CVE-2022-48850

Summary

In the Linux kernel, the following vulnerability has been resolved:

net-sysfs: add check for netdevice being present to speed_show

When bringing down the netdevice or system shutdown, a panic can be triggered while accessing the sysfs path because the device is already removed.

[  755.549084] mlx5_core 0000:12:00.1: Shutdown was called
[  756.404455] mlx5_core 0000:12:00.0: Shutdown was called
...
[  757.937260] BUG: unable to handle kernel NULL pointer dereference at           (null)
[  758.031397] IP: [<ffffffff8ee11acb>] dma_pool_alloc+0x1ab/0x280

crash> bt
...
PID: 12649  TASK: ffff8924108f2100  CPU: 1   COMMAND: "amsd"
...
 #9 [ffff89240e1a38b0] page_fault at ffffffff8f38c778
    [exception RIP: dma_pool_alloc+0x1ab]
    RIP: ffffffff8ee11acb  RSP: ffff89240e1a3968  RFLAGS: 00010046
    RAX: 0000000000000246  RBX: ffff89243d874100  RCX: 0000000000001000
    RDX: 0000000000000000  RSI: 0000000000000246  RDI: ffff89243d874090
    RBP: ffff89240e1a39c0   R8: 000000000001f080   R9: ffff8905ffc03c00
    R10: ffffffffc04680d4  R11: ffffffff8edde9fd  R12: 00000000000080d0
    R13: ffff89243d874090  R14: ffff89243d874080  R15: 0000000000000000
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
#10 [ffff89240e1a39c8] mlx5_alloc_cmd_msg at ffffffffc04680f3 [mlx5_core]
#11 [ffff89240e1a3a18] cmd_exec at ffffffffc046ad62 [mlx5_core]
#12 [ffff89240e1a3ab8] mlx5_cmd_exec at ffffffffc046b4fb [mlx5_core]
#13 [ffff89240e1a3ae8] mlx5_core_access_reg at ffffffffc0475434 [mlx5_core]
#14 [ffff89240e1a3b40] mlx5e_get_fec_caps at ffffffffc04a7348 [mlx5_core]
#15 [ffff89240e1a3bb0] get_fec_supported_advertised at ffffffffc04992bf [mlx5_core]
#16 [ffff89240e1a3c08] mlx5e_get_link_ksettings at ffffffffc049ab36 [mlx5_core]
#17 [ffff89240e1a3ce8] __ethtool_get_link_ksettings at ffffffff8f25db46
#18 [ffff89240e1a3d48] speed_show at ffffffff8f277208
#19 [ffff89240e1a3dd8] dev_attr_show at ffffffff8f0b70e3
#20 [ffff89240e1a3df8] sysfs_kf_seq_show at ffffffff8eedbedf
#21 [ffff89240e1a3e18] kernfs_seq_show at ffffffff8eeda596
#22 [ffff89240e1a3e28] seq_read at ffffffff8ee76d10
#23 [ffff89240e1a3e98] kernfs_fop_read at ffffffff8eedaef5
#24 [ffff89240e1a3ed8] vfs_read at ffffffff8ee4e3ff
#25 [ffff89240e1a3f08] sys_read at ffffffff8ee4f27f
#26 [ffff89240e1a3f50] system_call_fastpath at ffffffff8f395f92

crash> net_device.state ffff89443b0c0000
  state = 0x5  (__LINK_STATE_START| __LINK_STATE_NOCARRIER)

To prevent this scenario, we also make sure that the netdevice is present.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxd519e17e2d01a0ee9abe083019532061b4438065 < a7b9ab04c5932dee7ec95e0abc58b0df350c0dd2affected
LinuxLinuxd519e17e2d01a0ee9abe083019532061b4438065 < 081369ad088a76429984483b8a5f7e967a125aadaffected
LinuxLinuxd519e17e2d01a0ee9abe083019532061b4438065 < 75fc8363227a999e8f3d17e2eb28dce5600dcd3faffected
LinuxLinuxd519e17e2d01a0ee9abe083019532061b4438065 < 8879b5313e9fa5e0c6d6812a0d25d83aed0110e2affected
LinuxLinuxd519e17e2d01a0ee9abe083019532061b4438065 < d15c9f6e3335002fea1c33bc8f71a705fa96976caffected
LinuxLinuxd519e17e2d01a0ee9abe083019532061b4438065 < 8d5e69d8fbf3a35ab4fbe56b8f092802b43f3ef6affected
LinuxLinuxd519e17e2d01a0ee9abe083019532061b4438065 < 3a79f380b3e10edf6caa9aac90163a5d7a282204affected
LinuxLinuxd519e17e2d01a0ee9abe083019532061b4438065 < 4224cfd7fb6523f7a9d1c8bb91bb5df1e38eb624affected
LinuxLinux2.6.33affected
LinuxLinux0 < 2.6.33unaffected
LinuxLinux4.9.307 <= 4.9.*unaffected
LinuxLinux4.14.272 <= 4.14.*unaffected
LinuxLinux4.19.235 <= 4.19.*unaffected
LinuxLinux5.4.185 <= 5.4.*unaffected
LinuxLinux5.10.106 <= 5.10.*unaffected
LinuxLinux5.15.29 <= 5.15.*unaffected
LinuxLinux5.16.15 <= 5.16.*unaffected
LinuxLinux5.17 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References