lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2025022628-CVE-2022-49696-c188@gregkh>
Date: Wed, 26 Feb 2025 03:24:19 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2022-49696: tipc: fix use-after-free Read in tipc_named_reinit

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

tipc: fix use-after-free Read in tipc_named_reinit

syzbot found the following issue on:
==================================================================
BUG: KASAN: use-after-free in tipc_named_reinit+0x94f/0x9b0
net/tipc/name_distr.c:413
Read of size 8 at addr ffff88805299a000 by task kworker/1:9/23764

CPU: 1 PID: 23764 Comm: kworker/1:9 Not tainted
5.18.0-rc4-syzkaller-00878-g17d49e6e8012 #0
Hardware name: Google Compute Engine/Google Compute Engine,
BIOS Google 01/01/2011
Workqueue: events tipc_net_finalize_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xeb/0x495
mm/kasan/report.c:313
 print_report mm/kasan/report.c:429 [inline]
 kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
 tipc_named_reinit+0x94f/0x9b0 net/tipc/name_distr.c:413
 tipc_net_finalize+0x234/0x3d0 net/tipc/net.c:138
 process_one_work+0x996/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
 </TASK>
[...]
==================================================================

In the commit
d966ddcc3821 ("tipc: fix a deadlock when flushing scheduled work"),
the cancel_work_sync() function just to make sure ONLY the work
tipc_net_finalize_work() is executing/pending on any CPU completed before
tipc namespace is destroyed through tipc_exit_net(). But this function
is not guaranteed the work is the last queued. So, the destroyed instance
may be accessed in the work which will try to enqueue later.

In order to completely fix, we re-order the calling of cancel_work_sync()
to make sure the work tipc_net_finalize_work() was last queued and it
must be completed by calling cancel_work_sync().

The Linux kernel CVE team has assigned CVE-2022-49696 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.10 with commit d966ddcc38217a6110a6a0ff37ad2dee7d42e23e and fixed in 5.10.127 with commit 361c5521c1e49843b710f455cae3c0a50b714323
	Issue introduced in 5.10 with commit d966ddcc38217a6110a6a0ff37ad2dee7d42e23e and fixed in 5.15.51 with commit cd7789e659e84f137631dc1f5ec8d794f2700e6c
	Issue introduced in 5.10 with commit d966ddcc38217a6110a6a0ff37ad2dee7d42e23e and fixed in 5.18.8 with commit 8b246ddd394d7d9640816611693b0096b998e27a
	Issue introduced in 5.10 with commit d966ddcc38217a6110a6a0ff37ad2dee7d42e23e and fixed in 5.19 with commit 911600bf5a5e84bfda4d33ee32acc75ecf6159f0
	Issue introduced in 5.4.83 with commit fdc1416c21992ea7b4737123c8aa8c7424a1a540
	Issue introduced in 5.9.14 with commit 1716c9bd567bc6cdb3d18be78f36941a306b708d

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49696
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/tipc/core.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/361c5521c1e49843b710f455cae3c0a50b714323
	https://git.kernel.org/stable/c/cd7789e659e84f137631dc1f5ec8d794f2700e6c
	https://git.kernel.org/stable/c/8b246ddd394d7d9640816611693b0096b998e27a
	https://git.kernel.org/stable/c/911600bf5a5e84bfda4d33ee32acc75ecf6159f0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