Message-ID: <2025022649-CVE-2022-49390-1583@gregkh>
Date: Wed, 26 Feb 2025 03:11:04 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2022-49390: macsec: fix UAF bug for real_dev

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

macsec: fix UAF bug for real_dev

Creating a new macsec device does not take a reference to real_dev. That
cannot ensure that real_dev is freed after macsec. That will trigger the
UAF bug for real_dev as follows:

==================================================================
BUG: KASAN: use-after-free in macsec_get_iflink+0x5f/0x70 drivers/net/macsec.c:3662
Call Trace:
 ...
 macsec_get_iflink+0x5f/0x70 drivers/net/macsec.c:3662
 dev_get_iflink+0x73/0xe0 net/core/dev.c:637
 default_operstate net/core/link_watch.c:42 [inline]
 rfc2863_policy+0x233/0x2d0 net/core/link_watch.c:54
 linkwatch_do_dev+0x2a/0x150 net/core/link_watch.c:161

Allocated by task 22209:
 ...
 alloc_netdev_mqs+0x98/0x1100 net/core/dev.c:10549
 rtnl_create_link+0x9d7/0xc00 net/core/rtnetlink.c:3235
 veth_newlink+0x20e/0xa90 drivers/net/veth.c:1748

Freed by task 8:
 ...
 kfree+0xd6/0x4d0 mm/slub.c:4552
 kvfree+0x42/0x50 mm/util.c:615
 device_release+0x9f/0x240 drivers/base/core.c:2229
 kobject_cleanup lib/kobject.c:673 [inline]
 kobject_release lib/kobject.c:704 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1c8/0x540 lib/kobject.c:721
 netdev_run_todo+0x72e/0x10b0 net/core/dev.c:10327

After commit faab39f63c1f ("net: allow out-of-order netdev unregistration")
and commit e5f80fcf869a ("ipv6: give an IPv6 dev to blackhole_netdev"), we
can add dev_hold_track() in macsec_dev_init() and dev_put_track() in
macsec_free_netdev() to fix the problem.

The Linux kernel CVE team has assigned CVE-2022-49390 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.4 with commit 2bce1ebed17da54c65042ec2b962e3234bad5b47 and fixed in 5.17.15 with commit 78933cbc143b82d02330e00900d2fd08f2682f4e
	Issue introduced in 5.4 with commit 2bce1ebed17da54c65042ec2b962e3234bad5b47 and fixed in 5.18.3 with commit d130282179aa6051449ac8f8df1115769998a665
	Issue introduced in 5.4 with commit 2bce1ebed17da54c65042ec2b962e3234bad5b47 and fixed in 5.19 with commit 196a888ca6571deb344468e1d7138e3273206335
	Issue introduced in 4.14.154 with commit 1861904a6092ed411203c6a02c75bfc45b27cc3c
	Issue introduced in 4.19.84 with commit 3a2675a2d97a68332fa5c33043038bfeb31455a8
	Issue introduced in 5.3.11 with commit b0add6db3d5ec4561cab257358871a9d3df7f0a3

Please see https://www.kernel.org for a full list of kernel versions
currently supported by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49390
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/net/macsec.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/78933cbc143b82d02330e00900d2fd08f2682f4e
	https://git.kernel.org/stable/c/d130282179aa6051449ac8f8df1115769998a665
	https://git.kernel.org/stable/c/196a888ca6571deb344468e1d7138e3273206335
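
Added example (not part of the original announcement and not kernel code): a user-space C model of the lifetime rule described above, showing why an upper device that keeps a real_dev pointer without a reference can read released memory when real_dev is unregistered first, and how taking the reference at init and dropping it at free closes the window. All model_* names, run_scenario() and the ifindex value 7 are hypothetical stand-ins; only the macsec function names in the comments come from the announcement.

```c
/* User-space model added for illustration; not kernel code. */
#include <stdio.h>

struct model_dev {
    int ifindex;
    int refcnt;       /* references held by upper devices */
    int unregistered; /* unregistration has been requested */
    int released;     /* memory would have been freed */
};
struct model_macsec { struct model_dev *real_dev; int holds_ref; };
/* Memory goes away only once unregistered and no references remain. */
static void model_try_release(struct model_dev *d)
{
    if (d->unregistered && d->refcnt == 0)
        d->released = 1;
}
static void model_hold(struct model_dev *d) { d->refcnt++; }
static void model_put(struct model_dev *d) { d->refcnt--; model_try_release(d); }
static void model_unregister(struct model_dev *d) { d->unregistered = 1; model_try_release(d); }
/* Stand-in for macsec_dev_init(): the fix takes the reference here. */
static void model_macsec_init(struct model_macsec *m, struct model_dev *real, int fixed)
{
    m->real_dev = real;
    m->holds_ref = fixed;
    if (fixed)
        model_hold(real);
}
/* Stand-in for macsec_free_netdev(): the fix drops the reference here. */
static void model_macsec_free(struct model_macsec *m) { if (m->holds_ref) model_put(m->real_dev); }
/* Stand-in for macsec_get_iflink(); -1 marks the read KASAN would flag. */
static int model_get_iflink(const struct model_macsec *m) { return m->real_dev->released ? -1 : m->real_dev->ifindex; }

/* Unregister real_dev while macsec still exists, then read iflink. */
int run_scenario(int fixed, int *released_after_free)
{
    struct model_dev real = { .ifindex = 7 };
    struct model_macsec m;
    model_macsec_init(&m, &real, fixed);
    model_unregister(&real);
    int iflink = model_get_iflink(&m);
    model_macsec_free(&m);
    *released_after_free = real.released; /* reference must not leak */
    return iflink;
}
int main(void)
{
    int rel, before = run_scenario(0, &rel), after = run_scenario(1, &rel);
    printf("iflink read: unfixed=%d fixed=%d\n", before, after);
    return 0;
}
```

The model records a "released" flag instead of calling free(), so the unfixed path can be observed without undefined behaviour.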
