CVE-2022-48914
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-48914
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48914.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-48914
- Downstream
- Related
- Published
- 2024-08-22T01:32:07Z
- Modified
- 2025-10-08T07:25:33.910115Z
- Summary
- xen/netfront: destroy queues before real_num_tx_queues is zeroed
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
xen/netfront: destroy queues before realnumtx_queues is zeroed
xennetdestroyqueues() relies on info->netdev->realnumtxqueues to delete queues. Since d7dac083414eb5bb99a6d2ed53dc2c1b405224e5 ("net-sysfs: update the queue counts in the unregistration path"), unregisternetdev() indirectly sets realnumtxqueues to 0. Those two facts together means, that xennetdestroyqueues() called from xennetremove() cannot do its job, because it's called after unregister_netdev(). This results in kfree-ing queues that are still linked in napi, which ultimately crashes:
BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 52 Comm: xenwatch Tainted: G W 5.16.10-1.32.fc32.qubes.x86_64+ #226 RIP: 0010:free_netdev+0xa3/0x1a0 Code: ff 48 89 df e8 2e e9 00 00 48 8b 43 50 48 8b 08 48 8d b8 a0 fe ff ff 48 8d a9 a0 fe ff ff 49 39 c4 75 26 eb 47 e8 ed c1 66 ff <48> 8b 85 60 01 00 00 48 8d 95 60 01 00 00 48 89 ef 48 2d 60 01 00 RSP: 0000:ffffc90000bcfd00 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88800edad000 RCX: 0000000000000000 RDX: 0000000000000001 RSI: ffffc90000bcfc30 RDI: 00000000ffffffff RBP: fffffffffffffea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: ffff88800edad050 R13: ffff8880065f8f88 R14: 0000000000000000 R15: ffff8880066c6680 FS: 0000000000000000(0000) GS:ffff8880f3300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000000e998c006 CR4: 00000000003706e0 Call Trace: <TASK> xennet_remove+0x13d/0x300 [xen_netfront] xenbus_dev_remove+0x6d/0xf0 __device_release_driver+0x17a/0x240 device_release_driver+0x24/0x30 bus_remove_device+0xd8/0x140 device_del+0x18b/0x410 ? _raw_spin_unlock+0x16/0x30 ? klist_iter_exit+0x14/0x20 ? xenbus_dev_request_and_reply+0x80/0x80 device_unregister+0x13/0x60 xenbus_dev_changed+0x18e/0x1f0 xenwatch_thread+0xc0/0x1a0 ? do_wait_intr_irq+0xa0/0xa0 kthread+0x16b/0x190 ? set_kthread_struct+0x40/0x40 ret_from_fork+0x22/0x30 </TASK>Fix this by calling xennetdestroyqueues() from xennetuninit(), when realnumtxqueues is still available. This ensures that queues are destroyed when realnumtxqueues is set to 0, regardless of how unregisternetdev() was called.
