CVE-2022-49014

Source
https://cve.org/CVERecord?id=CVE-2022-49014
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49014.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49014
Published
2024-10-21T20:06:24.020Z
Modified
2026-03-20T12:22:06.001312Z
Summary
net: tun: Fix use-after-free in tun_detach()
Details

In the Linux kernel, the following vulnerability has been resolved:

net: tun: Fix use-after-free in tun_detach()

syzbot reported a use-after-free in tun_detach() [1]. This causes a call trace like below:

==================================================================
BUG: KASAN: use-after-free in notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75
Read of size 8 at addr ffff88807324e2a8 by task syz-executor.0/3673

CPU: 0 PID: 3673 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller-00044-gcc675d22e422 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x15e/0x461 mm/kasan/report.c:395
 kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
 notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75
 call_netdevice_notifiers_info+0x86/0x130 net/core/dev.c:1942
 call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]
 call_netdevice_notifiers net/core/dev.c:1997 [inline]
 netdev_wait_allrefs_any net/core/dev.c:10237 [inline]
 netdev_run_todo+0xbc6/0x1100 net/core/dev.c:10351
 tun_detach drivers/net/tun.c:704 [inline]
 tun_chr_close+0xe4/0x190 drivers/net/tun.c:3467
 __fput+0x27c/0xa90 fs/file_table.c:320
 task_work_run+0x16f/0x270 kernel/task_work.c:179
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0xb3d/0x2a30 kernel/exit.c:820
 do_group_exit+0xd4/0x2a0 kernel/exit.c:950
 get_signal+0x21b1/0x2440 kernel/signal.c:2858
 arch_do_signal_or_restart+0x86/0x2300 arch/x86/kernel/signal.c:869
 exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
 exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
 do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The cause of the issue is that sock_put() from __tun_detach() drops the last reference count for struct net, and then notifier_call_chain() from netdev_state_change() accesses that struct net.

This patch fixes the issue by calling sock_put() from tun_detach() after all necessary accesses for the struct net have been done.
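
The ordering problem described in the commit message above, as an added example that is not from the kernel tree or the original record: a simplified user-space C model of the reference drop before and after the fix. The struct layouts, the `released` flag and `run_close()` are assumptions made for illustration; release is recorded in a flag instead of freeing memory so the stale access can be counted safely.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified user-space model; names mirror the commit message, not kernel code. */
struct net  { int refcnt; bool released; };
struct sock { int refcnt; struct net *net; };

static int stale_reads;   /* reads of a struct net after its last reference was dropped */

static void put_net(struct net *n) { if (--n->refcnt == 0) n->released = true; }

/* Model of sock_put(): the final socket reference also drops the hold on struct net. */
static void sock_put(struct sock *sk) { if (--sk->refcnt == 0) put_net(sk->net); }

/* Model of netdev_state_change() -> notifier_call_chain(): reads struct net. */
static void netdev_state_change(struct net *n) { if (n->released) stale_reads++; }

/* Pre-fix ordering: the reference is dropped before the notifier runs. */
static void tun_detach_buggy(struct sock *sk)
{
    struct net *n = sk->net;
    sock_put(sk);              /* last reference on struct net goes away here */
    netdev_state_change(n);    /* notifier then touches the released object */
}

/* Post-fix ordering: every access to struct net finishes before sock_put(). */
static void tun_detach_fixed(struct sock *sk)
{
    struct net *n = sk->net;
    netdev_state_change(n);
    sock_put(sk);
}

/* One close where the socket holds the last reference on struct net.
 * Returns the number of stale reads; *released reports the final state. */
int run_close(bool fixed, bool *released)
{
    struct net n = { .refcnt = 1, .released = false };
    struct sock sk = { .refcnt = 1, .net = &n };

    stale_reads = 0;
    if (fixed) tun_detach_fixed(&sk); else tun_detach_buggy(&sk);
    *released = n.released;
    return stale_reads;
}

int main(void)
{
    bool rel;
    printf("pre-fix ordering:  %d stale read(s)\n", run_close(false, &rel));
    printf("post-fix ordering: %d stale read(s)\n", run_close(true, &rel));
    return 0;
}
```

Both orderings end with the reference released; only the pre-fix ordering reads the object after that point, which is the access KASAN flagged in `notifier_call_chain()`.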

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49014.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
83c1f36f9880814b24cdf6c2f91f66f61db65326
Fixed
1f23f1890d91812c35d32eab1b49621b6d32dc7b
Fixed
16c244bc65d1175775325ec0489a5a5c830e02c7
Fixed
5f442e1d403e0496bacb74a58e2be7f500695e6f
Fixed
04b995e963229501401810dab89dc73e7f12d054
Fixed
4cde8da2d814a3b7b176db81922d4ddaad7c0f0e
Fixed
5daadc86f27ea4d691e2131c04310d0418c6cd12

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49014.json"