| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022621-CVE-2022-49654-4ed4@gregkh> Date: Wed, 26 Feb 2025 03:23:37 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2022-49654: net: dsa: qca8k: reset cpu port on MTU change Description =========== In the Linux kernel, the following vulnerability has been resolved: net: dsa: qca8k: reset cpu port on MTU change It was discovered that the Documentation lacks of a fundamental detail on how to correctly change the MAX_FRAME_SIZE of the switch. In fact if the MAX_FRAME_SIZE is changed while the cpu port is on, the switch panics and cease to send any packet. This cause the mgmt ethernet system to not receive any packet (the slow fallback still works) and makes the device not reachable. To recover from this a switch reset is required. To correctly handle this, turn off the cpu ports before changing the MAX_FRAME_SIZE and turn on again after the value is applied. The Linux kernel CVE team has assigned CVE-2022-49654 to this issue. Affected and fixed versions =========================== Issue introduced in 5.9 with commit f58d2598cf70d41f73e761b62a114d2e8f94a676 and fixed in 5.15.54 with commit 188c798f3c2554fa0d7147e9b97baf144b817019 Issue introduced in 5.9 with commit f58d2598cf70d41f73e761b62a114d2e8f94a676 and fixed in 5.18.11 with commit 1993f5a06736ada59dd54b50dc96755a38796ee5 Issue introduced in 5.9 with commit f58d2598cf70d41f73e761b62a114d2e8f94a676 and fixed in 5.19 with commit 386228c694bf1e7a7688e44412cb33500b0ac585 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-49654 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: drivers/net/dsa/qca8k.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/188c798f3c2554fa0d7147e9b97baf144b817019 https://git.kernel.org/stable/c/1993f5a06736ada59dd54b50dc96755a38796ee5 https://git.kernel.org/stable/c/386228c694bf1e7a7688e44412cb33500b0ac585
Powered by blists - more mailing lists