CVE-2022-50135
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
RDMA/rxe: Fix BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup
The function rxe_create_qp calls rxe_qp_from_init. If some error occurs, the error handler of function rxe_qp_from_init will set both scq and rcq to NULL.
Then rxe_create_qp calls rxe_put to handle qp. In the end, rxe_qp_do_cleanup is called by rxe_put. rxe_qp_do_cleanup directly accesses scq and rcq before checking them. This will cause null-ptr-deref error.
The call graph is as below:
rxe_create_qp { … rxe_qp_from_init { … err1: … qp->rcq = NULL; <—rcq is set to NULL qp->scq = NULL; <—scq is set to NULL … }
qp_init: rxe_put{ … rxe_qp_do_cleanup { … atomic_dec(&qp->scq->num_wq); <— scq is accessed … atomic_dec(&qp->rcq->num_wq); <— rcq is accessed } }
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 4703b4f0d94a5f887297713a2f6c2916a1ef08fd < 8598b9d0a364c1663c96fc0fab9df0d36c809aea | affected |
| Linux | Linux | 4703b4f0d94a5f887297713a2f6c2916a1ef08fd < 37da51efe6eaa0560f46803c8c436a48a2084da7 | affected |
| Linux | Linux | 5.19 | affected |
| Linux | Linux | 0 < 5.19 | unaffected |
| Linux | Linux | 5.19.2 <= 5.19.* | unaffected |
| Linux | Linux | 6.0 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/8598b9d0a364c1663c96fc0fab9df0d36c809aea
- https://git.kernel.org/stable/c/37da51efe6eaa0560f46803c8c436a48a2084da7
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.