CVE-2022-48914

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48914
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48914.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-48914
Downstream
Related
Published
2024-08-22T01:32:07Z
Modified
2025-10-08T07:25:33.910115Z
Summary
xen/netfront: destroy queues before real_num_tx_queues is zeroed
Details

In the Linux kernel, the following vulnerability has been resolved:

xen/netfront: destroy queues before realnumtx_queues is zeroed

xennetdestroyqueues() relies on info->netdev->realnumtxqueues to delete queues. Since d7dac083414eb5bb99a6d2ed53dc2c1b405224e5 ("net-sysfs: update the queue counts in the unregistration path"), unregisternetdev() indirectly sets realnumtxqueues to 0. Those two facts together means, that xennetdestroyqueues() called from xennetremove() cannot do its job, because it's called after unregister_netdev(). This results in kfree-ing queues that are still linked in napi, which ultimately crashes:

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 1 PID: 52 Comm: xenwatch Tainted: G        W         5.16.10-1.32.fc32.qubes.x86_64+ #226
RIP: 0010:free_netdev+0xa3/0x1a0
Code: ff 48 89 df e8 2e e9 00 00 48 8b 43 50 48 8b 08 48 8d b8 a0 fe ff ff 48 8d a9 a0 fe ff ff 49 39 c4 75 26 eb 47 e8 ed c1 66 ff <48> 8b 85 60 01 00 00 48 8d 95 60 01 00 00 48 89 ef 48 2d 60 01 00
RSP: 0000:ffffc90000bcfd00 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff88800edad000 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffffc90000bcfc30 RDI: 00000000ffffffff
RBP: fffffffffffffea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff88800edad050
R13: ffff8880065f8f88 R14: 0000000000000000 R15: ffff8880066c6680
FS:  0000000000000000(0000) GS:ffff8880f3300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000e998c006 CR4: 00000000003706e0
Call Trace:
 <TASK>
 xennet_remove+0x13d/0x300 [xen_netfront]
 xenbus_dev_remove+0x6d/0xf0
 __device_release_driver+0x17a/0x240
 device_release_driver+0x24/0x30
 bus_remove_device+0xd8/0x140
 device_del+0x18b/0x410
 ? _raw_spin_unlock+0x16/0x30
 ? klist_iter_exit+0x14/0x20
 ? xenbus_dev_request_and_reply+0x80/0x80
 device_unregister+0x13/0x60
 xenbus_dev_changed+0x18e/0x1f0
 xenwatch_thread+0xc0/0x1a0
 ? do_wait_intr_irq+0xa0/0xa0
 kthread+0x16b/0x190
 ? set_kthread_struct+0x40/0x40
 ret_from_fork+0x22/0x30
 </TASK>

Fix this by calling xennetdestroyqueues() from xennetuninit(), when realnumtxqueues is still available. This ensures that queues are destroyed when realnumtxqueues is set to 0, regardless of how unregisternetdev() was called.

Originally reported at https://github.com/QubesOS/qubes-issues/issues/7257

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
35cad2003b6447932cfe91f795090586306738e8
Fixed
198cdc287769c717dafff5887c6125cb7a373bf3
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a5d8e6189b134f5db61be5cd59cf5a74bb01edc7
Fixed
b40c912624775a21da32d1105e158db5f6d0554a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
443133330a5d4a3fd429179d460cc297724fefe8
Fixed
a1753d5c29a6fb9a8966dcf04cb4f3b71e303ae8
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0abd3f9903fae6ecf8db3c89a459971fe7925499
Fixed
a63eb1e4a2e1a191a90217871e67fba42fd39255
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c5eb468cbc1fa663bf0cc6c5360802dea4e611c2
Fixed
47e2f166ed9fe17f24561d6315be2228f6a90209
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d7dac083414eb5bb99a6d2ed53dc2c1b405224e5
Fixed
dcf4ff7a48e7598e6b10126cc02177abb8ae4f3f

