cve/published/2022/CVE-2022-49636.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49636: vlan: fix memory leak in vlan_newlink()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 vlan: fix memory leak in vlan_newlink()

 Blamed commit added back a bug I fixed in commit 9bbd917e0bec
 ("vlan: fix memory leak in vlan_dev_set_egress_priority")

 If a memory allocation fails in vlan_changelink() after other allocations
 succeeded, we need to call vlan_dev_free_egress_priority()
 to free all allocated memory because after a failed ->newlink()
 we do not call any methods like ndo_uninit() or dev->priv_destructor().

 In following example, if the allocation for last element 2000:2001 fails,
 we need to free eight prior allocations:

 ip link add link dummy0 dummy0.100 type vlan id 100 \
 	egress-qos-map 1:2 2:3 3:4 4:5 5:6 6:7 7:8 8:9 2000:2001

 syzbot report was:

 BUG: memory leak
 unreferenced object 0xffff888117bd1060 (size 32):
 comm "syz-executor408", pid 3759, jiffies 4294956555 (age 34.090s)
 hex dump (first 32 bytes):
 09 00 00 00 00 a0 00 00 00 00 00 00 00 00 00 00 ................
 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
 backtrace:
 [<ffffffff83fc60ad>] kmalloc include/linux/slab.h:600 [inline]
 [<ffffffff83fc60ad>] vlan_dev_set_egress_priority+0xed/0x170 net/8021q/vlan_dev.c:193
 [<ffffffff83fc6628>] vlan_changelink+0x178/0x1d0 net/8021q/vlan_netlink.c:128
 [<ffffffff83fc67c8>] vlan_newlink+0x148/0x260 net/8021q/vlan_netlink.c:185
 [<ffffffff838b1278>] rtnl_newlink_create net/core/rtnetlink.c:3363 [inline]
 [<ffffffff838b1278>] __rtnl_newlink+0xa58/0xdc0 net/core/rtnetlink.c:3580
 [<ffffffff838b1629>] rtnl_newlink+0x49/0x70 net/core/rtnetlink.c:3593
 [<ffffffff838ac66c>] rtnetlink_rcv_msg+0x21c/0x5c0 net/core/rtnetlink.c:6089
 [<ffffffff839f9c37>] netlink_rcv_skb+0x87/0x1d0 net/netlink/af_netlink.c:2501
 [<ffffffff839f8da7>] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 [<ffffffff839f8da7>] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345
 [<ffffffff839f9266>] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921
 [<ffffffff8384dbf6>] sock_sendmsg_nosec net/socket.c:714 [inline]
 [<ffffffff8384dbf6>] sock_sendmsg+0x56/0x80 net/socket.c:734
 [<ffffffff8384e15c>] ____sys_sendmsg+0x36c/0x390 net/socket.c:2488
 [<ffffffff838523cb>] ___sys_sendmsg+0x8b/0xd0 net/socket.c:2542
 [<ffffffff838525b8>] __sys_sendmsg net/socket.c:2571 [inline]
 [<ffffffff838525b8>] __do_sys_sendmsg net/socket.c:2580 [inline]
 [<ffffffff838525b8>] __se_sys_sendmsg net/socket.c:2578 [inline]
 [<ffffffff838525b8>] __x64_sys_sendmsg+0x78/0xf0 net/socket.c:2578
 [<ffffffff845ad8d5>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 [<ffffffff845ad8d5>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 [<ffffffff8460006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0

 The Linux kernel CVE team has assigned CVE-2022-49636 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.4.291 with commit b195d229de401377f70c04e0dff93b342464ec8e and fixed in 5.4.292 with commit 549de58dba4bf1b2adc72e9948b9c76fa88be9d2
 	Issue introduced in 5.10.235 with commit 62d7ad2c191122119c66361ba6d9f04974b51afe and fixed in 5.10.236 with commit df27729a4fe0002dfd80c96fe1c142829c672728
 	Issue introduced in 5.15.142 with commit 842801181864690fdcde73b017cce4c1353a7083 and fixed in 5.15.180 with commit f5dc10b910bdac523e5947336445a77066c51bf9
 	Issue introduced in 5.17 with commit 37aa50c539bcbcc01767e515bd170787fcfc0f33 and fixed in 5.18.13 with commit 4c43069bb1097dd6cc1cf0f7c43a36d1f7b3910b
 	Issue introduced in 5.17 with commit 37aa50c539bcbcc01767e515bd170787fcfc0f33 and fixed in 5.19 with commit 72a0b329114b1caa8e69dfa7cdad1dd3c69b8602

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49636
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/8021q/vlan_netlink.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/549de58dba4bf1b2adc72e9948b9c76fa88be9d2
 	https://git.kernel.org/stable/c/df27729a4fe0002dfd80c96fe1c142829c672728
 	https://git.kernel.org/stable/c/f5dc10b910bdac523e5947336445a77066c51bf9
 	https://git.kernel.org/stable/c/4c43069bb1097dd6cc1cf0f7c43a36d1f7b3910b
 	https://git.kernel.org/stable/c/72a0b329114b1caa8e69dfa7cdad1dd3c69b8602
	From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49636: vlan: fix memory leak in vlan_newlink()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	vlan: fix memory leak in vlan_newlink()

	Blamed commit added back a bug I fixed in commit 9bbd917e0bec
	("vlan: fix memory leak in vlan_dev_set_egress_priority")

	If a memory allocation fails in vlan_changelink() after other allocations
	succeeded, we need to call vlan_dev_free_egress_priority()
	to free all allocated memory because after a failed ->newlink()
	we do not call any methods like ndo_uninit() or dev->priv_destructor().

