CVE-2022-48935
- Source
- https://cve.org/CVERecord?id=CVE-2022-48935
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48935.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-48935
- Downstream
- Related
- Published
- 2024-08-22T03:31:29.598Z
- Modified
- 2026-03-20T12:22:01.698016Z
- Summary
- netfilter: nf_tables: unregister flowtable hooks on netns exit
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: unregister flowtable hooks on netns exit
Unregister flowtable hooks before they are releases via nftablesflowtable_destroy() otherwise hook core reports UAF.
BUG: KASAN: use-after-free in nfhookentries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142 Read of size 4 at addr ffff8880736f7438 by task syz-executor579/3666
CPU: 0 PID: 3666 Comm: syz-executor579 Not tainted 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <TASK> __dumpstack lib/dumpstack.c:88 [inline] __dumpstack lib/dumpstack.c:88 [inline] lib/dumpstack.c:106 dumpstacklvl+0x1dc/0x2d8 lib/dumpstack.c:106 lib/dumpstack.c:106 printaddress_description+0x65/0x380 mm/kasan/report.c:247 mm/kasan/report.c:247 __kasan_report mm/kasan/report.c:433 [inline] __kasanreport mm/kasan/report.c:433 [inline] mm/kasan/report.c:450 kasanreport+0x19a/0x1f0 mm/kasan/report.c:450 mm/kasan/report.c:450 nfhookentries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142 _nfregisternethook+0x27e/0x8d0 net/netfilter/core.c:429 net/netfilter/core.c:429 nfregisternethook+0xaa/0x180 net/netfilter/core.c:571 net/netfilter/core.c:571 nftregisterflowtablenethooks+0x3c5/0x730 net/netfilter/nftablesapi.c:7232 net/netfilter/nftablesapi.c:7232 nftablesnewflowtable+0x2022/0x2cf0 net/netfilter/nftablesapi.c:7430 net/netfilter/nftablesapi.c:7430 nfnetlinkrcvbatch net/netfilter/nfnetlink.c:513 [inline] nfnetlinkrcvskbbatch net/netfilter/nfnetlink.c:634 [inline] nfnetlinkrcvbatch net/netfilter/nfnetlink.c:513 [inline] net/netfilter/nfnetlink.c:652 nfnetlinkrcvskbbatch net/netfilter/nfnetlink.c:634 [inline] net/netfilter/nfnetlink.c:652 nfnetlinkrcv+0x10e6/0x2550 net/netfilter/nfnetlink.c:652 net/netfilter/nfnetlink.c:652
__nftreleasehook() calls nftunregisterflowtablenethooks() which only unregisters the hooks, then after RCU grace period, it is guaranteed that no packets add new entries to the flowtable (no flow offload rules and flowtable hooks are reachable from packet path), so it is safe to call nfflowtablefree() which cleans up the remaining entries from the flowtable (both software and hardware) and it unbinds the flowblock.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48935.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/stable/c/6069da443bf65f513bb507bb21e2f87cfb1ad0b6
- https://git.kernel.org/stable/c/8ffb8ac3448845f65634889b051bd65e4dee484b
- https://git.kernel.org/stable/c/b4fcc081e527aa2ce12e956912fc47e251f6bd27
- https://git.kernel.org/stable/c/e51f30826bc5384801df98d76109c94953d1df64
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48935.json
- https://nvd.nist.gov/vuln/detail/CVE-2022-48935
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedff4bf2f42a40e7dff28379f085b64df322c70b45Fixede51f30826bc5384801df98d76109c94953d1df64Fixed8ffb8ac3448845f65634889b051bd65e4dee484bFixedb4fcc081e527aa2ce12e956912fc47e251f6bd27Fixed6069da443bf65f513bb507bb21e2f87cfb1ad0b6