cve/published/2022/CVE-2022-49695.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49695: igb: fix a use-after-free issue in igb_clean_tx_ring

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 igb: fix a use-after-free issue in igb_clean_tx_ring

 Fix the following use-after-free bug in igb_clean_tx_ring routine when
 the NIC is running in XDP mode. The issue can be triggered redirecting
 traffic into the igb NIC and then closing the device while the traffic
 is flowing.

 [   73.322719] CPU: 1 PID: 487 Comm: xdp_redirect Not tainted 5.18.3-apu2 #9
 [   73.330639] Hardware name: PC Engines APU2/APU2, BIOS 4.0.7 02/28/2017
 [   73.337434] RIP: 0010:refcount_warn_saturate+0xa7/0xf0
 [   73.362283] RSP: 0018:ffffc9000081f798 EFLAGS: 00010282
 [   73.367761] RAX: 0000000000000000 RBX: ffffc90000420f80 RCX: 0000000000000000
 [   73.375200] RDX: ffff88811ad22d00 RSI: ffff88811ad171e0 RDI: ffff88811ad171e0
 [   73.382590] RBP: 0000000000000900 R08: ffffffff82298f28 R09: 0000000000000058
 [   73.390008] R10: 0000000000000219 R11: ffffffff82280f40 R12: 0000000000000090
 [   73.397356] R13: ffff888102343a40 R14: ffff88810359e0e4 R15: 0000000000000000
 [   73.404806] FS:  00007ff38d31d740(0000) GS:ffff88811ad00000(0000) knlGS:0000000000000000
 [   73.413129] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 [   73.419096] CR2: 000055cff35f13f8 CR3: 0000000106391000 CR4: 00000000000406e0
 [   73.426565] Call Trace:
 [   73.429087]  <TASK>
 [   73.431314]  igb_clean_tx_ring+0x43/0x140 [igb]
 [   73.436002]  igb_down+0x1d7/0x220 [igb]
 [   73.439974]  __igb_close+0x3c/0x120 [igb]
 [   73.444118]  igb_xdp+0x10c/0x150 [igb]
 [   73.447983]  ? igb_pci_sriov_configure+0x70/0x70 [igb]
 [   73.453362]  dev_xdp_install+0xda/0x110
 [   73.457371]  dev_xdp_attach+0x1da/0x550
 [   73.461369]  do_setlink+0xfd0/0x10f0
 [   73.465166]  ? __nla_validate_parse+0x89/0xc70
 [   73.469714]  rtnl_setlink+0x11a/0x1e0
 [   73.473547]  rtnetlink_rcv_msg+0x145/0x3d0
 [   73.477709]  ? rtnl_calcit.isra.0+0x130/0x130
 [   73.482258]  netlink_rcv_skb+0x8d/0x110
 [   73.486229]  netlink_unicast+0x230/0x340
 [   73.490317]  netlink_sendmsg+0x215/0x470
 [   73.494395]  __sys_sendto+0x179/0x190
 [   73.498268]  ? move_addr_to_user+0x37/0x70
 [   73.502547]  ? __sys_getsockname+0x84/0xe0
 [   73.506853]  ? netlink_setsockopt+0x1c1/0x4a0
 [   73.511349]  ? __sys_setsockopt+0xc8/0x1d0
 [   73.515636]  __x64_sys_sendto+0x20/0x30
 [   73.519603]  do_syscall_64+0x3b/0x80
 [   73.523399]  entry_SYSCALL_64_after_hwframe+0x44/0xae
 [   73.528712] RIP: 0033:0x7ff38d41f20c
 [   73.551866] RSP: 002b:00007fff3b945a68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
 [   73.559640] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff38d41f20c
 [   73.567066] RDX: 0000000000000034 RSI: 00007fff3b945b30 RDI: 0000000000000003
 [   73.574457] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
 [   73.581852] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff3b945ab0
 [   73.589179] R13: 0000000000000000 R14: 0000000000000003 R15: 00007fff3b945b30
 [   73.596545]  </TASK>
 [   73.598842] ---[ end trace 0000000000000000 ]---

 The Linux kernel CVE team has assigned CVE-2022-49695 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.10 with commit 9cbc948b5a20c9c054d9631099c0426c16da546b and fixed in 5.10.127 with commit c12a2c9b1b460ed72e6b3c33aac1ef51b0329b66
 	Issue introduced in 5.10 with commit 9cbc948b5a20c9c054d9631099c0426c16da546b and fixed in 5.15.51 with commit 2af944210dc23d43d8208dafac4df7be7e3c168b
 	Issue introduced in 5.10 with commit 9cbc948b5a20c9c054d9631099c0426c16da546b and fixed in 5.18.8 with commit 68a0ed06dcd5d3ea732d011c0b83d66e4791f521
 	Issue introduced in 5.10 with commit 9cbc948b5a20c9c054d9631099c0426c16da546b and fixed in 5.19 with commit 3f6a57ee8544ec3982f8a3cbcbf4aea7d47eb9ec

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49695
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ethernet/intel/igb/igb_main.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/c12a2c9b1b460ed72e6b3c33aac1ef51b0329b66
 	https://git.kernel.org/stable/c/2af944210dc23d43d8208dafac4df7be7e3c168b
 	https://git.kernel.org/stable/c/68a0ed06dcd5d3ea732d011c0b83d66e4791f521
 	https://git.kernel.org/stable/c/3f6a57ee8544ec3982f8a3cbcbf4aea7d47eb9ec
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49695: igb: fix a use-after-free issue in igb_clean_tx_ring

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	igb: fix a use-after-free issue in igb_clean_tx_ring

	Fix the following use-after-free bug in igb_clean_tx_ring routine when
	the NIC is running in XDP mode. The issue can be triggered redirecting
	traffic into the igb NIC and then closing the device while the traffic
	is flowing.

