CVE-2022-49916

Summary

In the Linux kernel, the following vulnerability has been resolved:

rose: Fix NULL pointer dereference in rose_send_frame()

The syzkaller reported an issue:

KASAN: null-ptr-deref in range [0x0000000000000380-0x0000000000000387] CPU: 0 PID: 4069 Comm: kworker/0:15 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 Workqueue: rcu_gp srcu_invoke_callbacks RIP: 0010:rose_send_frame+0x1dd/0x2f0 net/rose/rose_link.c:101 Call Trace: <IRQ> rose_transmit_clear_request+0x1d5/0x290 net/rose/rose_link.c:255 rose_rx_call_request+0x4c0/0x1bc0 net/rose/af_rose.c:1009 rose_loopback_timer+0x19e/0x590 net/rose/rose_loopback.c:111 call_timer_fn+0x1a0/0x6b0 kernel/time/timer.c:1474 expire_timers kernel/time/timer.c:1519 [inline] __run_timers.part.0+0x674/0xa80 kernel/time/timer.c:1790 __run_timers kernel/time/timer.c:1768 [inline] run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803 __do_softirq+0x1d0/0x9c8 kernel/softirq.c:571 […] </IRQ>

It triggers NULL pointer dereference when 'neigh->dev->dev_addr' is called in the rose_send_frame(). It's the first occurrence of the neigh is in rose_loopback_timer() as `rose_loopback_neigh', and the 'dev' in 'rose_loopback_neigh' is initialized sa nullptr.

It had been fixed by commit 3b3fd068c56e3fbea30090859216a368398e39bf ("rose: Fix Null pointer dereference in rose_send_frame()") ever. But it's introduced by commit 3c53cd65dece47dd1f9d3a809f32e59d1d87b2b8 ("rose: check NULL rose_loopback_neigh->loopback") again.

We fix it by add NULL check in rose_transmit_clear_request(). When the 'dev' in 'neigh' is NULL, we don't reply the request and just clear it.

syzkaller don't provide repro, and I provide a syz repro like: r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000180)={'rose0\x00', 0x201}) r1 = syz_init_net_socket$rose(0xb, 0x5, 0x0) bind$rose(r1, &(0x7f00000000c0)=@full={0xb, @dev, @null, 0x0, [@null, @null, @netrom, @netrom, @default, @null]}, 0x40) connect$rose(r1, &(0x7f0000000240)=@short={0xb, @dev={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x1, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}}, 0x1c)

Affected Software

VendorProductVersion RangeStatus
LinuxLinux76885373129b13df35ecc9b4ee86ea5840f12133 < 01b9c68c121847d05a4ccef68244dadf82bfa331affected
LinuxLinuxb8f9de195d6303f52bae16c7911f35ac14ba7e3d < bbc03d74e641e824754443b908454ca9e203773eaffected
LinuxLinux0aae33feb7a56b28318f92c960a3d08d9c305984 < 5b46adfbee1e429f33b10a88d6c00fa88f3d6c77affected
LinuxLinux6e4b20d548fc97ecbdca15c8d96302ee5e3e6313 < b13be5e852b03f376058027e462fad4230240891affected
LinuxLinuxde3deadd11987070788b48825bec4647458b988d < f06186e5271b980bac03f5c97276ed0146ddc9b0affected
LinuxLinux9cf85759e104d7e9c3fd8920a554195b715d6797 < 3e2129c67daca21043a26575108f6286c85e71f6affected
LinuxLinux3c53cd65dece47dd1f9d3a809f32e59d1d87b2b8 < a601e5eded33bb88b8a42743db8fef3ad41dd97eaffected
LinuxLinux3c53cd65dece47dd1f9d3a809f32e59d1d87b2b8 < e97c089d7a49f67027395ddf70bf327eeac2611eaffected
LinuxLinux9197ca40fd9de265caedba70d0cb5814c4e45952affected
LinuxLinux4.9.327 < 4.9.333affected
LinuxLinux4.14.292 < 4.14.299affected
LinuxLinux4.19.257 < 4.19.265affected
LinuxLinux5.4.212 < 5.4.224affected
LinuxLinux5.10.140 < 5.10.154affected
LinuxLinux5.15.64 < 5.15.78affected
LinuxLinux5.19.6 < 5.20affected
LinuxLinux6.0affected
LinuxLinux0 < 6.0unaffected
LinuxLinux4.9.333 <= 4.9.*unaffected
LinuxLinux4.14.299 <= 4.14.*unaffected
LinuxLinux4.19.265 <= 4.19.*unaffected
LinuxLinux5.4.224 <= 5.4.*unaffected
LinuxLinux5.10.154 <= 5.10.*unaffected
LinuxLinux5.15.78 <= 5.15.*unaffected
LinuxLinux6.0.8 <= 6.0.*unaffected
LinuxLinux6.1 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References