CVE-2022-49092

In the Linux kernel, the following vulnerability has been resolved:

net: ipv4: fix route with nexthop object delete warning

FRR folks have hit a kernel warning[1] while deleting routes[2] which is caused by trying to delete a route pointing to a nexthop id without specifying nhid but matching on an interface. That is, a route is found but we hit a warning while matching it. The warning is from fibinfonh() in include/net/nexthop.h because we run it on a fibinfo with nexthop object. The call chain is: inetrtmdelroute -> fibtabledelete -> fibnhmatch (called with a nexthop fibinfo and also with fcoif set thus calling fibinfonh on the fibinfo and triggering the warning). The fix is to not do any matching in that branch if the fi has a nexthop object because those are managed separately. I.e. we should match when deleting without nh spec and should fail when deleting a nexthop route with old-style nh spec because nexthop objects are managed separately, e.g.: $ ip r show 1.2.3.4/32 1.2.3.4 nhid 12 via 192.168.11.2 dev dummy0

$ ip r del 1.2.3.4/32 $ ip r del 1.2.3.4/32 nhid 12 <both should work>

$ ip r del 1.2.3.4/32 dev dummy0 <should fail with ESRCH>

[1] [ 523.462226] ------------[ cut here ]------------ [ 523.462230] WARNING: CPU: 14 PID: 22893 at include/net/nexthop.h:468 fibnhmatch+0x210/0x460 [ 523.462236] Modules linked in: dummy rpcsecgsskrb5 xtsocket nfsocketipv4 nfsocketipv6 ip6tableraw iptableraw bpfpreload xtstatistic ipset ipvssh ipvswrr ipvsrr ipvs xtmark nftables xtnat veth nfconntracknetlink nfnetlink xtaddrtype brnetfilter overlay dmcrypt nfsv3 nfs fscache netfs vhostnet vhost vhostiotlb tap tun xtCHECKSUM xtMASQUERADE xtconntrack 8021q garp mrp iptREJECT nfrejectipv4 ip6tablemangle ip6tablenat iptablemangle iptablenat nfnat nfconntrack nfdefragipv6 nfdefragipv4 iptablefilter bridge stp llc rfcomm sndseqdummy sndhrtimer rpcrdma rdmacm iwcm ibcm ibcore ip6tablefilter xtcomment ip6tables vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) qrtr bnep binfmtmisc xfs vfat fat squashfs loop nvidiadrm(POE) nvidiamodeset(POE) nvidiauvm(POE) nvidia(POE) intelraplmsr intelraplcommon sndhdacodecrealtek sndhdacodecgeneric ledtrigaudio sndhdacodechdmi btusb btrtl iwlmvm uvcvideo btbcm sndhdaintel edacmceamd [ 523.462274] videobuf2vmalloc videobuf2memops btintel sndinteldspcfg videobuf2v4l2 sndintelsdwacpi bluetooth sndusbaudio sndhdacodec mac80211 sndusbmidilib joydev sndhdacore videobuf2common kvmamd sndrawmidi sndhwdep sndseq videodev ccp sndseqdevice libarc4 ecdhgeneric mc sndpcm kvm iwlwifi sndtimer drmkmshelper snd cfg80211 cec soundcore irqbypass rapl wmibmof i2cpiix4 rfkill k10temp pcspkr acpicpufreq nfsd authrpcgss nfsacl lockd grace sunrpc drm zram iptables crct10difpclmul crc32pclmul crc32cintel ghashclmulniintel nvme sp5100tco r8169 nvmecore wmi ipmidevintf ipmimsghandler fuse [ 523.462300] CPU: 14 PID: 22893 Comm: ip Tainted: P OE 5.16.18-200.fc35.x8664 #1 [ 523.462302] Hardware name: Micro-Star International Co., Ltd. MS-7C37/MPG X570 GAMING EDGE WIFI (MS-7C37), BIOS 1.C0 10/29/2020 [ 523.462303] RIP: 0010:fibnhmatch+0x210/0x460 [ 523.462304] Code: 7c 24 20 48 8b b5 90 00 00 00 e8 bb ee f4 ff 48 8b 7c 24 20 41 89 c4 e8 ee eb f4 ff 45 85 e4 0f 85 2e fe ff ff e9 4c ff ff ff <0f> 0b e9 17 ff ff ff 3c 0a 0f 85 61 fe ff ff 48 8b b5 98 00 00 00 [ 523.462306] RSP: 0018:ffffaa53d4d87928 EFLAGS: 00010286 [ 523.462307] RAX: 0000000000000000 RBX: ffffaa53d4d87a90 RCX: ffffaa53d4d87bb0 [ 523.462308] RDX: ffff9e3d2ee6be80 RSI: ffffaa53d4d87a90 RDI: ffffffff920ed380 [ 523.462309] RBP: ffff9e3d2ee6be80 R08: 0000000000000064 R09: 0000000000000000 [ 523.462310] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000031 [ 523.462310] R13: 0000000000000020 R14: 0000000000000000 R15: ffff9e3d331054e0 [ 523.462311] FS: 00007f2455 ---truncated---