CVE-2022-48925

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48925
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48925.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-48925
Downstream
Related
Published
2024-08-22T01:33:11Z
Modified
2025-10-08T07:14:27.077809Z
Summary
RDMA/cma: Do not change route.addr.src_addr outside state checks
Details

In the Linux kernel, the following vulnerability has been resolved:

RDMA/cma: Do not change route.addr.src_addr outside state checks

If the state is not idle then resolve_prepare_src() should immediately fail and no change to global state should happen. However, it unconditionally overwrites the src_addr trying to build a temporary any address.

For instance if the state is already RDMA_CM_LISTEN then this will corrupt the src_addr and would cause the test in cma_cancel_operation():

       if (cma_any_addr(cma_src_addr(id_priv)) && !id_priv->cma_dev)

Which would manifest as this trace from syzkaller:

  BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0 lib/list_debug.c:26
  Read of size 8 at addr ffff8881546491e0 by task syz-executor.1/32204

  CPU: 1 PID: 32204 Comm: syz-executor.1 Not tainted 5.12.0-rc8-syzkaller #0
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  Call Trace:
   __dump_stack lib/dump_stack.c:79 [inline]
   dump_stack+0x141/0x1d7 lib/dump_stack.c:120
   print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232
   __kasan_report mm/kasan/report.c:399 [inline]
   kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
   __list_add_valid+0x93/0xa0 lib/list_debug.c:26
   __list_add include/linux/list.h:67 [inline]
   list_add_tail include/linux/list.h:100 [inline]
   cma_listen_on_all drivers/infiniband/core/cma.c:2557 [inline]
   rdma_listen+0x787/0xe00 drivers/infiniband/core/cma.c:3751
   ucma_listen+0x16a/0x210 drivers/infiniband/core/ucma.c:1102
   ucma_write+0x259/0x350 drivers/infiniband/core/ucma.c:1732
   vfs_write+0x28e/0xa30 fs/read_write.c:603
   ksys_write+0x1ee/0x250 fs/read_write.c:658
   do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
   entry_SYSCALL_64_after_hwframe+0x44/0xae

This is indicating that an rdma_id_private was destroyed without doing cma_cancel_listens().

Instead of trying to re-use the src_addr memory to indirectly create an any address derived from the dst, build one explicitly on the stack and bind to that as any other normal flow would do. rdma_bind_addr() will copy it over the src_addr once it knows the state is valid.

This is similar to commit bc0bdc5afaa7 ("RDMA/cma: Do not change route.addr.src_addr.ss_family")
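An added example, not kernel code: a constructed user-space model in C of the ordering defect described above, showing the buggy in-place overwrite beside the fixed stack-built any-address, with the cma_cancel_operation() test applied afterwards to show why the listen entry is left dangling. Function and field names mirror the identifiers in the commit message, but the structures, the family-qualified wildcard check in cma_any_addr(), run_scenario(), struct outcome and the AF_INET/AF_INET6 scenario values (2 and 10) are assumptions of the model.

```c
/* Constructed toy model of the CVE-2022-48925 ordering defect; not kernel code. */
#include <errno.h>
#include <stdbool.h>
enum rdma_cm_state { RDMA_CM_IDLE, RDMA_CM_ADDR_BOUND, RDMA_CM_LISTEN };
struct addr_model { int family; unsigned addr; };   /* addr 0 == wildcard */
struct rdma_id_private {
    enum rdma_cm_state state;
    struct addr_model src_addr;   /* route.addr.src_addr in the kernel */
    int listen_family;            /* family the listen was registered under */
    bool has_cma_dev, on_listen_any_list; /* no device (listen on all); still linked */
};
static bool cma_comp_exch(struct rdma_id_private *id, int from, int to)
{
    if (id->state != from) return false;
    id->state = to;
    return true;
}
/* Model assumption: a wildcard is only recognised under its bound family. */
static bool cma_any_addr(const struct rdma_id_private *id)
{
    return id->src_addr.addr == 0 && id->src_addr.family == id->listen_family;
}
/* Buggy order: src_addr is rewritten in place, then the state is checked. */
static int resolve_prepare_src_buggy(struct rdma_id_private *id, int dst_family)
{
    id->src_addr.family = dst_family;   /* unconditional write to shared state */
    id->src_addr.addr = 0;
    return cma_comp_exch(id, RDMA_CM_IDLE, RDMA_CM_ADDR_BOUND) ? 0 : -EINVAL;
}
/* Fixed order: any-address built on the stack, copied only after the check. */
static int resolve_prepare_src_fixed(struct rdma_id_private *id, int dst_family)
{
    struct addr_model zero_sock = { .family = dst_family, .addr = 0 };
    if (!cma_comp_exch(id, RDMA_CM_IDLE, RDMA_CM_ADDR_BOUND))
        return -EINVAL;
    id->src_addr = zero_sock;   /* rdma_bind_addr() copies it over src_addr */
    return 0;
}
/* RDMA_CM_LISTEN test from cma_cancel_operation(): if the wildcard is no longer
 * recognised, cma_cancel_listens() is skipped and the freed id stays linked. */
struct outcome { int ret; int src_family; bool dangling; };
static struct outcome run_scenario(bool use_fix)
{
    /* constructed: AF_INET (2) wildcard listener, resolving toward AF_INET6 (10) */
    struct rdma_id_private id = { RDMA_CM_LISTEN, { 2, 0 }, 2, false, true };
    int ret = use_fix ? resolve_prepare_src_fixed(&id, 10) : resolve_prepare_src_buggy(&id, 10);
    if (cma_any_addr(&id) && !id.has_cma_dev)
        id.on_listen_any_list = false;      /* cma_cancel_listens() */
    return (struct outcome){ ret, id.src_addr.family, id.on_listen_any_list };
}
```

Both orderings reject the call with -EINVAL; only the buggy one leaves src_addr changed, which is what turns a later destroy into a skipped cma_cancel_listens().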

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
732d41c545bb359cbb8c94698bdc1f8bcf82279c
Fixed
5b1cef5798b4fd6e4fd5522e7b8a26248beeacaa
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
732d41c545bb359cbb8c94698bdc1f8bcf82279c
Fixed
00265efbd3e5705038c9492a434fda8cf960c8a2
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
732d41c545bb359cbb8c94698bdc1f8bcf82279c
Fixed
d350724795c7a48b05bf921d94699fbfecf7da0b
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
732d41c545bb359cbb8c94698bdc1f8bcf82279c
Fixed
22e9f71072fa605cbf033158db58e0790101928d

Affected versions

v5.*

v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.10.1
v5.10.10
v5.10.100
v5.10.101
v5.10.102
v5.10.11
v5.10.12
v5.10.13
v5.10.14
v5.10.15
v5.10.16
v5.10.17
v5.10.18
v5.10.19
v5.10.2
v5.10.20
v5.10.21
v5.10.22
v5.10.23
v5.10.24
v5.10.25
v5.10.26
v5.10.27
v5.10.28
v5.10.29
v5.10.3
v5.10.30
v5.10.31
v5.10.32
v5.10.33
v5.10.34
v5.10.35
v5.10.36
v5.10.37
v5.10.38
v5.10.39
v5.10.4
v5.10.40
v5.10.41
v5.10.42
v5.10.43
v5.10.44
v5.10.45
v5.10.46
v5.10.47
v5.10.48
v5.10.49
v5.10.5
v5.10.50
v5.10.51
v5.10.52
v5.10.53
v5.10.54
v5.10.55
v5.10.56
v5.10.57
v5.10.58
v5.10.59
v5.10.6
v5.10.60
v5.10.61
v5.10.62
v5.10.63
v5.10.64
v5.10.65
v5.10.66
v5.10.67
v5.10.68
v5.10.69
v5.10.7
v5.10.70
v5.10.71
v5.10.72
v5.10.73
v5.10.74
v5.10.75
v5.10.76
v5.10.77
v5.10.78
v5.10.79
v5.10.8
v5.10.80
v5.10.81
v5.10.82
v5.10.83
v5.10.84
v5.10.85
v5.10.86
v5.10.87
v5.10.88
v5.10.89
v5.10.9
v5.10.90
v5.10.91
v5.10.92
v5.10.93
v5.10.94
v5.10.95
v5.10.96
v5.10.97
v5.10.98
v5.10.99
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.3
v5.15.4
v5.15.5
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.16.1
v5.16.10
v5.16.11
v5.16.2
v5.16.3
v5.16.4
v5.16.5
v5.16.6
v5.16.7
v5.16.8
v5.16.9
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.9
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8

Database specific

{
    "vanir_signatures": [
        {
            "deprecated": false,
            "id": "CVE-2022-48925-17d32f38",
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9
            },
            "signature_type": "Line",
            "target": {
                "file": "drivers/infiniband/core/cma.c"
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@00265efbd3e5705038c9492a434fda8cf960c8a2"
        },
        {
            "deprecated": false,
            "id": "CVE-2022-48925-259a1a01",
            "signature_version": "v1",
            "digest": {
                "length": 690.0,
                "function_hash": "294985449835938570138190543338334315854"
            },
            "signature_type": "Function",
            "target": {
                "function": "cma_bind_addr",
                "file": "drivers/infiniband/core/cma.c"
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d350724795c7a48b05bf921d94699fbfecf7da0b"
        },
        {
            "deprecated": false,
            "id": "CVE-2022-48925-292fcea9",
            "signature_version": "v1",
            "digest": {
                "length": 690.0,
                "function_hash": "294985449835938570138190543338334315854"
            },
            "signature_type": "Function",
            "target": {
                "function": "cma_bind_addr",
                "file": "drivers/infiniband/core/cma.c"
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5b1cef5798b4fd6e4fd5522e7b8a26248beeacaa"
        },
        {
            "deprecated": false,
            "id": "CVE-2022-48925-3801419c",
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9
            },
            "signature_type": "Line",
            "target": {
                "file": "drivers/infiniband/core/cma.c"
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d350724795c7a48b05bf921d94699fbfecf7da0b"
        },
        {
            "deprecated": false,
            "id": "CVE-2022-48925-457eeed1",
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9
            },
            "signature_type": "Line",
            "target": {
                "file": "drivers/infiniband/core/cma.c"
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5b1cef5798b4fd6e4fd5522e7b8a26248beeacaa"
        },
        {
            "deprecated": false,
            "id": "CVE-2022-48925-7ee35375",
            "signature_version": "v1",
            "digest": {
                "length": 690.0,
                "function_hash": "294985449835938570138190543338334315854"
            },
            "signature_type": "Function",
            "target": {
                "function": "cma_bind_addr",
                "file": "drivers/infiniband/core/cma.c"
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@00265efbd3e5705038c9492a434fda8cf960c8a2"
        },
        {
            "deprecated": false,
            "id": "CVE-2022-48925-94a420b8",
            "signature_version": "v1",
            "digest": {
                "length": 690.0,
                "function_hash": "294985449835938570138190543338334315854"
            },
            "signature_type": "Function",
            "target": {
                "function": "cma_bind_addr",
                "file": "drivers/infiniband/core/cma.c"
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@22e9f71072fa605cbf033158db58e0790101928d"
        },
        {
            "deprecated": false,
            "id": "CVE-2022-48925-be8b5c3c",
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9
            },
            "signature_type": "Line",
            "target": {
                "file": "drivers/infiniband/core/cma.c"
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@22e9f71072fa605cbf033158db58e0790101928d"
        }
    ]
}

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.10.0
Fixed
5.10.103
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.26
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.16.12