| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022654-CVE-2022-49065-46dc@gregkh>
Date: Wed, 26 Feb 2025 02:54:30 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2022-49065: SUNRPC: Fix the svc_deferred_event trace class
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
SUNRPC: Fix the svc_deferred_event trace class
Fix a NULL deref crash that occurs when an svc_rqst is deferred
while the sunrpc tracing subsystem is enabled. svc_revisit() sets
dr->xprt to NULL, so it can't be relied upon in the tracepoint to
provide the remote's address.
Unfortunately we can't revert the "svc_deferred_class" hunk in
commit ece200ddd54b ("sunrpc: Save remote presentation address in
svc_xprt for trace events") because there is now a specific check
of event format specifiers for unsafe dereferences. The warning
that check emits is:
event svc_defer_recv has unsafe dereference of argument 1
A "%pISpc" format specifier with a "struct sockaddr *" is indeed
flagged by this check.
Instead, take the brute-force approach used by the svcrdma_qp_error
tracepoint. Convert the dr::addr field into a presentation address
in the TP_fast_assign() arm of the trace event, and store that as
a string. This fix can be backported to -stable kernels.
In the meantime, commit c6ced22997ad ("tracing: Update print fmt
check to handle new __get_sockaddr() macro") is now in v5.18, so
this wonky fix can be replaced with __sockaddr() and friends
properly during the v5.19 merge window.
The Linux kernel CVE team has assigned CVE-2022-49065 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.17 with commit ece200ddd54b9ce840cfee554fb812560c545c7d and fixed in 5.10.112 with commit 85ee17ca21cf92989e8c923e3ea4514c291e9d38
Issue introduced in 4.17 with commit ece200ddd54b9ce840cfee554fb812560c545c7d and fixed in 5.15.35 with commit 726ae7300fcc25fefa46d188cc07eb16dc908f9e
Issue introduced in 4.17 with commit ece200ddd54b9ce840cfee554fb812560c545c7d and fixed in 5.17.4 with commit c2456f470eea3bd06574d988bf6089e7c3f4c5cc
Issue introduced in 4.17 with commit ece200ddd54b9ce840cfee554fb812560c545c7d and fixed in 5.18 with commit 4d5004451ab2218eab94a30e1841462c9316ba19
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2022-49065
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
include/trace/events/sunrpc.h
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/85ee17ca21cf92989e8c923e3ea4514c291e9d38
https://git.kernel.org/stable/c/726ae7300fcc25fefa46d188cc07eb16dc908f9e
https://git.kernel.org/stable/c/c2456f470eea3bd06574d988bf6089e7c3f4c5cc
https://git.kernel.org/stable/c/4d5004451ab2218eab94a30e1841462c9316ba19
Powered by blists - more mailing lists