CVE-2022-48935

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48935
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48935.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-48935
Related
Published
2024-08-22T04:15:16Z
Modified
2024-09-18T03:22:40.318579Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: unregister flowtable hooks on netns exit

Unregister flowtable hooks before they are releases via nftablesflowtable_destroy() otherwise hook core reports UAF.

BUG: KASAN: use-after-free in nfhookentries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142 Read of size 4 at addr ffff8880736f7438 by task syz-executor579/3666

CPU: 0 PID: 3666 Comm: syz-executor579 Not tainted 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <TASK> _dumpstack lib/dumpstack.c:88 [inline] _dumpstack lib/dumpstack.c:88 [inline] lib/dumpstack.c:106 dumpstacklvl+0x1dc/0x2d8 lib/dumpstack.c:106 lib/dumpstack.c:106 printaddressdescription+0x65/0x380 mm/kasan/report.c:247 mm/kasan/report.c:247 _kasanreport mm/kasan/report.c:433 [inline] _kasanreport mm/kasan/report.c:433 [inline] mm/kasan/report.c:450 kasanreport+0x19a/0x1f0 mm/kasan/report.c:450 mm/kasan/report.c:450 nfhookentriesgrow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142 _nfregisternethook+0x27e/0x8d0 net/netfilter/core.c:429 net/netfilter/core.c:429 nfregisternethook+0xaa/0x180 net/netfilter/core.c:571 net/netfilter/core.c:571 nftregisterflowtablenethooks+0x3c5/0x730 net/netfilter/nftablesapi.c:7232 net/netfilter/nftablesapi.c:7232 nftablesnewflowtable+0x2022/0x2cf0 net/netfilter/nftablesapi.c:7430 net/netfilter/nftablesapi.c:7430 nfnetlinkrcvbatch net/netfilter/nfnetlink.c:513 [inline] nfnetlinkrcvskbbatch net/netfilter/nfnetlink.c:634 [inline] nfnetlinkrcvbatch net/netfilter/nfnetlink.c:513 [inline] net/netfilter/nfnetlink.c:652 nfnetlinkrcvskbbatch net/netfilter/nfnetlink.c:634 [inline] net/netfilter/nfnetlink.c:652 nfnetlink_rcv+0x10e6/0x2550 net/netfilter/nfnetlink.c:652 net/netfilter/nfnetlink.c:652

_nftreleasehook() calls nftunregisterflowtablenethooks() which only unregisters the hooks, then after RCU grace period, it is guaranteed that no packets add new entries to the flowtable (no flow offload rules and flowtable hooks are reachable from packet path), so it is safe to call nfflowtablefree() which cleans up the remaining entries from the flowtable (both software and hardware) and it unbinds the flow_block.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.205-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2
5.10.162-1
5.10.178-1
5.10.178-2
5.10.178-3
5.10.179-1
5.10.179-2
5.10.179-3
5.10.179-4
5.10.179-5
5.10.191-1
5.10.197-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.16.12-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.16.12-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}