CVE-2022-48912

Source
https://cve.org/CVERecord?id=CVE-2022-48912
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48912.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-48912
Published
2024-08-22T01:31:25.620Z
Modified
2026-04-11T12:43:15.280397Z
Summary
netfilter: fix use-after-free in __nf_register_net_hook()
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: fix use-after-free in __nf_register_net_hook()

We must not dereference @new_hooks after nf_hook_mutex has been released, because other threads might have freed our allocated hooks already.

BUG: KASAN: use-after-free in nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline]
BUG: KASAN: use-after-free in hooks_validate net/netfilter/core.c:171 [inline]
BUG: KASAN: use-after-free in __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438
Read of size 2 at addr ffff88801c1a8000 by task syz-executor237/4430

CPU: 1 PID: 4430 Comm: syz-executor237 Not tainted 5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline]
 hooks_validate net/netfilter/core.c:171 [inline]
 __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438
 nf_register_net_hook+0x114/0x170 net/netfilter/core.c:571
 nf_register_net_hooks+0x59/0xc0 net/netfilter/core.c:587
 nf_synproxy_ipv6_init+0x85/0xe0 net/netfilter/nf_synproxy_core.c:1218
 synproxy_tg6_check+0x30d/0x560 net/ipv6/netfilter/ip6t_SYNPROXY.c:81
 xt_check_target+0x26c/0x9e0 net/netfilter/x_tables.c:1038
 check_target net/ipv6/netfilter/ip6_tables.c:530 [inline]
 find_check_entry.constprop.0+0x7f1/0x9e0 net/ipv6/netfilter/ip6_tables.c:573
 translate_table+0xc8b/0x1750 net/ipv6/netfilter/ip6_tables.c:735
 do_replace net/ipv6/netfilter/ip6_tables.c:1153 [inline]
 do_ip6t_set_ctl+0x56e/0xb90 net/ipv6/netfilter/ip6_tables.c:1639
 nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101
 ipv6_setsockopt+0x122/0x180 net/ipv6/ipv6_sockglue.c:1024
 rawv6_setsockopt+0xd3/0x6a0 net/ipv6/raw.c:1084
 __sys_setsockopt+0x2db/0x610 net/socket.c:2180
 __do_sys_setsockopt net/socket.c:2191 [inline]
 __se_sys_setsockopt net/socket.c:2188 [inline]
 __x64_sys_setsockopt+0xba/0x150 net/socket.c:2188
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f65a1ace7d9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f65a1a7f308 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00007f65a1ace7d9
RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000003
RBP: 00007f65a1b574c8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000020000000 R11: 0000000000000246 R12: 00007f65a1b55130
R13: 00007f65a1b574c0 R14: 00007f65a1b24090 R15: 0000000000022000
 </TASK>

The buggy address belongs to the page:
page:ffffea0000706a00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1c1a8
flags: 0xfff00000000000(node=0|zone=1|last_cpupid=0x7ff)
raw: 00fff00000000000 ffffea0001c1b108 ffffea000046dd08 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 4430, ts 1061781545818, free_ts 1061791488993
 prep_new_page mm/page_alloc.c:2434 [inline]
 get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
 __alloc_pages_node include/linux/gfp.h:572 [inline]
 alloc_pages_node include/linux/gfp.h:595 [inline]
 kmalloc_large_node+0x62/0x130 mm/slub.c:4438
 __kmalloc_node+0x35a/0x4a0 mm/slub. ---truncated---

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48912.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2420b79f8c18a75ee2417cace381f4604b9b4365
Fixed
05f7927b25d2635e87267ff6c79db79fb46cf313
Fixed
bdd8fc1b826e6f23963f5bef3f7431c6188ec954
Fixed
49c24579cec41e32f13d57b337fd28fb208d4a5b
Fixed
8b0142c4143c1ca297dcf2c0cdd045d65dae2344
Fixed
bd61f192a339b1095dfd6d56073a5265934c2979
Fixed
5a8076e98dde17224dd47283b894a8b1dbe1bc72
Fixed
56763f12b0f02706576a088e85ef856deacc98a0

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48912.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.14.0
Fixed
4.14.270
Type
ECOSYSTEM
Events
Introduced
4.15.0
Fixed
4.19.233
Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.183
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.104
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.27
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.16.13

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48912.json"