CVE-2022-49501

EUVD-2022-54728
In the Linux kernel, the following vulnerability has been resolved:

usbnet: Run unregister_netdev() before unbind() again

Commit 2c9d6c2b871d ("usbnet: run unbind() before unregister_netdev()")
sought to fix a use-after-free on disconnect of USB Ethernet adapters.

It turns out that a different fix is necessary to address the issue:
https://lore.kernel.org/netdev/18b3541e5372bc9b9fc733d422f4e698c089077c.1650177997.git.lukas@wunner.de/

So the commit was not necessary.

The commit made binding and unbinding of USB Ethernet asymmetrical:
Before, usbnet_probe() first invoked the ->bind() callback and then
register_netdev().  usbnet_disconnect() mirrored that by first invoking
unregister_netdev() and then ->unbind().

Since the commit, the order in usbnet_disconnect() is reversed and no
longer mirrors usbnet_probe().

One consequence is that a PHY disconnected (and stopped) in ->unbind()
is afterwards stopped once more by unregister_netdev() as it closes the
netdev before unregistering.  That necessitates a contortion in ->stop()
because the PHY may only be stopped if it hasn't already been
disconnected.

Reverting the commit allows making the call to phy_stop() unconditional
in ->stop().
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 33%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
𝑥
< 5.15.46
linuxlinux_kernel
5.16 ≤
𝑥
< 5.17.14
linuxlinux_kernel
5.18 ≤
𝑥
< 5.18.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.123-1
fixed
bookworm (security)
6.1.128-1
fixed
bullseye
vulnerable
bullseye (security)
vulnerable
sid
6.12.16-1
fixed
trixie
6.12.12-1
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
cluster-md-kmp-default
suse enterprise server 15 SP5
5.14.21-150500.55.100.1
fixed
dlm-kmp-default
suse enterprise server 15 SP5
5.14.21-150500.55.100.1
fixed
gfs2-kmp-default
suse enterprise server 15 SP5
5.14.21-150500.55.100.1
fixed
kernel-64kb
suse enterprise server 15 SP4
5.14.21-150400.24.158.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.100.1
fixed
kernel-default
suse enterprise server 15 SP4
5.14.21-150400.24.158.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.100.1
fixed
kernel-default-base
suse enterprise server 15 SP4
5.14.21-150400.24.158.1.150400.24.78.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.100.1.150500.6.47.1
fixed
kernel-docs
suse enterprise server 15 SP4
5.14.21-150400.24.158.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.100.1
fixed
kernel-macros
suse enterprise server 15 SP4
5.14.21-150400.24.158.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.100.1
fixed
kernel-obs-build
suse enterprise server 15 SP4
5.14.21-150400.24.158.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.100.1
fixed
kernel-source
suse enterprise server 15 SP4
5.14.21-150400.24.158.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.100.1
fixed
kernel-syms
suse enterprise server 15 SP4
5.14.21-150400.24.158.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.100.1
fixed
kernel-zfcpdump
suse enterprise server 15 SP4
5.14.21-150400.24.158.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.100.1
fixed
ocfs2-kmp-default
suse enterprise server 15 SP5
5.14.21-150500.55.100.1
fixed
reiserfs-kmp-default
suse enterprise server 15 SP4
5.14.21-150400.24.158.1
fixed
suse enterprise server 15 SP5
5.14.21-150500.55.100.1
fixed
Common Weakness Enumeration
References
https://git.kernel.org/stable/c/6d5deb242874d924beccf7eb3cef04c1c3b0da79
https://git.kernel.org/stable/c/969a1b3ea3cb7d58a16fe12fd1b04bfc0ea40509
https://git.kernel.org/stable/c/d1408f6b4dd78fb1b9e26bcf64477984e5f85409
https://git.kernel.org/stable/c/fbda837107f9bd4ec658d2aa88c6856dba606f06