CVE-2022-49014

EUVD-2022-53898

21.10.2024, 20:15

In the Linux kernel, the following vulnerability has been resolved:

net: tun: Fix use-after-free in tun_detach()

syzbot reported use-after-free in tun_detach() [1].  This causes call
trace like below:

==================================================================
BUG: KASAN: use-after-free in notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75
Read of size 8 at addr ffff88807324e2a8 by task syz-executor.0/3673

CPU: 0 PID: 3673 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller-00044-gcc675d22e422 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x15e/0x461 mm/kasan/report.c:395
 kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
 notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75
 call_netdevice_notifiers_info+0x86/0x130 net/core/dev.c:1942
 call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]
 call_netdevice_notifiers net/core/dev.c:1997 [inline]
 netdev_wait_allrefs_any net/core/dev.c:10237 [inline]
 netdev_run_todo+0xbc6/0x1100 net/core/dev.c:10351
 tun_detach drivers/net/tun.c:704 [inline]
 tun_chr_close+0xe4/0x190 drivers/net/tun.c:3467
 __fput+0x27c/0xa90 fs/file_table.c:320
 task_work_run+0x16f/0x270 kernel/task_work.c:179
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0xb3d/0x2a30 kernel/exit.c:820
 do_group_exit+0xd4/0x2a0 kernel/exit.c:950
 get_signal+0x21b1/0x2440 kernel/signal.c:2858
 arch_do_signal_or_restart+0x86/0x2300 arch/x86/kernel/signal.c:869
 exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
 exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
 do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The cause of the issue is that sock_put() from __tun_detach() drops
last reference count for struct net, and then notifier_call_chain()
from netdev_state_change() accesses that struct net.

This patch fixes the issue by calling sock_put() from tun_detach()
after all necessary accesses for the struct net has done.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 2%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	4.17 ≤ 𝑥 < 4.19.268
linux	linux_kernel	4.20 ≤ 𝑥 < 5.4.226
linux	linux_kernel	5.5 ≤ 𝑥 < 5.10.158
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.82
linux	linux_kernel	5.16 ≤ 𝑥 < 6.0.12
linux	linux_kernel	6.1:rc1
linux	linux_kernel	6.1:rc2
linux	linux_kernel	6.1:rc3
linux	linux_kernel	6.1:rc4
linux	linux_kernel	6.1:rc5
linux	linux_kernel	6.1:rc6
linux	linux_kernel	6.1:rc7

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.106-3 fixed
bookworm (security)	6.1.112-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.226-1 fixed
sid	6.11.6-1 fixed
trixie	6.11.5-1 fixed

openSUSE / SLES Releases

openSUSE Product

Release

cluster-md-kmp-default

suse enterprise server 12 SP5

4.12.14-122.234.1

fixed

dlm-kmp-default

suse enterprise server 12 SP5

4.12.14-122.234.1

fixed

gfs2-kmp-default

suse enterprise server 12 SP5

4.12.14-122.234.1

fixed

kernel-64kb

suse enterprise desktop 15 SP5	5.14.21-150500.55.88.1 fixed
suse enterprise sap 15 SP5	5.14.21-150500.55.88.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.182.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.141.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.88.1 fixed

kernel-azure

suse enterprise sap 15 SP5	5.14.21-150500.33.72.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.33.72.1 fixed

kernel-default

suse enterprise desktop 15 SP5	5.14.21-150500.55.88.1 fixed
suse enterprise sap 15 SP5	5.14.21-150500.55.88.1 fixed
suse enterprise server 12 SP5	4.12.14-122.234.1 fixed
suse enterprise server 15 SP2	5.3.18-150200.24.209.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.182.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.141.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.88.1 fixed

kernel-default-base

suse enterprise desktop 15 SP5	5.14.21-150500.55.88.1.150500.6.39.4 fixed
suse enterprise sap 15 SP5	5.14.21-150500.55.88.1.150500.6.39.4 fixed
suse enterprise server 12 SP5	4.12.14-122.234.1 fixed
suse enterprise server 15 SP2	5.3.18-150200.24.209.1.150200.9.109.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.182.1.150300.18.107.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.141.1.150400.24.68.2 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.88.1.150500.6.39.4 fixed

kernel-default-man

suse enterprise server 12 SP5

4.12.14-122.234.1

fixed

kernel-docs

suse enterprise desktop 15 SP5	5.14.21-150500.55.88.1 fixed
suse enterprise sap 15 SP5	5.14.21-150500.55.88.1 fixed
suse enterprise server 15 SP2	5.3.18-150200.24.209.2 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.182.2 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.141.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.88.1 fixed

