CVE-2022-49017

Summary

In the Linux kernel, the following vulnerability has been resolved:

tipc: re-fetch skb cb after tipc_msg_validate

As the call trace shows, the original skb was freed in tipc_msg_validate(), and dereferencing the old skb cb would cause an use-after-free crash.

BUG: KASAN: use-after-free in tipc_crypto_rcv_complete+0x1835/0x2240 [tipc] Call Trace: <IRQ> tipc_crypto_rcv_complete+0x1835/0x2240 [tipc] tipc_crypto_rcv+0xd32/0x1ec0 [tipc] tipc_rcv+0x744/0x1150 [tipc] … Allocated by task 47078: kmem_cache_alloc_node+0x158/0x4d0 __alloc_skb+0x1c1/0x270 tipc_buf_acquire+0x1e/0xe0 [tipc] tipc_msg_create+0x33/0x1c0 [tipc] tipc_link_build_proto_msg+0x38a/0x2100 [tipc] tipc_link_timeout+0x8b8/0xef0 [tipc] tipc_node_timeout+0x2a1/0x960 [tipc] call_timer_fn+0x2d/0x1c0 … Freed by task 47078: tipc_msg_validate+0x7b/0x440 [tipc] tipc_crypto_rcv_complete+0x4b5/0x2240 [tipc] tipc_crypto_rcv+0xd32/0x1ec0 [tipc] tipc_rcv+0x744/0x1150 [tipc]

This patch fixes it by re-fetching the skb cb from the new allocated skb after calling tipc_msg_validate().

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxfc1b6d6de2208774efd2a20bf0daddb02d18b1e0 < a1ba595e35aa3afbe417ff0af353afb9f65559c0affected
LinuxLinuxfc1b6d6de2208774efd2a20bf0daddb02d18b1e0 < 1daec0815655e110c6f206c5e777a4af8168ff58affected
LinuxLinuxfc1b6d6de2208774efd2a20bf0daddb02d18b1e0 < e128190adb2edfd5042105b5d1ed4553f295f5efaffected
LinuxLinuxfc1b6d6de2208774efd2a20bf0daddb02d18b1e0 < 3067bc61fcfe3081bf4807ce65560f499e895e77affected
LinuxLinux5.5affected
LinuxLinux0 < 5.5unaffected
LinuxLinux5.10.158 <= 5.10.*unaffected
LinuxLinux5.15.82 <= 5.15.*unaffected
LinuxLinux6.0.12 <= 6.0.*unaffected
LinuxLinux6.1 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References