Affected versions

v4.*

v4.19.226
v4.19.227
v4.19.228
v4.19.229
v4.19.230
v4.19.231
v4.19.232

v5.*

v5.10.100
v5.10.101
v5.10.102
v5.10.103
v5.10.94
v5.10.95
v5.10.96
v5.10.97
v5.10.98
v5.10.99
v5.15.17
v5.15.18
v5.15.19
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.16
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.16.10
v5.16.11
v5.16.12
v5.16.3
v5.16.4
v5.16.5
v5.16.6
v5.16.7
v5.16.8
v5.16.9
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.4.174
v5.4.175
v5.4.176
v5.4.177
v5.4.178
v5.4.179
v5.4.180
v5.4.181
v5.4.182

Database specific

{
    "vanir_signatures": [
        {
            "signature_type": "Line",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drivers/net/xen-netfront.c"
            },
            "id": "CVE-2022-48914-9823ddd0",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "91282757165572618407145085428448562819",
                    "34835239244945355582512927240349772126",
                    "161581451454744350725754407621747362744",
                    "181709693611658306396183176077580589410",
                    "15167267701820294832925215675433920261",
                    "161625439809902087713147088331408132610",
                    "301293275020058625047435043520171353446",
                    "185475896819661913330866327776359799136",
                    "288555709398420854769930075497440632075",
                    "8471621246362709040295535000972160941",
                    "205014976149589910827175540409724297629",
                    "101307716898420235474301820347948946397",
                    "156172403437840850040802947769478902936",
                    "294279923599632567330581363453741477512",
                    "53773938510478671745444607482708569374",
                    "313356804132767249900706369334397787924",
                    "213594148351495149887047801261532321175",
                    "207219391615202565377495737911611470517",
                    "241718959110230583850114508765637118261",
                    "230126639208885231350011096512200113781",
                    "205375530805805371966674376904606287945",
                    "323290291815809918232876991619680003442"
                ]
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a1753d5c29a6fb9a8966dcf04cb4f3b71e303ae8"
        },
        {
            "signature_type": "Line",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drivers/net/xen-netfront.c"
            },
            "id": "CVE-2022-48914-9bb61149",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "91282757165572618407145085428448562819",
                    "34835239244945355582512927240349772126",
                    "161581451454744350725754407621747362744",
                    "181709693611658306396183176077580589410",
                    "15167267701820294832925215675433920261",
                    "161625439809902087713147088331408132610",
                    "301293275020058625047435043520171353446",
                    "185475896819661913330866327776359799136",
                    "288555709398420854769930075497440632075",
                    "8471621246362709040295535000972160941",
                    "205014976149589910827175540409724297629",
                    "101307716898420235474301820347948946397",
                    "156172403437840850040802947769478902936",
                    "294279923599632567330581363453741477512",
                    "53773938510478671745444607482708569374",
                    "313356804132767249900706369334397787924",
                    "213594148351495149887047801261532321175",
                    "207219391615202565377495737911611470517",
                    "241718959110230583850114508765637118261",
                    "230126639208885231350011096512200113781",
                    "205375530805805371966674376904606287945",
                    "323290291815809918232876991619680003442"
                ]
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dcf4ff7a48e7598e6b10126cc02177abb8ae4f3f"
        },
        {
            "signature_type": "Line",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drivers/net/xen-netfront.c"
            },
            "id": "CVE-2022-48914-ad98e23b",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "91282757165572618407145085428448562819",
                    "34835239244945355582512927240349772126",
                    "161581451454744350725754407621747362744",
                    "133367074515573985246870376643408537096",
                    "9037817855154853748241078396083020146",
                    "87865067507345152806811761145011746200",
                    "301293275020058625047435043520171353446",
                    "185475896819661913330866327776359799136",
                    "288555709398420854769930075497440632075",
                    "8471621246362709040295535000972160941",
                    "205014976149589910827175540409724297629",
                    "101307716898420235474301820347948946397",
                    "156172403437840850040802947769478902936",
                    "294279923599632567330581363453741477512",
                    "53773938510478671745444607482708569374",
                    "313356804132767249900706369334397787924",
                    "213594148351495149887047801261532321175",
                    "207219391615202565377495737911611470517",
                    "241718959110230583850114508765637118261",
                    "217537991165297481988044206633966611211",
                    "236851007899055756328737785217575441547",
                    "80038643841898276911449390652279571201"