kernel-macros

suse enterprise desktop 15 SP5	5.14.21-150500.55.88.1 fixed
suse enterprise sap 15 SP5	5.14.21-150500.55.88.1 fixed
suse enterprise server 12 SP5	4.12.14-122.234.1 fixed
suse enterprise server 15 SP2	5.3.18-150200.24.209.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.182.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.141.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.88.1 fixed

kernel-obs-build

suse enterprise desktop 15 SP5	5.14.21-150500.55.88.1 fixed
suse enterprise sap 15 SP5	5.14.21-150500.55.88.1 fixed
suse enterprise server 15 SP2	5.3.18-150200.24.209.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.182.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.141.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.88.1 fixed

kernel-preempt

suse enterprise server 15 SP2	5.3.18-150200.24.209.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.182.1 fixed

kernel-source

suse enterprise desktop 15 SP5	5.14.21-150500.55.88.1 fixed
suse enterprise sap 15 SP5	5.14.21-150500.55.88.1 fixed
suse enterprise server 12 SP5	4.12.14-122.234.1 fixed
suse enterprise server 15 SP2	5.3.18-150200.24.209.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.182.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.141.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.88.1 fixed

kernel-source-azure

suse enterprise sap 15 SP5	5.14.21-150500.33.72.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.33.72.1 fixed

kernel-syms

suse enterprise desktop 15 SP5	5.14.21-150500.55.88.1 fixed
suse enterprise sap 15 SP5	5.14.21-150500.55.88.1 fixed
suse enterprise server 12 SP5	4.12.14-122.234.1 fixed
suse enterprise server 15 SP2	5.3.18-150200.24.209.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.182.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.141.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.88.1 fixed

kernel-syms-azure

suse enterprise sap 15 SP5	5.14.21-150500.33.72.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.33.72.1 fixed

kernel-zfcpdump

suse enterprise desktop 15 SP5	5.14.21-150500.55.88.1 fixed
suse enterprise sap 15 SP5	5.14.21-150500.55.88.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.182.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.141.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.88.1 fixed

ocfs2-kmp-default

suse enterprise server 12 SP5

4.12.14-122.234.1

fixed

reiserfs-kmp-default

suse enterprise server 15 SP2	5.3.18-150200.24.209.1 fixed
suse enterprise server 15 SP3	5.3.18-150300.59.182.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.141.1 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

kernel

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-64k

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-64k-core

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-64k-debug

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-64k-debug-core

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-64k-debug-devel

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-64k-debug-devel-matched

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-64k-debug-modules

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-64k-debug-modules-core

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-64k-debug-modules-extra

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-64k-devel

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-64k-devel-matched

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-64k-modules

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-64k-modules-core

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-64k-modules-extra

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-abi-stablelists

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-core

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-debug

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-debug-core

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-debug-devel

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-debug-devel-matched

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-debug-modules

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-debug-modules-core

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-debug-modules-extra

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-debug-uki-virt

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-devel

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-devel-matched

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-doc

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-modules

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-modules-core

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-modules-extra

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-rt

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-rt-64k

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-rt-64k-core

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-rt-64k-debug

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-rt-64k-debug-core

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-rt-64k-debug-devel

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-rt-64k-debug-modules

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-rt-64k-debug-modules-core

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-rt-64k-debug-modules-extra

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-rt-64k-devel

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-rt-64k-modules

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-rt-64k-modules-core

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-rt-64k-modules-extra

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-rt-core

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-rt-debug

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-rt-debug-core

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-rt-debug-devel

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-rt-debug-kvm

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-rt-debug-modules

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-rt-debug-modules-core

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-rt-debug-modules-extra

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-rt-devel

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-rt-kvm

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-rt-modules

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-rt-modules-core

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-rt-modules-extra

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-tools

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-tools-libs

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-tools-libs-devel

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-uki-virt

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-uki-virt-addons

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-zfcpdump

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-zfcpdump-core

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-zfcpdump-devel

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-zfcpdump-devel-matched

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-zfcpdump-modules

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-zfcpdump-modules-core

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

kernel-zfcpdump-modules-extra

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

libperf

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

perf

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

python3-perf

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

rtla

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

RHEL 9

0:5.14.0-570.12.1.el9_6

fixed

Common Weakness Enumeration

CWE-416 - Use After Free
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

References

https://git.kernel.org/stable/c/04b995e963229501401810dab89dc73e7f12d054

https://git.kernel.org/stable/c/16c244bc65d1175775325ec0489a5a5c830e02c7

https://git.kernel.org/stable/c/1f23f1890d91812c35d32eab1b49621b6d32dc7b

https://git.kernel.org/stable/c/4cde8da2d814a3b7b176db81922d4ddaad7c0f0e

https://git.kernel.org/stable/c/5daadc86f27ea4d691e2131c04310d0418c6cd12

https://git.kernel.org/stable/c/5f442e1d403e0496bacb74a58e2be7f500695e6f