| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022659-CVE-2022-49450-a2f7@gregkh> Date: Wed, 26 Feb 2025 03:12:04 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2022-49450: rxrpc: Fix listen() setting the bar too high for the prealloc rings Description =========== In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix listen() setting the bar too high for the prealloc rings AF_RXRPC's listen() handler lets you set the backlog up to 32 (if you bump up the sysctl), but whilst the preallocation circular buffers have 32 slots in them, one of them has to be a dead slot because we're using CIRC_CNT(). This means that listen(rxrpc_sock, 32) will cause an oops when the socket is closed because rxrpc_service_prealloc_one() allocated one too many calls and rxrpc_discard_prealloc() won't then be able to get rid of them because it'll think the ring is empty. rxrpc_release_calls_on_socket() then tries to abort them, but oopses because call->peer isn't yet set. Fix this by setting the maximum backlog to RXRPC_BACKLOG_MAX - 1 to match the ring capacity. BUG: kernel NULL pointer dereference, address: 0000000000000086 ... RIP: 0010:rxrpc_send_abort_packet+0x73/0x240 [rxrpc] Call Trace: <TASK> ? __wake_up_common_lock+0x7a/0x90 ? rxrpc_notify_socket+0x8e/0x140 [rxrpc] ? rxrpc_abort_call+0x4c/0x60 [rxrpc] rxrpc_release_calls_on_socket+0x107/0x1a0 [rxrpc] rxrpc_release+0xc9/0x1c0 [rxrpc] __sock_release+0x37/0xa0 sock_close+0x11/0x20 __fput+0x89/0x240 task_work_run+0x59/0x90 do_exit+0x319/0xaa0 The Linux kernel CVE team has assigned CVE-2022-49450 to this issue. Affected and fixed versions =========================== Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 4.9.318 with commit 61fb38cfbb1d54d3dafd0c25752f684b3cd00b32 Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 4.14.283 with commit 616f76498d5ddf26b997caf64a95cda3c8a55533 Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 4.19.247 with commit 4a3a78b7918bdd723d8c7c9786522ca969bffcc4 Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 5.4.198 with commit 91b34bf0409f43bb60453bab23c5beadd726d022 Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 5.10.121 with commit 5b4826657d36c218e9f08e8d3223b0edce3de88f Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 5.15.46 with commit b3a9b227d5e7467b8518160ff034ea22bb9de573 Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 5.17.14 with commit 369de57492c4f1a42563c5a3bd365822ca3bfc79 Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 5.18.3 with commit e198f1930050e3115c80b67d9249f80f98a27c67 Issue introduced in 4.9 with commit 00e907127e6f86d0f9b122d9b4347a8aa09a8b61 and fixed in 5.19 with commit 88e22159750b0d55793302eeed8ee603f5c1a95c Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-49450 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/rxrpc/sysctl.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/61fb38cfbb1d54d3dafd0c25752f684b3cd00b32 https://git.kernel.org/stable/c/616f76498d5ddf26b997caf64a95cda3c8a55533 https://git.kernel.org/stable/c/4a3a78b7918bdd723d8c7c9786522ca969bffcc4 https://git.kernel.org/stable/c/91b34bf0409f43bb60453bab23c5beadd726d022 https://git.kernel.org/stable/c/5b4826657d36c218e9f08e8d3223b0edce3de88f https://git.kernel.org/stable/c/b3a9b227d5e7467b8518160ff034ea22bb9de573 https://git.kernel.org/stable/c/369de57492c4f1a42563c5a3bd365822ca3bfc79 https://git.kernel.org/stable/c/e198f1930050e3115c80b67d9249f80f98a27c67 https://git.kernel.org/stable/c/88e22159750b0d55793302eeed8ee603f5c1a95c
Powered by blists - more mailing lists