| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2022-48914: xen/netfront: destroy queues before real_num_tx_queues is zeroed |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| xen/netfront: destroy queues before real_num_tx_queues is zeroed |
| |
| xennet_destroy_queues() relies on info->netdev->real_num_tx_queues to |
| delete queues. Since d7dac083414eb5bb99a6d2ed53dc2c1b405224e5 |
| ("net-sysfs: update the queue counts in the unregistration path"), |
| unregister_netdev() indirectly sets real_num_tx_queues to 0. Those two |
| facts together means, that xennet_destroy_queues() called from |
| xennet_remove() cannot do its job, because it's called after |
| unregister_netdev(). This results in kfree-ing queues that are still |
| linked in napi, which ultimately crashes: |
| |
| BUG: kernel NULL pointer dereference, address: 0000000000000000 |
| #PF: supervisor read access in kernel mode |
| #PF: error_code(0x0000) - not-present page |
| PGD 0 P4D 0 |
| Oops: 0000 [#1] PREEMPT SMP PTI |
| CPU: 1 PID: 52 Comm: xenwatch Tainted: G W 5.16.10-1.32.fc32.qubes.x86_64+ #226 |
| RIP: 0010:free_netdev+0xa3/0x1a0 |
| Code: ff 48 89 df e8 2e e9 00 00 48 8b 43 50 48 8b 08 48 8d b8 a0 fe ff ff 48 8d a9 a0 fe ff ff 49 39 c4 75 26 eb 47 e8 ed c1 66 ff <48> 8b 85 60 01 00 00 48 8d 95 60 01 00 00 48 89 ef 48 2d 60 01 00 |
| RSP: 0000:ffffc90000bcfd00 EFLAGS: 00010286 |
| RAX: 0000000000000000 RBX: ffff88800edad000 RCX: 0000000000000000 |
| RDX: 0000000000000001 RSI: ffffc90000bcfc30 RDI: 00000000ffffffff |
| RBP: fffffffffffffea0 R08: 0000000000000000 R09: 0000000000000000 |
| R10: 0000000000000000 R11: 0000000000000001 R12: ffff88800edad050 |
| R13: ffff8880065f8f88 R14: 0000000000000000 R15: ffff8880066c6680 |
| FS: 0000000000000000(0000) GS:ffff8880f3300000(0000) knlGS:0000000000000000 |
| CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 |
| CR2: 0000000000000000 CR3: 00000000e998c006 CR4: 00000000003706e0 |
| Call Trace: |
| <TASK> |
| xennet_remove+0x13d/0x300 [xen_netfront] |
| xenbus_dev_remove+0x6d/0xf0 |
| __device_release_driver+0x17a/0x240 |
| device_release_driver+0x24/0x30 |
| bus_remove_device+0xd8/0x140 |
| device_del+0x18b/0x410 |
| ? _raw_spin_unlock+0x16/0x30 |
| ? klist_iter_exit+0x14/0x20 |
| ? xenbus_dev_request_and_reply+0x80/0x80 |
| device_unregister+0x13/0x60 |
| xenbus_dev_changed+0x18e/0x1f0 |
| xenwatch_thread+0xc0/0x1a0 |
| ? do_wait_intr_irq+0xa0/0xa0 |
| kthread+0x16b/0x190 |
| ? set_kthread_struct+0x40/0x40 |
| ret_from_fork+0x22/0x30 |
| </TASK> |
| |
| Fix this by calling xennet_destroy_queues() from xennet_uninit(), |
| when real_num_tx_queues is still available. This ensures that queues are |
| destroyed when real_num_tx_queues is set to 0, regardless of how |
| unregister_netdev() was called. |
| |
| Originally reported at |
| https://github.com/QubesOS/qubes-issues/issues/7257 |
| |
| The Linux kernel CVE team has assigned CVE-2022-48914 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 4.19.226 with commit 35cad2003b6447932cfe91f795090586306738e8 and fixed in 4.19.233 with commit 198cdc287769c717dafff5887c6125cb7a373bf3 |
| Issue introduced in 5.4.174 with commit a5d8e6189b134f5db61be5cd59cf5a74bb01edc7 and fixed in 5.4.183 with commit b40c912624775a21da32d1105e158db5f6d0554a |
| Issue introduced in 5.10.94 with commit 443133330a5d4a3fd429179d460cc297724fefe8 and fixed in 5.10.104 with commit a1753d5c29a6fb9a8966dcf04cb4f3b71e303ae8 |
| Issue introduced in 5.15.17 with commit 0abd3f9903fae6ecf8db3c89a459971fe7925499 and fixed in 5.15.27 with commit a63eb1e4a2e1a191a90217871e67fba42fd39255 |
| Issue introduced in 5.16.3 with commit c5eb468cbc1fa663bf0cc6c5360802dea4e611c2 and fixed in 5.16.13 with commit 47e2f166ed9fe17f24561d6315be2228f6a90209 |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2022-48914 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| drivers/net/xen-netfront.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/198cdc287769c717dafff5887c6125cb7a373bf3 |
| https://git.kernel.org/stable/c/b40c912624775a21da32d1105e158db5f6d0554a |
| https://git.kernel.org/stable/c/a1753d5c29a6fb9a8966dcf04cb4f3b71e303ae8 |
| https://git.kernel.org/stable/c/a63eb1e4a2e1a191a90217871e67fba42fd39255 |
| https://git.kernel.org/stable/c/47e2f166ed9fe17f24561d6315be2228f6a90209 |
| https://git.kernel.org/stable/c/dcf4ff7a48e7598e6b10126cc02177abb8ae4f3f |
