CVE-2022-49017

BUG: KASAN: use-after-free in tipccryptorcvcomplete+0x1835/0x2240 [tipc] Call Trace: <IRQ> tipccryptorcvcomplete+0x1835/0x2240 [tipc] tipccryptorcv+0xd32/0x1ec0 [tipc] tipcrcv+0x744/0x1150 [tipc] ... Allocated by task 47078: kmemcacheallocnode+0x158/0x4d0 _allocskb+0x1c1/0x270 tipcbufacquire+0x1e/0xe0 [tipc] tipcmsgcreate+0x33/0x1c0 [tipc] tipclinkbuildprotomsg+0x38a/0x2100 [tipc] tipclinktimeout+0x8b8/0xef0 [tipc] tipcnodetimeout+0x2a1/0x960 [tipc] calltimerfn+0x2d/0x1c0 ... Freed by task 47078: tipcmsgvalidate+0x7b/0x440 [tipc] tipccryptorcvcomplete+0x4b5/0x2240 [tipc] tipccryptorcv+0xd32/0x1ec0 [tipc] tipcrcv+0x744/0x1150 [tipc]

This patch fixes it by re-fetching the skb cb from the new allocated skb after calling tipcmsgvalidate().

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49017.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

fc1b6d6de2208774efd2a20bf0daddb02d18b1e0

Fixed

a1ba595e35aa3afbe417ff0af353afb9f65559c0

Fixed

1daec0815655e110c6f206c5e777a4af8168ff58

Fixed

e128190adb2edfd5042105b5d1ed4553f295f5ef

Fixed

3067bc61fcfe3081bf4807ce65560f499e895e77

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49017.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.5.0

Fixed

5.10.158

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

5.15.82

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

6.0.12

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49017.json"