	[ 73.322719] CPU: 1 PID: 487 Comm: xdp_redirect Not tainted 5.18.3-apu2 #9
	[ 73.330639] Hardware name: PC Engines APU2/APU2, BIOS 4.0.7 02/28/2017
	[ 73.337434] RIP: 0010:refcount_warn_saturate+0xa7/0xf0
	[ 73.362283] RSP: 0018:ffffc9000081f798 EFLAGS: 00010282
	[ 73.367761] RAX: 0000000000000000 RBX: ffffc90000420f80 RCX: 0000000000000000
	[ 73.375200] RDX: ffff88811ad22d00 RSI: ffff88811ad171e0 RDI: ffff88811ad171e0
	[ 73.382590] RBP: 0000000000000900 R08: ffffffff82298f28 R09: 0000000000000058
	[ 73.390008] R10: 0000000000000219 R11: ffffffff82280f40 R12: 0000000000000090
	[ 73.397356] R13: ffff888102343a40 R14: ffff88810359e0e4 R15: 0000000000000000
	[ 73.404806] FS: 00007ff38d31d740(0000) GS:ffff88811ad00000(0000) knlGS:0000000000000000
	[ 73.413129] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	[ 73.419096] CR2: 000055cff35f13f8 CR3: 0000000106391000 CR4: 00000000000406e0
	[ 73.426565] Call Trace:
	[ 73.429087] <TASK>
	[ 73.431314] igb_clean_tx_ring+0x43/0x140 [igb]
	[ 73.436002] igb_down+0x1d7/0x220 [igb]
	[ 73.439974] __igb_close+0x3c/0x120 [igb]
	[ 73.444118] igb_xdp+0x10c/0x150 [igb]
	[ 73.447983] ? igb_pci_sriov_configure+0x70/0x70 [igb]
	[ 73.453362] dev_xdp_install+0xda/0x110
	[ 73.457371] dev_xdp_attach+0x1da/0x550
	[ 73.461369] do_setlink+0xfd0/0x10f0
	[ 73.465166] ? __nla_validate_parse+0x89/0xc70
	[ 73.469714] rtnl_setlink+0x11a/0x1e0
	[ 73.473547] rtnetlink_rcv_msg+0x145/0x3d0
	[ 73.477709] ? rtnl_calcit.isra.0+0x130/0x130
	[ 73.482258] netlink_rcv_skb+0x8d/0x110
	[ 73.486229] netlink_unicast+0x230/0x340
	[ 73.490317] netlink_sendmsg+0x215/0x470
	[ 73.494395] __sys_sendto+0x179/0x190
	[ 73.498268] ? move_addr_to_user+0x37/0x70
	[ 73.502547] ? __sys_getsockname+0x84/0xe0
	[ 73.506853] ? netlink_setsockopt+0x1c1/0x4a0
	[ 73.511349] ? __sys_setsockopt+0xc8/0x1d0
	[ 73.515636] __x64_sys_sendto+0x20/0x30
	[ 73.519603] do_syscall_64+0x3b/0x80
	[ 73.523399] entry_SYSCALL_64_after_hwframe+0x44/0xae
	[ 73.528712] RIP: 0033:0x7ff38d41f20c
	[ 73.551866] RSP: 002b:00007fff3b945a68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
	[ 73.559640] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff38d41f20c
	[ 73.567066] RDX: 0000000000000034 RSI: 00007fff3b945b30 RDI: 0000000000000003
	[ 73.574457] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
	[ 73.581852] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff3b945ab0
	[ 73.589179] R13: 0000000000000000 R14: 0000000000000003 R15: 00007fff3b945b30
	[ 73.596545] </TASK>
	[ 73.598842] ---[ end trace 0000000000000000 ]---

	The Linux kernel CVE team has assigned CVE-2022-49695 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.10 with commit 9cbc948b5a20c9c054d9631099c0426c16da546b and fixed in 5.10.127 with commit c12a2c9b1b460ed72e6b3c33aac1ef51b0329b66
	Issue introduced in 5.10 with commit 9cbc948b5a20c9c054d9631099c0426c16da546b and fixed in 5.15.51 with commit 2af944210dc23d43d8208dafac4df7be7e3c168b
	Issue introduced in 5.10 with commit 9cbc948b5a20c9c054d9631099c0426c16da546b and fixed in 5.18.8 with commit 68a0ed06dcd5d3ea732d011c0b83d66e4791f521
	Issue introduced in 5.10 with commit 9cbc948b5a20c9c054d9631099c0426c16da546b and fixed in 5.19 with commit 3f6a57ee8544ec3982f8a3cbcbf4aea7d47eb9ec

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49695
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ethernet/intel/igb/igb_main.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/c12a2c9b1b460ed72e6b3c33aac1ef51b0329b66
	https://git.kernel.org/stable/c/2af944210dc23d43d8208dafac4df7be7e3c168b
	https://git.kernel.org/stable/c/68a0ed06dcd5d3ea732d011c0b83d66e4791f521
	https://git.kernel.org/stable/c/3f6a57ee8544ec3982f8a3cbcbf4aea7d47eb9ec