cve/published/2022/CVE-2022-49390.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49390: macsec: fix UAF bug for real_dev

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 macsec: fix UAF bug for real_dev

 Create a new macsec device but not get reference to real_dev. That can
 not ensure that real_dev is freed after macsec. That will trigger the
 UAF bug for real_dev as following:

 ==================================================================
 BUG: KASAN: use-after-free in macsec_get_iflink+0x5f/0x70 drivers/net/macsec.c:3662
 Call Trace:
  ...
  macsec_get_iflink+0x5f/0x70 drivers/net/macsec.c:3662
  dev_get_iflink+0x73/0xe0 net/core/dev.c:637
  default_operstate net/core/link_watch.c:42 [inline]
  rfc2863_policy+0x233/0x2d0 net/core/link_watch.c:54
  linkwatch_do_dev+0x2a/0x150 net/core/link_watch.c:161

 Allocated by task 22209:
  ...
  alloc_netdev_mqs+0x98/0x1100 net/core/dev.c:10549
  rtnl_create_link+0x9d7/0xc00 net/core/rtnetlink.c:3235
  veth_newlink+0x20e/0xa90 drivers/net/veth.c:1748

 Freed by task 8:
  ...
  kfree+0xd6/0x4d0 mm/slub.c:4552
  kvfree+0x42/0x50 mm/util.c:615
  device_release+0x9f/0x240 drivers/base/core.c:2229
  kobject_cleanup lib/kobject.c:673 [inline]
  kobject_release lib/kobject.c:704 [inline]
  kref_put include/linux/kref.h:65 [inline]
  kobject_put+0x1c8/0x540 lib/kobject.c:721
  netdev_run_todo+0x72e/0x10b0 net/core/dev.c:10327

 After commit faab39f63c1f ("net: allow out-of-order netdev unregistration")
 and commit e5f80fcf869a ("ipv6: give an IPv6 dev to blackhole_netdev"), we
 can add dev_hold_track() in macsec_dev_init() and dev_put_track() in
 macsec_free_netdev() to fix the problem.

 The Linux kernel CVE team has assigned CVE-2022-49390 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.4 with commit 2bce1ebed17da54c65042ec2b962e3234bad5b47 and fixed in 5.17.15 with commit 78933cbc143b82d02330e00900d2fd08f2682f4e
 	Issue introduced in 5.4 with commit 2bce1ebed17da54c65042ec2b962e3234bad5b47 and fixed in 5.18.3 with commit d130282179aa6051449ac8f8df1115769998a665
 	Issue introduced in 5.4 with commit 2bce1ebed17da54c65042ec2b962e3234bad5b47 and fixed in 5.19 with commit 196a888ca6571deb344468e1d7138e3273206335
 	Issue introduced in 4.14.154 with commit 1861904a6092ed411203c6a02c75bfc45b27cc3c
 	Issue introduced in 4.19.84 with commit 3a2675a2d97a68332fa5c33043038bfeb31455a8
 	Issue introduced in 5.3.11 with commit b0add6db3d5ec4561cab257358871a9d3df7f0a3

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49390
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/macsec.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/78933cbc143b82d02330e00900d2fd08f2682f4e
 	https://git.kernel.org/stable/c/d130282179aa6051449ac8f8df1115769998a665
 	https://git.kernel.org/stable/c/196a888ca6571deb344468e1d7138e3273206335
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49390: macsec: fix UAF bug for real_dev

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	macsec: fix UAF bug for real_dev

	Create a new macsec device but not get reference to real_dev. That can
	not ensure that real_dev is freed after macsec. That will trigger the
	UAF bug for real_dev as following:

	==================================================================
	BUG: KASAN: use-after-free in macsec_get_iflink+0x5f/0x70 drivers/net/macsec.c:3662
	Call Trace:
	...
	macsec_get_iflink+0x5f/0x70 drivers/net/macsec.c:3662
	dev_get_iflink+0x73/0xe0 net/core/dev.c:637
	default_operstate net/core/link_watch.c:42 [inline]
	rfc2863_policy+0x233/0x2d0 net/core/link_watch.c:54
	linkwatch_do_dev+0x2a/0x150 net/core/link_watch.c:161

	Allocated by task 22209:
	...
	alloc_netdev_mqs+0x98/0x1100 net/core/dev.c:10549
	rtnl_create_link+0x9d7/0xc00 net/core/rtnetlink.c:3235
	veth_newlink+0x20e/0xa90 drivers/net/veth.c:1748

	Freed by task 8:
	...
	kfree+0xd6/0x4d0 mm/slub.c:4552
	kvfree+0x42/0x50 mm/util.c:615
	device_release+0x9f/0x240 drivers/base/core.c:2229
	kobject_cleanup lib/kobject.c:673 [inline]
	kobject_release lib/kobject.c:704 [inline]
	kref_put include/linux/kref.h:65 [inline]
	kobject_put+0x1c8/0x540 lib/kobject.c:721
	netdev_run_todo+0x72e/0x10b0 net/core/dev.c:10327

	After commit faab39f63c1f ("net: allow out-of-order netdev unregistration")
	and commit e5f80fcf869a ("ipv6: give an IPv6 dev to blackhole_netdev"), we
	can add dev_hold_track() in macsec_dev_init() and dev_put_track() in
	macsec_free_netdev() to fix the problem.

	The Linux kernel CVE team has assigned CVE-2022-49390 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.4 with commit 2bce1ebed17da54c65042ec2b962e3234bad5b47 and fixed in 5.17.15 with commit 78933cbc143b82d02330e00900d2fd08f2682f4e
	Issue introduced in 5.4 with commit 2bce1ebed17da54c65042ec2b962e3234bad5b47 and fixed in 5.18.3 with commit d130282179aa6051449ac8f8df1115769998a665
	Issue introduced in 5.4 with commit 2bce1ebed17da54c65042ec2b962e3234bad5b47 and fixed in 5.19 with commit 196a888ca6571deb344468e1d7138e3273206335
	Issue introduced in 4.14.154 with commit 1861904a6092ed411203c6a02c75bfc45b27cc3c
	Issue introduced in 4.19.84 with commit 3a2675a2d97a68332fa5c33043038bfeb31455a8
	Issue introduced in 5.3.11 with commit b0add6db3d5ec4561cab257358871a9d3df7f0a3

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49390
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/macsec.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/78933cbc143b82d02330e00900d2fd08f2682f4e
	https://git.kernel.org/stable/c/d130282179aa6051449ac8f8df1115769998a665
	https://git.kernel.org/stable/c/196a888ca6571deb344468e1d7138e3273206335