cve/published/2022/CVE-2022-49195.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49195: net: dsa: fix panic on shutdown if multi-chip tree failed to probe

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: dsa: fix panic on shutdown if multi-chip tree failed to probe

 DSA probing is atypical because a tree of devices must probe all at
 once, so out of N switches which call dsa_tree_setup_routing_table()
 during probe, for (N - 1) of them, "complete" will return false and they
 will exit probing early. The Nth switch will set up the whole tree on
 their behalf.

 The implication is that for (N - 1) switches, the driver binds to the
 device successfully, without doing anything. When the driver is bound,
 the ->shutdown() method may run. But if the Nth switch has failed to
 initialize the tree, there is nothing to do for the (N - 1) driver
 instances, since the slave devices have not been created, etc. Moreover,
 dsa_switch_shutdown() expects that the calling @ds has been in fact
 initialized, so it jumps at dereferencing the various data structures,
 which is incorrect.

 Avoid the ensuing NULL pointer dereferences by simply checking whether
 the Nth switch has previously set "ds->setup = true" for the switch
 which is currently shutting down. The entire setup is serialized under
 dsa2_mutex which we already hold.

 The Linux kernel CVE team has assigned CVE-2022-49195 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.15 with commit 0650bf52b31ff35dc6430fc2e37969c36baba724 and fixed in 5.15.33 with commit 95df5cd5a446df6738d2d45872e08594819080e4
 	Issue introduced in 5.15 with commit 0650bf52b31ff35dc6430fc2e37969c36baba724 and fixed in 5.16.19 with commit b6e668ff43ebd87ccc8a19e5481345c428672295
 	Issue introduced in 5.15 with commit 0650bf52b31ff35dc6430fc2e37969c36baba724 and fixed in 5.17.2 with commit b864d5350c18bea9369d0bdd9e7eb6f6172cc283
 	Issue introduced in 5.15 with commit 0650bf52b31ff35dc6430fc2e37969c36baba724 and fixed in 5.18 with commit 8fd36358ce82382519b50b05f437493e1e00c4a9

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49195
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/dsa/dsa2.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/95df5cd5a446df6738d2d45872e08594819080e4
 	https://git.kernel.org/stable/c/b6e668ff43ebd87ccc8a19e5481345c428672295
 	https://git.kernel.org/stable/c/b864d5350c18bea9369d0bdd9e7eb6f6172cc283
 	https://git.kernel.org/stable/c/8fd36358ce82382519b50b05f437493e1e00c4a9
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49195: net: dsa: fix panic on shutdown if multi-chip tree failed to probe

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: dsa: fix panic on shutdown if multi-chip tree failed to probe

	DSA probing is atypical because a tree of devices must probe all at
	once, so out of N switches which call dsa_tree_setup_routing_table()
	during probe, for (N - 1) of them, "complete" will return false and they
	will exit probing early. The Nth switch will set up the whole tree on
	their behalf.

	The implication is that for (N - 1) switches, the driver binds to the
	device successfully, without doing anything. When the driver is bound,
	the ->shutdown() method may run. But if the Nth switch has failed to
	initialize the tree, there is nothing to do for the (N - 1) driver
	instances, since the slave devices have not been created, etc. Moreover,
	dsa_switch_shutdown() expects that the calling @ds has been in fact
	initialized, so it jumps at dereferencing the various data structures,
	which is incorrect.

	Avoid the ensuing NULL pointer dereferences by simply checking whether
	the Nth switch has previously set "ds->setup = true" for the switch
	which is currently shutting down. The entire setup is serialized under
	dsa2_mutex which we already hold.

	The Linux kernel CVE team has assigned CVE-2022-49195 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.15 with commit 0650bf52b31ff35dc6430fc2e37969c36baba724 and fixed in 5.15.33 with commit 95df5cd5a446df6738d2d45872e08594819080e4
	Issue introduced in 5.15 with commit 0650bf52b31ff35dc6430fc2e37969c36baba724 and fixed in 5.16.19 with commit b6e668ff43ebd87ccc8a19e5481345c428672295
	Issue introduced in 5.15 with commit 0650bf52b31ff35dc6430fc2e37969c36baba724 and fixed in 5.17.2 with commit b864d5350c18bea9369d0bdd9e7eb6f6172cc283
	Issue introduced in 5.15 with commit 0650bf52b31ff35dc6430fc2e37969c36baba724 and fixed in 5.18 with commit 8fd36358ce82382519b50b05f437493e1e00c4a9

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49195
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/dsa/dsa2.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/95df5cd5a446df6738d2d45872e08594819080e4
	https://git.kernel.org/stable/c/b6e668ff43ebd87ccc8a19e5481345c428672295
	https://git.kernel.org/stable/c/b864d5350c18bea9369d0bdd9e7eb6f6172cc283
	https://git.kernel.org/stable/c/8fd36358ce82382519b50b05f437493e1e00c4a9