cve/published/2022/CVE-2022-49812.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49812: bridge: switchdev: Fix memory leaks when changing VLAN protocol

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bridge: switchdev: Fix memory leaks when changing VLAN protocol

 The bridge driver can offload VLANs to the underlying hardware either
 via switchdev or the 8021q driver. When the former is used, the VLAN is
 marked in the bridge driver with the 'BR_VLFLAG_ADDED_BY_SWITCHDEV'
 private flag.

 To avoid the memory leaks mentioned in the cited commit, the bridge
 driver will try to delete a VLAN via the 8021q driver if the VLAN is not
 marked with the previously mentioned flag.

 When the VLAN protocol of the bridge changes, switchdev drivers are
 notified via the 'SWITCHDEV_ATTR_ID_BRIDGE_VLAN_PROTOCOL' attribute, but
 the 8021q driver is also called to add the existing VLANs with the new
 protocol and delete them with the old protocol.

 In case the VLANs were offloaded via switchdev, the above behavior is
 both redundant and buggy. Redundant because the VLANs are already
 programmed in hardware and drivers that support VLAN protocol change
 (currently only mlx5) change the protocol upon the switchdev attribute
 notification. Buggy because the 8021q driver is called despite these
 VLANs being marked with 'BR_VLFLAG_ADDED_BY_SWITCHDEV'. This leads to
 memory leaks [1] when the VLANs are deleted.

 Fix by not calling the 8021q driver for VLANs that were already
 programmed via switchdev.

 [1]
 unreferenced object 0xffff8881f6771200 (size 256):
   comm "ip", pid 446855, jiffies 4298238841 (age 55.240s)
   hex dump (first 32 bytes):
     00 00 7f 0e 83 88 ff ff 00 00 00 00 00 00 00 00  ................
     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   backtrace:
     [<00000000012819ac>] vlan_vid_add+0x437/0x750
     [<00000000f2281fad>] __br_vlan_set_proto+0x289/0x920
     [<000000000632b56f>] br_changelink+0x3d6/0x13f0
     [<0000000089d25f04>] __rtnl_newlink+0x8ae/0x14c0
     [<00000000f6276baf>] rtnl_newlink+0x5f/0x90
     [<00000000746dc902>] rtnetlink_rcv_msg+0x336/0xa00
     [<000000001c2241c0>] netlink_rcv_skb+0x11d/0x340
     [<0000000010588814>] netlink_unicast+0x438/0x710
     [<00000000e1a4cd5c>] netlink_sendmsg+0x788/0xc40
     [<00000000e8992d4e>] sock_sendmsg+0xb0/0xe0
     [<00000000621b8f91>] ____sys_sendmsg+0x4ff/0x6d0
     [<000000000ea26996>] ___sys_sendmsg+0x12e/0x1b0
     [<00000000684f7e25>] __sys_sendmsg+0xab/0x130
     [<000000004538b104>] do_syscall_64+0x3d/0x90
     [<0000000091ed9678>] entry_SYSCALL_64_after_hwframe+0x46/0xb0

 The Linux kernel CVE team has assigned CVE-2022-49812 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.0 with commit 279737939a8194f02fa352ab4476a1b241f44ef4 and fixed in 5.10.157 with commit 347f1793b573466424c550f2748ed837b6690fe7
 	Issue introduced in 5.0 with commit 279737939a8194f02fa352ab4476a1b241f44ef4 and fixed in 5.15.80 with commit fc16a2c81a3eb1cbba8775f5bdc67856df903a7c
 	Issue introduced in 5.0 with commit 279737939a8194f02fa352ab4476a1b241f44ef4 and fixed in 6.0.10 with commit f8926e2d2225eb7b7e11cd3fa266aaad9075b767
 	Issue introduced in 5.0 with commit 279737939a8194f02fa352ab4476a1b241f44ef4 and fixed in 6.1 with commit 9d45921ee4cb364910097e7d1b7558559c2f9fd2

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49812
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/bridge/br_vlan.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/347f1793b573466424c550f2748ed837b6690fe7
 	https://git.kernel.org/stable/c/fc16a2c81a3eb1cbba8775f5bdc67856df903a7c
 	https://git.kernel.org/stable/c/f8926e2d2225eb7b7e11cd3fa266aaad9075b767
 	https://git.kernel.org/stable/c/9d45921ee4cb364910097e7d1b7558559c2f9fd2
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49812: bridge: switchdev: Fix memory leaks when changing VLAN protocol

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bridge: switchdev: Fix memory leaks when changing VLAN protocol

	The bridge driver can offload VLANs to the underlying hardware either
	via switchdev or the 8021q driver. When the former is used, the VLAN is
	marked in the bridge driver with the 'BR_VLFLAG_ADDED_BY_SWITCHDEV'
	private flag.

