CVE-2022-49622

Summary

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: avoid skb access on nf_stolen

When verdict is NF_STOLEN, the skb might have been freed.

When tracing is enabled, this can result in a use-after-free:

  1. access to skb->nf_trace
  2. access to skb->mark
  3. computation of trace id
  4. dump of packet payload

To avoid 1, keep a cached copy of skb->nf_trace in the trace state struct. Refresh this copy whenever verdict is != STOLEN.

Avoid 2 by skipping skb->mark access if verdict is STOLEN.

3 is avoided by precomputing the trace id.

Only dump the packet when verdict is not "STOLEN".

Affected Software

VendorProductVersion RangeStatus
LinuxLinux5efa0fc6d7f7930b18801f07cefae8eeacd6ac02 < 0016d5d46d7440729a3132f61a8da3bf7f84e2baaffected
LinuxLinux5efa0fc6d7f7930b18801f07cefae8eeacd6ac02 < e34b9ed96ce3b06c79bf884009b16961ca478f87affected
LinuxLinux4.10affected
LinuxLinux0 < 4.10unaffected
LinuxLinux5.18.13 <= 5.18.*unaffected
LinuxLinux5.19 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References