Originally reported at https://github.com/QubesOS/qubes-issues/issues/7257
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/198cdc287769c717dafff5887c6125cb7a373bf3
- https://git.kernel.org/stable/c/47e2f166ed9fe17f24561d6315be2228f6a90209
- https://git.kernel.org/stable/c/a1753d5c29a6fb9a8966dcf04cb4f3b71e303ae8
- https://git.kernel.org/stable/c/a63eb1e4a2e1a191a90217871e67fba42fd39255
- https://git.kernel.org/stable/c/b40c912624775a21da32d1105e158db5f6d0554a
- https://git.kernel.org/stable/c/dcf4ff7a48e7598e6b10126cc02177abb8ae4f3f
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced35cad2003b6447932cfe91f795090586306738e8Fixed198cdc287769c717dafff5887c6125cb7a373bf3
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduceda5d8e6189b134f5db61be5cd59cf5a74bb01edc7Fixedb40c912624775a21da32d1105e158db5f6d0554a
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced443133330a5d4a3fd429179d460cc297724fefe8Fixeda1753d5c29a6fb9a8966dcf04cb4f3b71e303ae8
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced0abd3f9903fae6ecf8db3c89a459971fe7925499Fixeda63eb1e4a2e1a191a90217871e67fba42fd39255
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc5eb468cbc1fa663bf0cc6c5360802dea4e611c2Fixed47e2f166ed9fe17f24561d6315be2228f6a90209
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedd7dac083414eb5bb99a6d2ed53dc2c1b405224e5Fixeddcf4ff7a48e7598e6b10126cc02177abb8ae4f3f
Affected versions
v4.*
v4.19.226
v4.19.227
v4.19.228
v4.19.229
v4.19.230
v4.19.231
v4.19.232
v5.*
v5.10.100
v5.10.101
v5.10.102
v5.10.103
v5.10.94
v5.10.95
v5.10.96
v5.10.97
v5.10.98
v5.10.99
v5.15.17
v5.15.18
v5.15.19
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.16
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.16.10
v5.16.11
v5.16.12
v5.16.3
v5.16.4
v5.16.5
v5.16.6
v5.16.7
v5.16.8
v5.16.9
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.4.174
v5.4.175
v5.4.176
v5.4.177
v5.4.178
v5.4.179
v5.4.180
v5.4.181
v5.4.182
Database specific
{
"vanir_signatures": [
{
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/net/xen-netfront.c"
},
"id": "CVE-2022-48914-9823ddd0",
"digest": {
"threshold": 0.9,
"line_hashes": [
"91282757165572618407145085428448562819",
"34835239244945355582512927240349772126",
"161581451454744350725754407621747362744",
"181709693611658306396183176077580589410",
"15167267701820294832925215675433920261",
"161625439809902087713147088331408132610",
"301293275020058625047435043520171353446",
"185475896819661913330866327776359799136",
"288555709398420854769930075497440632075",
"8471621246362709040295535000972160941",
"205014976149589910827175540409724297629",
"101307716898420235474301820347948946397",
"156172403437840850040802947769478902936",
"294279923599632567330581363453741477512",
"53773938510478671745444607482708569374",
"313356804132767249900706369334397787924",
"213594148351495149887047801261532321175",
"207219391615202565377495737911611470517",
"241718959110230583850114508765637118261",
"230126639208885231350011096512200113781",
"205375530805805371966674376904606287945",
"323290291815809918232876991619680003442"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a1753d5c29a6fb9a8966dcf04cb4f3b71e303ae8"
},
{
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/net/xen-netfront.c"
},
"id": "CVE-2022-48914-9bb61149",
"digest": {
"threshold": 0.9,
"line_hashes": [
"91282757165572618407145085428448562819",
"34835239244945355582512927240349772126",
"161581451454744350725754407621747362744",
"181709693611658306396183176077580589410",
"15167267701820294832925215675433920261",
"161625439809902087713147088331408132610",
"301293275020058625047435043520171353446",
"185475896819661913330866327776359799136",
"288555709398420854769930075497440632075",
"8471621246362709040295535000972160941",
"205014976149589910827175540409724297629",
"101307716898420235474301820347948946397",
"156172403437840850040802947769478902936",
"294279923599632567330581363453741477512",
"53773938510478671745444607482708569374",
"313356804132767249900706369334397787924",
"213594148351495149887047801261532321175",
"207219391615202565377495737911611470517",
"241718959110230583850114508765637118261",
"230126639208885231350011096512200113781",
"205375530805805371966674376904606287945",
"323290291815809918232876991619680003442"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dcf4ff7a48e7598e6b10126cc02177abb8ae4f3f"
},
{
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/net/xen-netfront.c"
},
"id": "CVE-2022-48914-ad98e23b",
"digest": {
"threshold": 0.9,
"line_hashes": [
"91282757165572618407145085428448562819",
"34835239244945355582512927240349772126",