	In following example, if the allocation for last element 2000:2001 fails,
	we need to free eight prior allocations:

	ip link add link dummy0 dummy0.100 type vlan id 100 \
	egress-qos-map 1:2 2:3 3:4 4:5 5:6 6:7 7:8 8:9 2000:2001

	syzbot report was:

	BUG: memory leak
	unreferenced object 0xffff888117bd1060 (size 32):
	comm "syz-executor408", pid 3759, jiffies 4294956555 (age 34.090s)
	hex dump (first 32 bytes):
	09 00 00 00 00 a0 00 00 00 00 00 00 00 00 00 00 ................
	00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
	backtrace:
	[<ffffffff83fc60ad>] kmalloc include/linux/slab.h:600 [inline]
	[<ffffffff83fc60ad>] vlan_dev_set_egress_priority+0xed/0x170 net/8021q/vlan_dev.c:193
	[<ffffffff83fc6628>] vlan_changelink+0x178/0x1d0 net/8021q/vlan_netlink.c:128
	[<ffffffff83fc67c8>] vlan_newlink+0x148/0x260 net/8021q/vlan_netlink.c:185
	[<ffffffff838b1278>] rtnl_newlink_create net/core/rtnetlink.c:3363 [inline]
	[<ffffffff838b1278>] __rtnl_newlink+0xa58/0xdc0 net/core/rtnetlink.c:3580
	[<ffffffff838b1629>] rtnl_newlink+0x49/0x70 net/core/rtnetlink.c:3593
	[<ffffffff838ac66c>] rtnetlink_rcv_msg+0x21c/0x5c0 net/core/rtnetlink.c:6089
	[<ffffffff839f9c37>] netlink_rcv_skb+0x87/0x1d0 net/netlink/af_netlink.c:2501
	[<ffffffff839f8da7>] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
	[<ffffffff839f8da7>] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345
	[<ffffffff839f9266>] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921
	[<ffffffff8384dbf6>] sock_sendmsg_nosec net/socket.c:714 [inline]
	[<ffffffff8384dbf6>] sock_sendmsg+0x56/0x80 net/socket.c:734
	[<ffffffff8384e15c>] ____sys_sendmsg+0x36c/0x390 net/socket.c:2488
	[<ffffffff838523cb>] ___sys_sendmsg+0x8b/0xd0 net/socket.c:2542
	[<ffffffff838525b8>] __sys_sendmsg net/socket.c:2571 [inline]
	[<ffffffff838525b8>] __do_sys_sendmsg net/socket.c:2580 [inline]
	[<ffffffff838525b8>] __se_sys_sendmsg net/socket.c:2578 [inline]
	[<ffffffff838525b8>] __x64_sys_sendmsg+0x78/0xf0 net/socket.c:2578
	[<ffffffff845ad8d5>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
	[<ffffffff845ad8d5>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
	[<ffffffff8460006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0

	The Linux kernel CVE team has assigned CVE-2022-49636 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.4.291 with commit b195d229de401377f70c04e0dff93b342464ec8e and fixed in 5.4.292 with commit 549de58dba4bf1b2adc72e9948b9c76fa88be9d2
	Issue introduced in 5.10.235 with commit 62d7ad2c191122119c66361ba6d9f04974b51afe and fixed in 5.10.236 with commit df27729a4fe0002dfd80c96fe1c142829c672728
	Issue introduced in 5.15.142 with commit 842801181864690fdcde73b017cce4c1353a7083 and fixed in 5.15.180 with commit f5dc10b910bdac523e5947336445a77066c51bf9
	Issue introduced in 5.17 with commit 37aa50c539bcbcc01767e515bd170787fcfc0f33 and fixed in 5.18.13 with commit 4c43069bb1097dd6cc1cf0f7c43a36d1f7b3910b
	Issue introduced in 5.17 with commit 37aa50c539bcbcc01767e515bd170787fcfc0f33 and fixed in 5.19 with commit 72a0b329114b1caa8e69dfa7cdad1dd3c69b8602

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49636
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/8021q/vlan_netlink.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/549de58dba4bf1b2adc72e9948b9c76fa88be9d2
	https://git.kernel.org/stable/c/df27729a4fe0002dfd80c96fe1c142829c672728
	https://git.kernel.org/stable/c/f5dc10b910bdac523e5947336445a77066c51bf9
	https://git.kernel.org/stable/c/4c43069bb1097dd6cc1cf0f7c43a36d1f7b3910b
	https://git.kernel.org/stable/c/72a0b329114b1caa8e69dfa7cdad1dd3c69b8602