 nf_register_net_hooks+0x59/0xc0 net/netfilter/core.c:587 nf_synproxy_ipv6_init+0x85/0xe0 net/netfilter/nf_synproxy_core.c:1218 synproxy_tg6_check+0x30d/0x560 ipv6/filtro de red/ ip6t_SYNPROXY.c:81 xt_check_target+0x26c/0x9e0 net/netfilter/x_tables.c:1038 check_target net/ipv6/netfilter/ip6_tables.c:530 [en l\u00ednea] find_check_entry.constprop.0+0x7f1/0x9e0 net/ipv6/netfilter/ip6_tables .c:573 traducir_table+0xc8b/0x1750 net/ipv6/netfilter/ip6_tables.c:735 do_replace net/ipv6/netfilter/ip6_tables.c:1153 [en l\u00ednea] do_ip6t_set_ctl+0x56e/0xb90 net/ipv6/netfilter/ip6_tables.c: 1639 nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101 ipv6_setsockopt+0x122/0x180 net/ipv6/ipv6_sockglue.c:1024 rawv6_setsockopt+0xd3/0x6a0 net/ipv6/raw.c:1084 ys_setsockopt+0x2db/0x610 neto/ socket.c:2180 __do_sys_setsockopt net/socket.c:2191 [en l\u00ednea] __se_sys_setsockopt net/socket.c:2188 [en l\u00ednea] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2188 do_syscall_x64 arch/x86/entry/common.c : 50 [en l\u00ednea] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 Entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f65a1ace7d9 C\u00f3digo: 28 00 00 00 75 05 48 83 c4 28 c3 e8 1 15 00 00 90 48 89 F8 48 89 F7 48 89 D6 48 89 CA 4D 89 C2 4D 89 C8 4C 8B 4C 24 08 0F 05 &lt;48&gt; 3D 01 F0 FF FF 73 01 C3 48 C7 C1 B8 FF FF FF F7 D8 64 89 01 48 RSP: 002b:00007f65a1a7f308 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 00000000000000006 RCX: 00007f65a1ace7d9 RDX: 00000040 RSI: 0000000000000029 RDI: 0000000000000003 RBP: 00007f65a1b574c8 R08: 0000000000000001 R09: 000000000000000 R10: 000000002 0000000 R11: 0000000000000246 R12: 00007f65a1b55130 R13: 00007f65a1b574c0 R14: 00007f65a1b24090 R15: 0000000000022000 La direcci\u00f3n del error pertenece a la p\u00e1gina: p\u00e1gina:ffffea0000706a00 refcount:0 mapcount:0 mapeo:0000000000000000 index:0x0 pfn:0x1c1a8 flags: 0xfff000000 00000(nodo=0|zona=1|lastcpupid=0x7ff) crudo: 00fff00000000000 ffffea0001c1b108 ffffea000046dd08 0000000000000000 crudo: 0000000000000000 00000000000000000 00000000ffffffff 00000000000 00000 p\u00e1gina volcada porque: kasan: mal acceso detectado page_owner rastrea la p\u00e1gina como p\u00e1gina liberada asignada por \u00faltima vez mediante orden 2, migrar tipo Inamovible, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO) , pid 4430, ts 1061781545818, free_ts 1061791488993 prep_new_page mm/page_alloc.c:2434 [en l\u00ednea] ---truncado---"}], "lastModified": "2024-08-27T16:12:47.173", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "64D82A2D-7E3F-4739-BADB-F611732BE6C2", "versionEndExcluding": "4.14.270", "versionStartIncluding": "4.14"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B59A7E33-6262-458E-AC76-E8CC4E812344", "versionEndExcluding": "4.19.233", "versionStartIncluding": "4.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "76A7616E-E6B9-4A7F-AA7C-1D47F774215F", "versionEndExcluding": "5.4.183", "versionStartIncluding": "4.20"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "764998FC-D1F7-4BAA-BD56-A553C7AB8F08", "versionEndExcluding": "5.10.104", "versionStartIncluding": "5.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B3A8E092-3021-4A34-8DCE-B89D2238818B", "versionEndExcluding": "5.15.27", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B871B667-EDC0-435D-909E-E918D8D90995", "versionEndExcluding": "5.16.13", "versionStartIncluding": "5.16"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}