CVE-2022-48785

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48785
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48785.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-48785
Downstream
Related
Published
2024-07-16T11:13:21Z
Modified
2025-10-15T16:18:01.741337Z
Summary
ipv6: mcast: use rcu-safe version of ipv6_get_lladdr()
Details

In the Linux kernel, the following vulnerability has been resolved:

ipv6: mcast: use rcu-safe version of ipv6getlladdr()

Some time ago 8965779d2c0e ("ipv6,mcast: always hold idev->lock before mcalock") switched ipv6getlladdr() to _ipv6getlladdr(), which is rcu-unsafe version. That was OK, because idev->lock was held for these codepaths.

In 88e2ca308094 ("mld: convert ifmcaddr6 to RCU") these external locks were removed, so we probably need to restore the original rcu-safe call.

Otherwise, we occasionally get a machine crashed/stalled with the following in dmesg:

[ 3405.966610][T230589] general protection fault, probably for non-canonical address 0xdead00000000008c: 0000 [#1] SMP NOPTI [ 3405.982083][T230589] CPU: 44 PID: 230589 Comm: kworker/44:3 Tainted: G O 5.15.19-cloudflare-2022.2.1 #1 [ 3405.998061][T230589] Hardware name: SUPA-COOL-SERV [ 3406.009552][T230589] Workqueue: mld mldifcwork [ 3406.017224][T230589] RIP: 0010:_ipv6getlladdr+0x34/0x60 [ 3406.025780][T230589] Code: 57 10 48 83 c7 08 48 89 e5 48 39 d7 74 3e 48 8d 82 38 ff ff ff eb 13 48 8b 90 d0 00 00 00 48 8d 82 38 ff ff ff 48 39 d7 74 22 <66> 83 78 32 20 77 1b 75 e4 89 ca 23 50 2c 75 dd 48 8b 50 08 48 8b [ 3406.055748][T230589] RSP: 0018:ffff94e4b3fc3d10 EFLAGS: 00010202 [ 3406.065617][T230589] RAX: dead00000000005a RBX: ffff94e4b3fc3d30 RCX: 0000000000000040 [ 3406.077477][T230589] RDX: dead000000000122 RSI: ffff94e4b3fc3d30 RDI: ffff8c3a31431008 [ 3406.089389][T230589] RBP: ffff94e4b3fc3d10 R08: 0000000000000000 R09: 0000000000000000 [ 3406.101445][T230589] R10: ffff8c3a31430000 R11: 000000000000000b R12: ffff8c2c37887100 [ 3406.113553][T230589] R13: ffff8c3a39537000 R14: 00000000000005dc R15: ffff8c3a31431000 [ 3406.125730][T230589] FS: 0000000000000000(0000) GS:ffff8c3b9fc80000(0000) knlGS:0000000000000000 [ 3406.138992][T230589] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3406.149895][T230589] CR2: 00007f0dfea1db60 CR3: 000000387b5f2000 CR4: 0000000000350ee0 [ 3406.162421][T230589] Call Trace: [ 3406.170235][T230589] <TASK> [ 3406.177736][T230589] mldnewpack+0xfe/0x1a0 [ 3406.186686][T230589] addgrhead+0x87/0xa0 [ 3406.195498][T230589] addgrec+0x485/0x4e0 [ 3406.204310][T230589] ? newidlebalance+0x126/0x3f0 [ 3406.214024][T230589] mldifcwork+0x15d/0x450 [ 3406.223279][T230589] processonework+0x1e6/0x380 [ 3406.232982][T230589] workerthread+0x50/0x3a0 [ 3406.242371][T230589] ? rescuerthread+0x360/0x360 [ 3406.252175][T230589] kthread+0x127/0x150 [ 3406.261197][T230589] ? setkthreadstruct+0x40/0x40 [ 3406.271287][T230589] retfrom_fork+0x22/0x30 [ 3406.280812][T230589] </TASK> [ 3406.288937][T230589] Modules linked in: ... [last unloaded: kheaders] [ 3406.476714][T230589] ---[ end trace 3525a7655f2f3b9e ]---

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
88e2ca3080947fe22eb520c1f8231e79a105d011
Fixed
3e11ef1903cf6c2fba35594b193a3570854d9e9e
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
88e2ca3080947fe22eb520c1f8231e79a105d011
Fixed
27f567c84f446048670376827e356f9c92033bf9
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
88e2ca3080947fe22eb520c1f8231e79a105d011
Fixed
26394fc118d6115390bd5b3a0fb17096271da227

Affected versions

v5.*

v5.12
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.3
v5.15.4
v5.15.5
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.16.1
v5.16.10
v5.16.2
v5.16.3
v5.16.4
v5.16.5
v5.16.6
v5.16.7
v5.16.8
v5.16.9
v5.17-rc1
v5.17-rc2
v5.17-rc3

Database specific

vanir_signatures

[
    {
        "id": "CVE-2022-48785-20d7128e",
        "target": {
            "file": "net/ipv6/mcast.c"
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "40653712254989641594234236244037735207",
                "238007517148589186219207721809937533408",
                "253420495470509044589602489838035824280",
                "273511798866190077439995157987207297699"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3e11ef1903cf6c2fba35594b193a3570854d9e9e",
        "deprecated": false
    },
    {
        "id": "CVE-2022-48785-47242d55",
        "target": {
            "function": "__ipv6_get_lladdr",
            "file": "net/ipv6/addrconf.c"
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "length": 344.0,
            "function_hash": "297302465527607157517678668957698727085"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3e11ef1903cf6c2fba35594b193a3570854d9e9e",
        "deprecated": false
    },
    {
        "id": "CVE-2022-48785-760f935b",
        "target": {
            "function": "mld_newpack",
            "file": "net/ipv6/mcast.c"
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "digest": {
            "length": 1152.0,
            "function_hash": "92505584319248027045909026370685921871"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3e11ef1903cf6c2fba35594b193a3570854d9e9e",
        "deprecated": false
    },
    {
        "id": "CVE-2022-48785-e1591033",
        "target": {
            "file": "include/net/addrconf.h"
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "258117306401324633991060989842757972169",
                "134832973798457406624375574544345472407",
                "299297097347730558157844384149272942217",
                "169742984028108258654556588069681950401",
                "291484938288010993338059038116738678005"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3e11ef1903cf6c2fba35594b193a3570854d9e9e",
        "deprecated": false
    },
    {
        "id": "CVE-2022-48785-f1ba1bee",
        "target": {
            "file": "net/ipv6/addrconf.c"
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "18992354224684932018235014467441935886",
                "82698098157465074822774396694608384255",
                "231614383394803367035360936642503827350",
                "258085497144734691184437504685581564939",
                "306075777558137300662298318470624004778"
            ],
            "threshold": 0.9
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3e11ef1903cf6c2fba35594b193a3570854d9e9e",
        "deprecated": false
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.13.0
Fixed
5.15.25
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.16.11