	To avoid the memory leaks mentioned in the cited commit, the bridge
	driver will try to delete a VLAN via the 8021q driver if the VLAN is not
	marked with the previously mentioned flag.

	When the VLAN protocol of the bridge changes, switchdev drivers are
	notified via the 'SWITCHDEV_ATTR_ID_BRIDGE_VLAN_PROTOCOL' attribute, but
	the 8021q driver is also called to add the existing VLANs with the new
	protocol and delete them with the old protocol.

	In case the VLANs were offloaded via switchdev, the above behavior is
	both redundant and buggy. Redundant because the VLANs are already
	programmed in hardware and drivers that support VLAN protocol change
	(currently only mlx5) change the protocol upon the switchdev attribute
	notification. Buggy because the 8021q driver is called despite these
	VLANs being marked with 'BR_VLFLAG_ADDED_BY_SWITCHDEV'. This leads to
	memory leaks [1] when the VLANs are deleted.

	Fix by not calling the 8021q driver for VLANs that were already
	programmed via switchdev.

	[1]
	unreferenced object 0xffff8881f6771200 (size 256):
	comm "ip", pid 446855, jiffies 4298238841 (age 55.240s)
	hex dump (first 32 bytes):
	00 00 7f 0e 83 88 ff ff 00 00 00 00 00 00 00 00 ................
	00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
	backtrace:
	[<00000000012819ac>] vlan_vid_add+0x437/0x750
	[<00000000f2281fad>] __br_vlan_set_proto+0x289/0x920
	[<000000000632b56f>] br_changelink+0x3d6/0x13f0
	[<0000000089d25f04>] __rtnl_newlink+0x8ae/0x14c0
	[<00000000f6276baf>] rtnl_newlink+0x5f/0x90
	[<00000000746dc902>] rtnetlink_rcv_msg+0x336/0xa00
	[<000000001c2241c0>] netlink_rcv_skb+0x11d/0x340
	[<0000000010588814>] netlink_unicast+0x438/0x710
	[<00000000e1a4cd5c>] netlink_sendmsg+0x788/0xc40
	[<00000000e8992d4e>] sock_sendmsg+0xb0/0xe0
	[<00000000621b8f91>] ____sys_sendmsg+0x4ff/0x6d0
	[<000000000ea26996>] ___sys_sendmsg+0x12e/0x1b0
	[<00000000684f7e25>] __sys_sendmsg+0xab/0x130
	[<000000004538b104>] do_syscall_64+0x3d/0x90
	[<0000000091ed9678>] entry_SYSCALL_64_after_hwframe+0x46/0xb0

	The Linux kernel CVE team has assigned CVE-2022-49812 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.0 with commit 279737939a8194f02fa352ab4476a1b241f44ef4 and fixed in 5.10.157 with commit 347f1793b573466424c550f2748ed837b6690fe7
	Issue introduced in 5.0 with commit 279737939a8194f02fa352ab4476a1b241f44ef4 and fixed in 5.15.80 with commit fc16a2c81a3eb1cbba8775f5bdc67856df903a7c
	Issue introduced in 5.0 with commit 279737939a8194f02fa352ab4476a1b241f44ef4 and fixed in 6.0.10 with commit f8926e2d2225eb7b7e11cd3fa266aaad9075b767
	Issue introduced in 5.0 with commit 279737939a8194f02fa352ab4476a1b241f44ef4 and fixed in 6.1 with commit 9d45921ee4cb364910097e7d1b7558559c2f9fd2

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49812
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/bridge/br_vlan.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/347f1793b573466424c550f2748ed837b6690fe7
	https://git.kernel.org/stable/c/fc16a2c81a3eb1cbba8775f5bdc67856df903a7c
	https://git.kernel.org/stable/c/f8926e2d2225eb7b7e11cd3fa266aaad9075b767
	https://git.kernel.org/stable/c/9d45921ee4cb364910097e7d1b7558559c2f9fd2