Message-ID: <2025122415-CVE-2022-50697-6281@gregkh>
Date: Wed, 24 Dec 2025 11:56:14 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2022-50697: mrp: introduce active flags to prevent UAF when applicant uninit
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
mrp: introduce active flags to prevent UAF when applicant uninit
The caller of del_timer_sync must prevent restarting of the timer. If
we do not have this synchronization, there is a small probability that the
cancellation will not be successful.
And syzbot reports the following crash:
==================================================================
BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline]
BUG: KASAN: use-after-free in enqueue_timer+0x18/0xa4 kernel/time/timer.c:605
Write at addr f9ff000024df6058 by task syz-fuzzer/2256
Pointer tag: [f9], memory tag: [fe]
CPU: 1 PID: 2256 Comm: syz-fuzzer Not tainted 6.1.0-rc5-syzkaller-00008-ge01d50cbd6ee #0
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace.part.0+0xe0/0xf0 arch/arm64/kernel/stacktrace.c:156
dump_backtrace arch/arm64/kernel/stacktrace.c:162 [inline]
show_stack+0x18/0x40 arch/arm64/kernel/stacktrace.c:163
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x68/0x84 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x1a8/0x4a0 mm/kasan/report.c:395
kasan_report+0x94/0xb4 mm/kasan/report.c:495
__do_kernel_fault+0x164/0x1e0 arch/arm64/mm/fault.c:320
do_bad_area arch/arm64/mm/fault.c:473 [inline]
do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:749
do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:825
el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:367
el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:427
el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:576
hlist_add_head include/linux/list.h:929 [inline]
enqueue_timer+0x18/0xa4 kernel/time/timer.c:605
mod_timer+0x14/0x20 kernel/time/timer.c:1161
mrp_periodic_timer_arm net/802/mrp.c:614 [inline]
mrp_periodic_timer+0xa0/0xc0 net/802/mrp.c:627
call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474
expire_timers+0x98/0xc4 kernel/time/timer.c:1519
To fix it, we can introduce a new active flag to make sure the timer will
not restart.
The Linux kernel CVE team has assigned CVE-2022-50697 to this issue.
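The fix the commit message describes is a guard on the applicant itself: a flag that teardown clears before calling del_timer_sync and that the timer callback checks before re-arming. The C below is an added illustration of that pattern, not the kernel's code and not part of this announcement. It is a single-threaded user-space model: one pending-timer slot stands in for the timer wheel, a bool for app->lock, and a counter of stores into memory the model has marked freed stands in for KASAN. Because there is no second CPU, the interleaving that the message says has "a small probability" is forced by hand (teardown runs while the periodic callback is between its protocol work and its re-arm), and the model's del_timer_sync only detaches a pending timer rather than waiting for a running callback. Function and field names follow net/802/mrp.c; their bodies here are the model's own.

```c
/* Toy model, not kernel code: why the caller of del_timer_sync() must stop a
 * self-re-arming timer from re-arming, and how the "active" flag does so. One
 * timer slot stands in for the wheel, a bool for app->lock, a UAF counter for KASAN. */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
struct timer_list { void (*function)(struct timer_list *); };

static struct timer_list *pending_timer;	/* the one timer slot */
static struct timer_list *freed_timer;		/* toy KASAN: a timer inside freed memory */
static int kasan_uaf_writes;

static void mod_timer(struct timer_list *t)
{
	if (t == freed_timer)			/* this store is a use-after-free */
		kasan_uaf_writes++;
	pending_timer = t;
}

/* Detaches a pending timer; unlike the kernel's it cannot wait for a callback on
 * another CPU, so the scenario below forces that interleaving by hand. */
static void del_timer_sync(struct timer_list *t)
{
	if (pending_timer == t)
		pending_timer = NULL;
}

static void expire_timers(void)
{
	struct timer_list *t = pending_timer;
	pending_timer = NULL;			/* detach, then run: the callback may re-arm */
	if (t)
		t->function(t);
}

/* A pending timer inside freed memory: its next expiry is the crash in the report. */
static bool dangling_timer_left(void) { return pending_timer && pending_timer == freed_timer; }

struct mrp_applicant {
	struct timer_list periodic_timer;
	bool lock;				/* stands in for spinlock_t lock */
	bool active;				/* the flag the fix introduces */
};

static bool use_active_flag;			/* false: unguarded re-arm; true: fixed */
static void (*preempt_hook)(struct mrp_applicant *);	/* runs "on the other CPU", once */
static void spin_lock(struct mrp_applicant *a) { assert(!a->lock); a->lock = true; }
static void spin_unlock(struct mrp_applicant *a) { a->lock = false; }
static void mrp_periodic_timer_arm(struct mrp_applicant *app) { mod_timer(&app->periodic_timer); }

static void mrp_periodic_timer(struct timer_list *t)
{
	struct mrp_applicant *app = container_of(t, struct mrp_applicant, periodic_timer);
	spin_lock(app);		/* protocol work (mrp_mad_event, mrp_pdu_queue) goes here */
	spin_unlock(app);
	if (preempt_hook) {	/* forced interleaving: teardown runs right now */
		void (*hook)(struct mrp_applicant *) = preempt_hook;
		preempt_hook = NULL;
		hook(app);
	}
	if (!use_active_flag) {
		mrp_periodic_timer_arm(app);	/* unconditional re-arm: the bug */
		return;
	}
	spin_lock(app);
	if (app->active)			/* teardown clears this under the same lock */
		mrp_periodic_timer_arm(app);
	spin_unlock(app);
}

static void mrp_uninit_applicant(struct mrp_applicant *app)
{
	if (use_active_flag) {
		spin_lock(app);
		app->active = false;		/* nothing may re-arm after this point */
		spin_unlock(app);
	}
	del_timer_sync(&app->periodic_timer);
	freed_timer = &app->periodic_timer;	/* kfree(app) in the kernel */
}

/* Init, then one expiry with teardown racing the callback; returns the number of
 * stores the toy KASAN saw land in freed memory: 1 unguarded, 0 with the flag. */
static int run_scenario(bool fixed)
{
	static struct mrp_applicant app;
	use_active_flag = fixed;
	kasan_uaf_writes = 0;
	freed_timer = pending_timer = NULL;
	app = (struct mrp_applicant){ .active = true, .periodic_timer.function = mrp_periodic_timer };
	mrp_periodic_timer_arm(&app);		/* as mrp_init_applicant() does */
	preempt_hook = mrp_uninit_applicant;
	expire_timers();
	return kasan_uaf_writes;
}
```

A main that calls run_scenario(false) and run_scenario(true) is all that is needed to run it: the unguarded variant records one store into freed memory and leaves a pending timer pointing at it (the next expiry is the hlist_add_head write in the report above); with the flag the count is zero and no timer is left pending. Both the clear in mrp_uninit_applicant and the check-and-arm in the callback sit under app->lock on purpose: with a bare flag the callback could read active as true, lose the CPU, and still arm after del_timer_sync has returned.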
Affected and fixed versions
===========================
Fixed in 4.9.337 with commit 98f53e591940e4c3818be358c5dc684d5b30cb56
Fixed in 4.14.303 with commit aacffc1a8dbf67c5463cb4f67b37143c01ca6fa9
Fixed in 4.19.270 with commit 78d48bc41f7726113c9f114268d3ab11212814da
Fixed in 5.4.229 with commit aadb1507a77b060c529edfeaf67f803e31461f24
Fixed in 5.10.163 with commit 755eb0879224ffc2a43de724554aeaf0e51e5a64
Fixed in 5.15.86 with commit 5d5a481a7fd0234f617535dc464ea010804a1129
Fixed in 6.0.16 with commit 1a185fe83c2a60c1e3596fb9d82dbeb148dc09c6
Fixed in 6.1.2 with commit 563e45fd5046045cc194af3ba17f5423e1c98170
Fixed in 6.2 with commit ab0377803dafc58f1e22296708c1c28e309414d6
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2022-50697
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
include/net/mrp.h
net/802/mrp.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/98f53e591940e4c3818be358c5dc684d5b30cb56
https://git.kernel.org/stable/c/aacffc1a8dbf67c5463cb4f67b37143c01ca6fa9
https://git.kernel.org/stable/c/78d48bc41f7726113c9f114268d3ab11212814da
https://git.kernel.org/stable/c/aadb1507a77b060c529edfeaf67f803e31461f24
https://git.kernel.org/stable/c/755eb0879224ffc2a43de724554aeaf0e51e5a64
https://git.kernel.org/stable/c/5d5a481a7fd0234f617535dc464ea010804a1129
https://git.kernel.org/stable/c/1a185fe83c2a60c1e3596fb9d82dbeb148dc09c6
https://git.kernel.org/stable/c/563e45fd5046045cc194af3ba17f5423e1c98170
https://git.kernel.org/stable/c/ab0377803dafc58f1e22296708c1c28e309414d6