CVE-2022-49014

In the Linux kernel, the following vulnerability has been resolved: net: tun: Fix use-after-free in tun_detach() syzbot reported use-after-free in tun_detach() [1]. This causes call trace like below: ================================================================== BUG: KASAN: use-after-free in notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75 Read of size 8 at addr ffff88807324e2a8 by task syz-executor.0/3673 CPU: 0 PID: 3673 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller-00044-gcc675d22e422 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x15e/0x461 mm/kasan/report.c:395 kasan_report+0xbf/0x1f0 mm/kasan/report.c:495 notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75 call_netdevice_notifiers_info+0x86/0x130 net/core/dev.c:1942 call_netdevice_notifiers_extack net/core/dev.c:1983 [inline] call_netdevice_notifiers net/core/dev.c:1997 [inline] netdev_wait_allrefs_any net/core/dev.c:10237 [inline] netdev_run_todo+0xbc6/0x1100 net/core/dev.c:10351 tun_detach drivers/net/tun.c:704 [inline] tun_chr_close+0xe4/0x190 drivers/net/tun.c:3467 __fput+0x27c/0xa90 fs/file_table.c:320 task_work_run+0x16f/0x270 kernel/task_work.c:179 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0xb3d/0x2a30 kernel/exit.c:820 do_group_exit+0xd4/0x2a0 kernel/exit.c:950 get_signal+0x21b1/0x2440 kernel/signal.c:2858 arch_do_signal_or_restart+0x86/0x2300 arch/x86/kernel/signal.c:869 exit_to_user_mode_loop kernel/entry/common.c:168 [inline] exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd The cause of the issue is that sock_put() from __tun_detach() drops last reference count for struct net, and then notifier_call_chain() from netdev_state_change() accesses that struct net. This patch fixes the issue by calling sock_put() from tun_detach() after all necessary accesses for the struct net has done.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/04b995e963229501401810dab89dc73e7f12d054	Patch
https://git.kernel.org/stable/c/16c244bc65d1175775325ec0489a5a5c830e02c7	Patch
https://git.kernel.org/stable/c/1f23f1890d91812c35d32eab1b49621b6d32dc7b	Patch
https://git.kernel.org/stable/c/4cde8da2d814a3b7b176db81922d4ddaad7c0f0e	Patch
https://git.kernel.org/stable/c/5daadc86f27ea4d691e2131c04310d0418c6cd12	Patch
https://git.kernel.org/stable/c/5f442e1d403e0496bacb74a58e2be7f500695e6f	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.1:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.1:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.1:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.1:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.1:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.1:rc6::::::
	cpe:2.3:o:linux:linux_kernel:6.1:rc7::::::

History

24 Oct 2024, 18:29

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8
CPE		cpe:2.3:o:linux:linux_kernel:6.1:rc3:::::: cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.1:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.1:rc7:::::: cpe:2.3:o:linux:linux_kernel:6.1:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.1:rc6:::::: cpe:2.3:o:linux:linux_kernel:6.1:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.1:rc5::::::
CWE		CWE-416
First Time		Linux linux Kernel Linux
References	~~() https://git.kernel.org/stable/c/04b995e963229501401810dab89dc73e7f12d054 -~~	() https://git.kernel.org/stable/c/04b995e963229501401810dab89dc73e7f12d054 - Patch
References	~~() https://git.kernel.org/stable/c/16c244bc65d1175775325ec0489a5a5c830e02c7 -~~	() https://git.kernel.org/stable/c/16c244bc65d1175775325ec0489a5a5c830e02c7 - Patch
References	~~() https://git.kernel.org/stable/c/1f23f1890d91812c35d32eab1b49621b6d32dc7b -~~	() https://git.kernel.org/stable/c/1f23f1890d91812c35d32eab1b49621b6d32dc7b - Patch
References	~~() https://git.kernel.org/stable/c/4cde8da2d814a3b7b176db81922d4ddaad7c0f0e -~~	() https://git.kernel.org/stable/c/4cde8da2d814a3b7b176db81922d4ddaad7c0f0e - Patch
References	~~() https://git.kernel.org/stable/c/5daadc86f27ea4d691e2131c04310d0418c6cd12 -~~	() https://git.kernel.org/stable/c/5daadc86f27ea4d691e2131c04310d0418c6cd12 - Patch
References	~~() https://git.kernel.org/stable/c/5f442e1d403e0496bacb74a58e2be7f500695e6f -~~	() https://git.kernel.org/stable/c/5f442e1d403e0496bacb74a58e2be7f500695e6f - Patch

23 Oct 2024, 15:12

Type	Values Removed	Values Added
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: tun: Se corrige el use after free en tun_detach() syzbot informó use after free en tun_detach() [1]. Esto provoca un seguimiento de llamadas como el siguiente: ==================================================================== ERROR: KASAN: use after free en notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75 Lectura de tamaño 8 en la dirección ffff88807324e2a8 por la tarea syz-executor.0/3673 CPU: 0 PID: 3673 Comm: syz-executor.0 No contaminado 6.1.0-rc5-syzkaller-00044-gcc675d22e422 #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 26/10/2022 Seguimiento de llamadas: __dump_stack lib/dump_stack.c:88 [en línea] dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [en línea] print_report+0x15e/0x461 mm/kasan/report.c:395 kasan_report+0xbf/0x1f0 mm/kasan/report.c:495 notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75 call_netdevice_notifiers_info+0x86/0x130 net/core/dev.c:1942 call_netdevice_notifiers_extack net/core/dev.c:1983 [en línea] llamar_notificadores_dispositivos_de_red net/core/dev.c:1997 [en línea] netdev_wait_allrefs_any net/core/dev.c:10237 [en línea] netdev_run_todo+0xbc6/0x1100 net/core/dev.c:10351 tun_detach drivers/net/tun.c:704 [en línea] tun_chr_close+0xe4/0x190 drivers/net/tun.c:3467 __fput+0x27c/0xa90 fs/file_table.c:320 tarea_trabajo_ejecutar+0x16f/0x270 kernel/tarea_trabajo.c:179 salir_tarea_trabajo incluir/linux/tarea_trabajo.h:38 [en línea] hacer_salir+0xb3d/0x2a30 kernel/exit.c:820 hacer_grupo_salir+0xd4/0x2a0 kernel/exit.c:950 obtener_señal+0x21b1/0x2440 kernel/señal.c:2858 arch_hacer_señal_o_reiniciar+0x86/0x2300 arch/x86/kernel/signal.c:869 bucle_salir_a_modo_usuario kernel/entry/common.c:168 [en línea] preparar_salir_a_modo_usuario+0x15f/0x250 kernel/entry/common.c:203 __syscall_salir_a_modo_usuario_trabajo kernel/entry/common.c:285 [en línea] syscall_salir_a_modo_usuario+0x1d/0x50 kernel/entry/common.c:296 La causa del problema es que sock_put() de __tun_detach() descarta el último recuento de referencias para struct net y luego notifier_call_chain() de netdev_state_change() accede a ese struct net. Este parche corrige el problema llamando a sock_put() desde tun_detach() después de que se hayan realizado todos los accesos necesarios para struct net.

21 Oct 2024, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-21 20:15

Updated : 2024-10-24 18:29

NVD link : CVE-2022-49014

Mitre link : CVE-2022-49014

CVE.ORG link : CVE-2022-49014

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-416

Use After Free

7.8 /10