CVE-2022-50569

Summary

In the Linux kernel, the following vulnerability has been resolved:

xfrm: Update ipcomp_scratches with NULL when freed

Currently if ipcomp_alloc_scratches() fails to allocate memory ipcomp_scratches holds obsolete address. So when we try to free the percpu scratches using ipcomp_free_scratches() it tries to vfree non existent vm area. Described below:

static void * __percpu *ipcomp_alloc_scratches(void) { … scratches = alloc_percpu(void *); if (!scratches) return NULL; ipcomp_scratches does not know about this allocation failure. Therefore holding the old obsolete address. … }

So when we free,

static void ipcomp_free_scratches(void) { … scratches = ipcomp_scratches; Assigning obsolete address from ipcomp_scratches

    if (!scratches)
            return;

    for_each_possible_cpu(i)
           vfree(*per_cpu_ptr(scratches, i));

Trying to free non existent page, causing warning: trying to vfree existent vm area. … }

Fix this breakage by updating ipcomp_scrtches with NULL when scratches is freed

Affected Software

VendorProductVersion RangeStatus
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < debca61df6bc2f65e020656c9c5b878d6b38d30faffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < a39f456d62810c0efb43cead22f98d95b53e4b1aaffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 1e8abde895b3ac6a368cbdb372e8800c49e73a28affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 18373ed500f7cd53e24d9b0bd0f1c09d78dba87eaffected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < be81c44242b20fc3bdcc73480ef8aaee56f5d0b6affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 03155680191ef0f004b1d6a5714c5b8cd271ab61affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < f3bdba4440d82e0da2b1bfc35d3836c8a8e00677affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 2c19945ce8095d065df550e7fe350cd5cc40c6e6affected
LinuxLinux1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 8a04d2fc700f717104bfb95b0f6694e448a4537faffected
LinuxLinux2.6.12affected
LinuxLinux0 < 2.6.12unaffected
LinuxLinux4.9.331 <= 4.9.*unaffected
LinuxLinux4.14.296 <= 4.14.*unaffected
LinuxLinux4.19.262 <= 4.19.*unaffected
LinuxLinux5.4.220 <= 5.4.*unaffected
LinuxLinux5.10.150 <= 5.10.*unaffected
LinuxLinux5.15.75 <= 5.15.*unaffected
LinuxLinux5.19.17 <= 5.19.*unaffected
LinuxLinux6.0.3 <= 6.0.*unaffected
LinuxLinux6.1 <= *unaffected

Weaknesses

References