                ]
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b40c912624775a21da32d1105e158db5f6d0554a"
        },
        {
            "signature_type": "Line",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drivers/net/xen-netfront.c"
            },
            "id": "CVE-2022-48914-b79a796b",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "91282757165572618407145085428448562819",
                    "34835239244945355582512927240349772126",
                    "161581451454744350725754407621747362744",
                    "181709693611658306396183176077580589410",
                    "15167267701820294832925215675433920261",
                    "161625439809902087713147088331408132610",
                    "301293275020058625047435043520171353446",
                    "185475896819661913330866327776359799136",
                    "288555709398420854769930075497440632075",
                    "8471621246362709040295535000972160941",
                    "205014976149589910827175540409724297629",
                    "101307716898420235474301820347948946397",
                    "156172403437840850040802947769478902936",
                    "294279923599632567330581363453741477512",
                    "53773938510478671745444607482708569374",
                    "313356804132767249900706369334397787924",
                    "213594148351495149887047801261532321175",
                    "207219391615202565377495737911611470517",
                    "241718959110230583850114508765637118261",
                    "230126639208885231350011096512200113781",
                    "205375530805805371966674376904606287945",
                    "323290291815809918232876991619680003442"
                ]
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@47e2f166ed9fe17f24561d6315be2228f6a90209"
        },
        {
            "signature_type": "Line",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drivers/net/xen-netfront.c"
            },
            "id": "CVE-2022-48914-d65449dd",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "91282757165572618407145085428448562819",
                    "34835239244945355582512927240349772126",
                    "161581451454744350725754407621747362744",
                    "181709693611658306396183176077580589410",
                    "15167267701820294832925215675433920261",
                    "161625439809902087713147088331408132610",
                    "301293275020058625047435043520171353446",
                    "185475896819661913330866327776359799136",
                    "288555709398420854769930075497440632075",
                    "8471621246362709040295535000972160941",
                    "205014976149589910827175540409724297629",
                    "101307716898420235474301820347948946397",
                    "156172403437840850040802947769478902936",
                    "294279923599632567330581363453741477512",
                    "53773938510478671745444607482708569374",
                    "313356804132767249900706369334397787924",
                    "213594148351495149887047801261532321175",
                    "207219391615202565377495737911611470517",
                    "241718959110230583850114508765637118261",
                    "230126639208885231350011096512200113781",
                    "205375530805805371966674376904606287945",
                    "323290291815809918232876991619680003442"
                ]
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a63eb1e4a2e1a191a90217871e67fba42fd39255"
        },
        {
            "signature_type": "Line",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "drivers/net/xen-netfront.c"
            },
            "id": "CVE-2022-48914-f56c989f",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "91282757165572618407145085428448562819",
                    "34835239244945355582512927240349772126",
                    "161581451454744350725754407621747362744",
                    "133367074515573985246870376643408537096",
                    "9037817855154853748241078396083020146",
                    "87865067507345152806811761145011746200",
                    "301293275020058625047435043520171353446",
                    "185475896819661913330866327776359799136",
                    "288555709398420854769930075497440632075",
                    "8471621246362709040295535000972160941",
                    "205014976149589910827175540409724297629",
                    "101307716898420235474301820347948946397",
                    "156172403437840850040802947769478902936",
                    "294279923599632567330581363453741477512",
                    "53773938510478671745444607482708569374",
                    "313356804132767249900706369334397787924",
                    "213594148351495149887047801261532321175",
                    "207219391615202565377495737911611470517",
                    "241718959110230583850114508765637118261",
                    "217537991165297481988044206633966611211",
                    "236851007899055756328737785217575441547",
                    "80038643841898276911449390652279571201"
                ]
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@198cdc287769c717dafff5887c6125cb7a373bf3"
        }
    ]
}

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.19.226
Fixed
4.19.233
Type
ECOSYSTEM
Events
Introduced
5.4.174
Fixed
5.4.183
Type
ECOSYSTEM
Events
Introduced
5.10.94
Fixed
5.10.104
Type
ECOSYSTEM
Events
Introduced
5.15.17
Fixed
5.15.27
Type
ECOSYSTEM
Events
Introduced
5.16.3
Fixed
5.16.13