UBUNTU-CVE-2022-49390

Description

In the Linux kernel, the following vulnerability has been resolved: macsec: fix UAF bug for real_dev Create a new macsec device but not get reference to real_dev. That can not ensure that real_dev is freed after macsec. That will trigger the UAF bug for real_dev as following: ================================================================== BUG: KASAN: use-after-free in macsec_get_iflink+0x5f/0x70 drivers/net/macsec.c:3662 Call Trace: ... macsec_get_iflink+0x5f/0x70 drivers/net/macsec.c:3662 dev_get_iflink+0x73/0xe0 net/core/dev.c:637 default_operstate net/core/link_watch.c:42 [inline] rfc2863_policy+0x233/0x2d0 net/core/link_watch.c:54 linkwatch_do_dev+0x2a/0x150 net/core/link_watch.c:161 Allocated by task 22209: ... alloc_netdev_mqs+0x98/0x1100 net/core/dev.c:10549 rtnl_create_link+0x9d7/0xc00 net/core/rtnetlink.c:3235 veth_newlink+0x20e/0xa90 drivers/net/veth.c:1748 Freed by task 8: ... kfree+0xd6/0x4d0 mm/slub.c:4552 kvfree+0x42/0x50 mm/util.c:615 device_release+0x9f/0x240 drivers/base/core.c:2229 kobject_cleanup lib/kobject.c:673 [inline] kobject_release lib/kobject.c:704 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x1c8/0x540 lib/kobject.c:721 netdev_run_todo+0x72e/0x10b0 net/core/dev.c:10327 After commit faab39f63c1f ("net: allow out-of-order netdev unregistration") and commit e5f80fcf869a ("ipv6: give an IPv6 dev to blackhole_netdev"), we can add dev_hold_track() in macsec_dev_init() and dev_put_track() in macsec_free_netdev() to fix the problem.

CVSS Metrics

• v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Systems

• ubuntu•linux

  < 4.15.0-245.257 | < 5.4.0-224.244 | < 5.15.0-164.174

• ubuntu•linux-allwinner-5.19

  all

• ubuntu•linux-aws

  < 4.15.0-1187.200 | < 5.4.0-1153.163 | < 5.15.0-1098.105

• ubuntu•linux-aws-5.0

  all

• ubuntu•linux-aws-5.11

  all

• ubuntu•linux-aws-5.13

  all

• ubuntu•linux-aws-5.15

  < 5.15.0-1098.105~20.04.1

• ubuntu•linux-aws-5.19

  all

• ubuntu•linux-aws-5.3

  all

• ubuntu•linux-aws-5.4

  < 5.4.0-1153.163~18.04.1

• ubuntu•linux-aws-5.8

  all

• ubuntu•linux-aws-6.2

  all

• ubuntu•linux-aws-6.5

  all

• ubuntu•linux-aws-fips

  < 4.15.0-2125.131 | < 5.4.0-1153.163+fips1 | all | < 5.15.0-1098.105+fips1

• ubuntu•linux-aws-hwe

  < 4.15.0-1187.200~16.04.1

• ubuntu•linux-azure

  < 4.15.0-1195.210~14.04.1 | < 4.15.0-1195.210~16.04.1 | all | < 5.4.0-1156.163 | < 5.15.0-1102.111

• ubuntu•linux-azure-4.15

  < 4.15.0-1195.210

• ubuntu•linux-azure-5.11

  all

• ubuntu•linux-azure-5.13

  all

• ubuntu•linux-azure-5.15

  < 5.15.0-1102.111~20.04.1

• ubuntu•linux-azure-5.19

  all

• ubuntu•linux-azure-5.3

  all

• ubuntu•linux-azure-5.4

  < 5.4.0-1156.163~18.04.1

• ubuntu•linux-azure-5.8

  all

• ubuntu•linux-azure-6.2

  all

• ubuntu•linux-azure-6.5

  all

• ubuntu•linux-azure-edge

  all

• ubuntu•linux-azure-fde

  all | all

• ubuntu•linux-azure-fde-5.19

  all

• ubuntu•linux-azure-fde-6.2

  all

• ubuntu•linux-azure-fips

  < 4.15.0-2104.110 | < 5.4.0-1157.164+fips1 | all | < 5.15.0-1102.111+fips1

• ubuntu•linux-bluefield

  < 5.15.0-1082.84 | all | < 5.4.0-1112.119 | < 5.15.0-1082.84 | all

• ubuntu•linux-fips

  < 4.15.0-1142.154 | all | < 5.4.0-1127.137 | < 5.15.0-164.174+fips1

• ubuntu•linux-gcp

  < 4.15.0-1180.197~16.04.1 | all | < 5.4.0-1156.165 | < 5.15.0-1098.107

• ubuntu•linux-gcp-4.15

  < 4.15.0-1180.197

• ubuntu•linux-gcp-5.11

  all

• ubuntu•linux-gcp-5.13

  all

• ubuntu•linux-gcp-5.15

  < 5.15.0-1098.107~20.04.1

• ubuntu•linux-gcp-5.19

  all

• ubuntu•linux-gcp-5.3

  all

• ubuntu•linux-gcp-5.4

  < 5.4.0-1156.165~18.04.1

• ubuntu•linux-gcp-5.8

  all

• ubuntu•linux-gcp-6.2

  all

• ubuntu•linux-gcp-6.5

  all

• ubuntu•linux-gcp-fips

  < 4.15.0-2088.94 | < 5.4.0-1156.165+fips1 | all | < 5.15.0-1098.107+fips1

• ubuntu•linux-gke

  all | < 5.15.0-1094.100

• ubuntu•linux-gke-4.15

  all

• ubuntu•linux-gke-5.15

  all

• ubuntu•linux-gke-5.4

  all

• ubuntu•linux-gkeop

  all | < 5.15.0-1081.89

Showing first 50 affected entries in server-rendered view.

References (25)

• https://ubuntu.com/security/CVE-2022-49390
• https://www.cve.org/CVERecord?id=CVE-2022-49390
• https://git.kernel.org/linus/196a888ca6571deb344468e1d7138e3273206335
• https://git.kernel.org/stable/c/196a888ca6571deb344468e1d7138e3273206335
• https://git.kernel.org/stable/c/78933cbc143b82d02330e00900d2fd08f2682f4e
• https://git.kernel.org/stable/c/d130282179aa6051449ac8f8df1115769998a665
• https://ubuntu.com/security/notices/USN-7907-1
• https://ubuntu.com/security/notices/USN-7907-2
• https://ubuntu.com/security/notices/USN-7907-3
• https://ubuntu.com/security/notices/USN-7907-4
• https://ubuntu.com/security/notices/USN-7922-1
• https://ubuntu.com/security/notices/USN-7922-2
• https://ubuntu.com/security/notices/USN-7928-1
• https://ubuntu.com/security/notices/USN-7928-2
• https://ubuntu.com/security/notices/USN-7928-3
• https://ubuntu.com/security/notices/USN-7907-5
• https://ubuntu.com/security/notices/USN-7937-1
• https://ubuntu.com/security/notices/USN-7938-1
• https://ubuntu.com/security/notices/USN-7939-1
• https://ubuntu.com/security/notices/USN-7939-2
• https://ubuntu.com/security/notices/USN-7922-3
• https://ubuntu.com/security/notices/USN-7928-4
• https://ubuntu.com/security/notices/USN-7922-4
• https://ubuntu.com/security/notices/USN-7928-5
• https://ubuntu.com/security/notices/USN-7922-5