NVD Vulnerability Detail
Search Exploit, PoC
CVE-2022-48925
Summary

In the Linux kernel, the following vulnerability has been resolved:

RDMA/cma: Do not change route.addr.src_addr outside state checks

If the state is not idle then resolve_prepare_src() should immediately
fail and no change to global state should happen. However, it
unconditionally overwrites the src_addr trying to build a temporary any
address.

For instance if the state is already RDMA_CM_LISTEN then this will corrupt
the src_addr and would cause the test in cma_cancel_operation():

if (cma_any_addr(cma_src_addr(id_priv)) && !id_priv->cma_dev)

Which would manifest as this trace from syzkaller:

BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0 lib/list_debug.c:26
Read of size 8 at addr ffff8881546491e0 by task syz-executor.1/32204

CPU: 1 PID: 32204 Comm: syz-executor.1 Not tainted 5.12.0-rc8-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:79 [inline]
dump_stack+0x141/0x1d7 lib/dump_stack.c:120
print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232
__kasan_report mm/kasan/report.c:399 [inline]
kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
__list_add_valid+0x93/0xa0 lib/list_debug.c:26
__list_add include/linux/list.h:67 [inline]
list_add_tail include/linux/list.h:100 [inline]
cma_listen_on_all drivers/infiniband/core/cma.c:2557 [inline]
rdma_listen+0x787/0xe00 drivers/infiniband/core/cma.c:3751
ucma_listen+0x16a/0x210 drivers/infiniband/core/ucma.c:1102
ucma_write+0x259/0x350 drivers/infiniband/core/ucma.c:1732
vfs_write+0x28e/0xa30 fs/read_write.c:603
ksys_write+0x1ee/0x250 fs/read_write.c:658
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xae

This is indicating that an rdma_id_private was destroyed without doing
cma_cancel_listens().

Instead of trying to re-use the src_addr memory to indirectly create an
any address derived from the dst build one explicitly on the stack and
bind to that as any other normal flow would do. rdma_bind_addr() will copy
it over the src_addr once it knows the state is valid.

This is similar to commit bc0bdc5afaa7 ("RDMA/cma: Do not change
route.addr.src_addr.ss_family")

Publication Date Aug. 22, 2024, 11:15 a.m.
Registration Date Aug. 26, 2024, 4:57 p.m.
Last Update Aug. 23, 2024, 11:07 a.m.
CVSS3.1 : HIGH
スコア 7.8
Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
攻撃元区分(AV) ローカル
攻撃条件の複雑さ(AC)
攻撃に必要な特権レベル(PR)
利用者の関与(UI) 不要
影響の想定範囲(S) 変更なし
機密性への影響(C)
完全性への影響(I)
可用性への影響(A)
Affected software configurations
Configuration1 or higher or less more than less than
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 5.16.12
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 5.15.26
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.10 5.10.103
Related information, measures and tools
Common Vulnerabilities List
JVN Vulnerability Information
Linux の Linux Kernel における解放済みメモリの使用に関する脆弱性
Title Linux の Linux Kernel における解放済みメモリの使用に関する脆弱性
Summary

Linux の Linux Kernel には、解放済みメモリの使用に関する脆弱性が存在します。

Possible impacts 情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。 
Solution

ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date Feb. 25, 2022, midnight
Registration Date Aug. 26, 2024, 4:48 p.m.
Last Update Aug. 26, 2024, 4:48 p.m.
Affected System
Linux
Linux Kernel 5.10 以上 5.10.103 未満
Linux Kernel 5.11 以上 5.15.26 未満
Linux Kernel 5.16 以上 5.16.12 未満
CVE (情報セキュリティ 共通脆弱性識別子)
CWE (共通脆弱性タイプ一覧)
ベンダー情報
Change Log
No Changed Details Date of change
1 [2024年08月26日]   掲載 Aug. 26, 2024, 1:51 p.m.