CVE-2022-48969

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-48969

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48969.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-48969

Related

Published

2024-10-21T20:15:09Z

Modified

2024-10-25T22:45:52.875564Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved:

xen-netfront: Fix NULL sring after live migration

A NAPI is setup for each network sring to poll data to kernel The sring with source host is destroyed before live migration and new sring with target host is setup after live migration. The NAPI for the old sring is not deleted until setup new sring with target host after migration. With busypoll/busyread enabled, the NAPI can be polled before got deleted when resume VM.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 IP: xennetpoll+0xae/0xd20 PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI Call Trace: finishtaskswitch+0x71/0x230 timerqueuedel+0x1d/0x40 hrtimertrytocancel+0xb5/0x110 xennetallocrxbuffers+0x2a0/0x2a0 napibusyloop+0xdb/0x270 sockpoll+0x87/0x90 dosyspoll+0x26f/0x580 tracingmapinsert+0x1d4/0x2f0 eventhist_trigger+0x14a/0x260

finishtaskswitch+0x71/0x230 _schedule+0x256/0x890 recalcsigpending+0x1b/0x50 xenschedclock+0x15/0x20 _rbreservenext+0x12d/0x140 ringbufferlockreserve+0x123/0x3d0 eventtriggerscall+0x87/0xb0 traceeventbuffercommit+0x1c4/0x210 xenclocksourcegetcycles+0x15/0x20 ktimegetts64+0x51/0xf0 SySppoll+0x160/0x1a0 SySppoll+0x160/0x1a0 dosyscall64+0x73/0x130 entrySYSCALL64afterhwframe+0x41/0xa6 ... RIP: xennet_poll+0xae/0xd20 RSP: ffffb4f041933900 CR2: 0000000000000008 ---[ end trace f8601785b354351c ]---

xen frontend should remove the NAPIs for the old srings before live migration as the bond srings are destroyed

There is a tiny window between the srings are set to NULL and the NAPIs are disabled, It is safe as the NAPI threads are still frozen at that time

References

Affected packages

Debian:11 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.10.162-1

Affected versions

5.*

5.10.46-4

5.10.46-5

5.10.70-1~bpo10+1

5.10.70-1

5.10.84-1

5.10.92-1~bpo10+1

5.10.92-1

5.10.92-2

5.10.103-1~bpo10+1

5.10.103-1

5.10.106-1

5.10.113-1

5.10.120-1~bpo10+1

5.10.120-1

5.10.127-1

5.10.127-2~bpo10+1

5.10.127-2

5.10.136-1

5.10.140-1

5.10.148-1

5.10.149-1

5.10.149-2

5.10.158-1

5.10.158-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.1.4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.1.4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}