cve/published/2022/CVE-2022-49808.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49808: net: dsa: don't leak tagger-owned storage on switch driver unbind

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: dsa: don't leak tagger-owned storage on switch driver unbind

 In the initial commit dc452a471dba ("net: dsa: introduce tagger-owned
 storage for private and shared data"), we had a call to
 tag_ops->disconnect(dst) issued from dsa_tree_free(), which is called at
 tree teardown time.

 There were problems with connecting to a switch tree as a whole, so this
 got reworked to connecting to individual switches within the tree. In
 this process, tag_ops->disconnect(ds) was made to be called only from
 switch.c (cross-chip notifiers emitted as a result of dynamic tag proto
 changes), but the normal driver teardown code path wasn't replaced with
 anything.

 Solve this problem by adding a function that does the opposite of
 dsa_switch_setup_tag_protocol(), which is called from the equivalent
 spot in dsa_switch_teardown(). The positioning here also ensures that we
 won't have any use-after-free in tagging protocol (*rcv) ops, since the
 teardown sequence is as follows:

 dsa_tree_teardown
 -> dsa_tree_teardown_master
    -> dsa_master_teardown
       -> unsets master->dsa_ptr, making no further packets match the
          ETH_P_XDSA packet type handler
 -> dsa_tree_teardown_ports
    -> dsa_port_teardown
       -> dsa_slave_destroy
          -> unregisters DSA net devices, there is even a synchronize_net()
             in unregister_netdevice_many()
 -> dsa_tree_teardown_switches
    -> dsa_switch_teardown
       -> dsa_switch_teardown_tag_protocol
          -> finally frees the tagger-owned storage

 The Linux kernel CVE team has assigned CVE-2022-49808 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.17 with commit 7f2973149c22e7a6fee4c0c9fa6b8e4108e9c208 and fixed in 6.0.10 with commit 5809fb03942dbac25144db5bebea84fa003ecaca
 	Issue introduced in 5.17 with commit 7f2973149c22e7a6fee4c0c9fa6b8e4108e9c208 and fixed in 6.1 with commit 4e0c19fcb8b5323716140fa82b79aa9f60e60407

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49808
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/dsa/dsa2.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/5809fb03942dbac25144db5bebea84fa003ecaca
 	https://git.kernel.org/stable/c/4e0c19fcb8b5323716140fa82b79aa9f60e60407
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49808: net: dsa: don't leak tagger-owned storage on switch driver unbind

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: dsa: don't leak tagger-owned storage on switch driver unbind

	In the initial commit dc452a471dba ("net: dsa: introduce tagger-owned
	storage for private and shared data"), we had a call to
	tag_ops->disconnect(dst) issued from dsa_tree_free(), which is called at
	tree teardown time.

	There were problems with connecting to a switch tree as a whole, so this
	got reworked to connecting to individual switches within the tree. In
	this process, tag_ops->disconnect(ds) was made to be called only from
	switch.c (cross-chip notifiers emitted as a result of dynamic tag proto
	changes), but the normal driver teardown code path wasn't replaced with
	anything.

	Solve this problem by adding a function that does the opposite of
	dsa_switch_setup_tag_protocol(), which is called from the equivalent
	spot in dsa_switch_teardown(). The positioning here also ensures that we
	won't have any use-after-free in tagging protocol (*rcv) ops, since the
	teardown sequence is as follows:

	dsa_tree_teardown
	-> dsa_tree_teardown_master
	-> dsa_master_teardown
	-> unsets master->dsa_ptr, making no further packets match the
	ETH_P_XDSA packet type handler
	-> dsa_tree_teardown_ports
	-> dsa_port_teardown
	-> dsa_slave_destroy
	-> unregisters DSA net devices, there is even a synchronize_net()
	in unregister_netdevice_many()
	-> dsa_tree_teardown_switches
	-> dsa_switch_teardown
	-> dsa_switch_teardown_tag_protocol
	-> finally frees the tagger-owned storage

	The Linux kernel CVE team has assigned CVE-2022-49808 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.17 with commit 7f2973149c22e7a6fee4c0c9fa6b8e4108e9c208 and fixed in 6.0.10 with commit 5809fb03942dbac25144db5bebea84fa003ecaca
	Issue introduced in 5.17 with commit 7f2973149c22e7a6fee4c0c9fa6b8e4108e9c208 and fixed in 6.1 with commit 4e0c19fcb8b5323716140fa82b79aa9f60e60407

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49808
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/dsa/dsa2.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/5809fb03942dbac25144db5bebea84fa003ecaca
	https://git.kernel.org/stable/c/4e0c19fcb8b5323716140fa82b79aa9f60e60407