CVE-2022-48925

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48925
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48925.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-48925
Related
Published
2024-08-22T02:15:08Z
Modified
2024-09-11T04:57:06.157362Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

RDMA/cma: Do not change route.addr.src_addr outside state checks

If the state is not idle then resolve_prepare_src() should immediately fail and no change to global state should happen. However, it unconditionally overwrites the src_addr trying to build a temporary any address.

For instance if the state is already RDMA_CM_LISTEN then this will corrupt the src_addr and would cause the test in cma_cancel_operation():

       if (cma_any_addr(cma_src_addr(id_priv)) && !id_priv->cma_dev)

Which would manifest as this trace from syzkaller:

    BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0 lib/list_debug.c:26
    Read of size 8 at addr ffff8881546491e0 by task syz-executor.1/32204

    CPU: 1 PID: 32204 Comm: syz-executor.1 Not tainted 5.12.0-rc8-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:79 [inline]
     dump_stack+0x141/0x1d7 lib/dump_stack.c:120
     print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232
     __kasan_report mm/kasan/report.c:399 [inline]
     kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
     __list_add_valid+0x93/0xa0 lib/list_debug.c:26
     __list_add include/linux/list.h:67 [inline]
     list_add_tail include/linux/list.h:100 [inline]
     cma_listen_on_all drivers/infiniband/core/cma.c:2557 [inline]
     rdma_listen+0x787/0xe00 drivers/infiniband/core/cma.c:3751
     ucma_listen+0x16a/0x210 drivers/infiniband/core/ucma.c:1102
     ucma_write+0x259/0x350 drivers/infiniband/core/ucma.c:1732
     vfs_write+0x28e/0xa30 fs/read_write.c:603
     ksys_write+0x1ee/0x250 fs/read_write.c:658
     do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
     entry_SYSCALL_64_after_hwframe+0x44/0xae

This is indicating that an rdma_id_private was destroyed without doing cma_cancel_listens().

Instead of trying to re-use the src_addr memory to indirectly create an any address derived from the dst, build one explicitly on the stack and bind to that as any other normal flow would do. rdma_bind_addr() will copy it over the src_addr once it knows the state is valid.

This is similar to commit bc0bdc5afaa7 ("RDMA/cma: Do not change route.addr.src_addr.ss_family")

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.10.103-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.16.12-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
5.16.12-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}