CVE-2022-49667

EPSS 0.03%
Veröffentlicht 26.02.2025 07:01:41
Zuletzt bearbeitet 24.03.2025 19:07:43
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

In the Linux kernel, the following vulnerability has been resolved:

net: bonding: fix use-after-free after 802.3ad slave unbind

commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection"),
resolve case, when there is several aggregation groups in the same bond.
bond_3ad_unbind_slave will invalidate (clear) aggregator when
__agg_active_ports return zero. So, ad_clear_agg can be executed even, when
num_of_ports!=0. Than bond_3ad_unbind_slave can be executed again for,
previously cleared aggregator. NOTE: at this time bond_3ad_unbind_slave
will not update slave ports list, because lag_ports==NULL. So, here we
got slave ports, pointing to freed aggregator memory.

Fix with checking actual number of ports in group (as was before
commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection") ),
before ad_clear_agg().

The KASAN logs are as follows:

[  767.617392] ==================================================================
[  767.630776] BUG: KASAN: use-after-free in bond_3ad_state_machine_handler+0x13dc/0x1470
[  767.638764] Read of size 2 at addr ffff00011ba9d430 by task kworker/u8:7/767
[  767.647361] CPU: 3 PID: 767 Comm: kworker/u8:7 Tainted: G           O 5.15.11 #15
[  767.655329] Hardware name: DNI AmazonGo1 A7040 board (DT)
[  767.660760] Workqueue: lacp_1 bond_3ad_state_machine_handler
[  767.666468] Call trace:
[  767.668930]  dump_backtrace+0x0/0x2d0
[  767.672625]  show_stack+0x24/0x30
[  767.675965]  dump_stack_lvl+0x68/0x84
[  767.679659]  print_address_description.constprop.0+0x74/0x2b8
[  767.685451]  kasan_report+0x1f0/0x260
[  767.689148]  __asan_load2+0x94/0xd0
[  767.692667]  bond_3ad_state_machine_handler+0x13dc/0x1470

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 11

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 4.7 < 4.9.322

Linux ≫ Linux Kernel Version >= 4.10 < 4.14.287

Linux ≫ Linux Kernel Version >= 4.15 < 4.19.251

Linux ≫ Linux Kernel Version >= 4.20 < 5.4.204

Linux ≫ Linux Kernel Version >= 5.5 < 5.10.129

Linux ≫ Linux Kernel Version >= 5.11 < 5.15.53

Linux ≫ Linux Kernel Version >= 5.16 < 5.18.10

Linux ≫ Linux Kernel Version5.19 Updaterc1

Linux ≫ Linux Kernel Version5.19 Updaterc2

Linux ≫ Linux Kernel Version5.19 Updaterc3

Linux ≫ Linux Kernel Version5.19 Updaterc4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.093

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/050133e1aa2cb49bb17be847d48a4431598ef562

Patch

https://git.kernel.org/stable/c/2765749def4765c5052a4c66445cf4c96fcccdbc

Patch

https://git.kernel.org/stable/c/63b2fe509f69b90168a75e04e14573dccf7984e6

Patch

https://git.kernel.org/stable/c/893825289ba840afd86bfffcb6f7f363c73efff8

Patch

https://git.kernel.org/stable/c/a853b7a3a9fd1d74a4ccdd9cd73512b7dace2f1e

Patch

https://git.kernel.org/stable/c/b90ac60303063a43e17dd4aec159067599d255e6

Patch