CVE-2022-48865
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-48865
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48865.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-48865
- Downstream
- Related
- Published
- 2024-07-16T13:15:13Z
- Modified
- 2025-08-09T20:01:26Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
tipc: fix kernel panic when enabling bearer
When enabling a bearer on a node, a kernel panic is observed:
[ 4.498085] RIP: 0010:tipcmonprep+0x4e/0x130 [tipc] ... [ 4.520030] Call Trace: [ 4.520689] <IRQ> [ 4.521236] tipclinkbuildprotomsg+0x375/0x750 [tipc] [ 4.522654] tipclinkbuildstatemsg+0x48/0xc0 [tipc] [ 4.524034] _tipcnodelinkup+0xd7/0x290 [tipc] [ 4.525292] tipcrcv+0x5da/0x730 [tipc] [ 4.526346] ? _netifreceiveskbcore+0xb7/0xfc0 [ 4.527601] tipcl2rcvmsg+0x5e/0x90 [tipc] [ 4.528737] _netifreceiveskblistcore+0x20b/0x260 [ 4.530068] netifreceiveskblistinternal+0x1bf/0x2e0 [ 4.531450] ? devgroreceive+0x4c2/0x680 [ 4.532512] napicompletedone+0x6f/0x180 [ 4.533570] virtnetpoll+0x29c/0x42e [virtio_net] ...
The node in question is receiving activate messages in another thread after changing bearer status to allow message sending/ receiving in current thread:
thread 1 | thread 2 -------- | -------- |tipcenablebearer() | testandsetbitlock() | tipcbearerxmitskb() | | tipcl2rcvmsg() | tipcrcv() | _tipcnodelinkup() | tipclinkbuildstatemsg() | tipclinkbuildprotomsg() | tipcmonprep() | { | ... | // null-pointer dereference | u16 gen = mon->domgen; | ... | } // Not being executed yet | tipcmoncreate() | { | ... | // allocate | mon = kzalloc(); | ... | } |
Monitoring pointer in thread 2 is dereferenced before monitoring data is allocated in thread 1. This causes kernel panic.
This commit fixes it by allocating the monitoring data before enabling the bearer to receive messages.
- References