"161581451454744350725754407621747362744",
"133367074515573985246870376643408537096",
"9037817855154853748241078396083020146",
"87865067507345152806811761145011746200",
"301293275020058625047435043520171353446",
"185475896819661913330866327776359799136",
"288555709398420854769930075497440632075",
"8471621246362709040295535000972160941",
"205014976149589910827175540409724297629",
"101307716898420235474301820347948946397",
"156172403437840850040802947769478902936",
"294279923599632567330581363453741477512",
"53773938510478671745444607482708569374",
"313356804132767249900706369334397787924",
"213594148351495149887047801261532321175",
"207219391615202565377495737911611470517",
"241718959110230583850114508765637118261",
"217537991165297481988044206633966611211",
"236851007899055756328737785217575441547",
"80038643841898276911449390652279571201"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b40c912624775a21da32d1105e158db5f6d0554a"
},
{
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/net/xen-netfront.c"
},
"id": "CVE-2022-48914-b79a796b",
"digest": {
"threshold": 0.9,
"line_hashes": [
"91282757165572618407145085428448562819",
"34835239244945355582512927240349772126",
"161581451454744350725754407621747362744",
"181709693611658306396183176077580589410",
"15167267701820294832925215675433920261",
"161625439809902087713147088331408132610",
"301293275020058625047435043520171353446",
"185475896819661913330866327776359799136",
"288555709398420854769930075497440632075",
"8471621246362709040295535000972160941",
"205014976149589910827175540409724297629",
"101307716898420235474301820347948946397",
"156172403437840850040802947769478902936",
"294279923599632567330581363453741477512",
"53773938510478671745444607482708569374",
"313356804132767249900706369334397787924",
"213594148351495149887047801261532321175",
"207219391615202565377495737911611470517",
"241718959110230583850114508765637118261",
"230126639208885231350011096512200113781",
"205375530805805371966674376904606287945",
"323290291815809918232876991619680003442"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@47e2f166ed9fe17f24561d6315be2228f6a90209"
},
{
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/net/xen-netfront.c"
},
"id": "CVE-2022-48914-d65449dd",
"digest": {
"threshold": 0.9,
"line_hashes": [
"91282757165572618407145085428448562819",
"34835239244945355582512927240349772126",
"161581451454744350725754407621747362744",
"181709693611658306396183176077580589410",
"15167267701820294832925215675433920261",
"161625439809902087713147088331408132610",
"301293275020058625047435043520171353446",
"185475896819661913330866327776359799136",
"288555709398420854769930075497440632075",
"8471621246362709040295535000972160941",
"205014976149589910827175540409724297629",
"101307716898420235474301820347948946397",
"156172403437840850040802947769478902936",
"294279923599632567330581363453741477512",
"53773938510478671745444607482708569374",
"313356804132767249900706369334397787924",
"213594148351495149887047801261532321175",
"207219391615202565377495737911611470517",
"241718959110230583850114508765637118261",
"230126639208885231350011096512200113781",
"205375530805805371966674376904606287945",
"323290291815809918232876991619680003442"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a63eb1e4a2e1a191a90217871e67fba42fd39255"
},
{
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "drivers/net/xen-netfront.c"
},
"id": "CVE-2022-48914-f56c989f",
"digest": {
"threshold": 0.9,
"line_hashes": [
"91282757165572618407145085428448562819",
"34835239244945355582512927240349772126",
"161581451454744350725754407621747362744",
"133367074515573985246870376643408537096",
"9037817855154853748241078396083020146",
"87865067507345152806811761145011746200",
"301293275020058625047435043520171353446",
"185475896819661913330866327776359799136",
"288555709398420854769930075497440632075",
"8471621246362709040295535000972160941",
"205014976149589910827175540409724297629",
"101307716898420235474301820347948946397",
"156172403437840850040802947769478902936",
"294279923599632567330581363453741477512",
"53773938510478671745444607482708569374",
"313356804132767249900706369334397787924",
"213594148351495149887047801261532321175",
"207219391615202565377495737911611470517",
"241718959110230583850114508765637118261",
"217537991165297481988044206633966611211",
"236851007899055756328737785217575441547",
"80038643841898276911449390652279571201"
]
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@198cdc287769c717dafff5887c6125cb7a373bf3"
}
]
}
Linux / Kernel
Package
- Name
- Kernel