CVE-2022-50780

Source
https://cve.org/CVERecord?id=CVE-2022-50780
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50780.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-50780
Published
2025-12-24T13:06:08.552Z
Modified
2026-03-12T03:26:52.086634Z
Summary
net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed
Details

In the Linux kernel, the following vulnerability has been resolved:

net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed

When the ops_init() interface is invoked to initialize the net, but ops->init() fails, data is released. However, the ptr pointer in net->gen is invalid. In this case, when nfqnl_nf_hook_drop() is invoked to release the net, invalid address access occurs.

The process is as follows:

    setup_net()
        ops_init()
            data = kzalloc(...)    ---> alloc "data"
            net_assign_generic()   ---> assign "data" to ptr in net->gen
            ...
            ops->init()            ---> failed
            ...
            kfree(data);           ---> ptr in net->gen is invalid
        ...
        ops_exit_list()
            ...
            nfqnl_nf_hook_drop()
                *q = nfnl_queue_pernet(net)   ---> q is invalid

The following is the Call Trace information:

    BUG: KASAN: use-after-free in nfqnl_nf_hook_drop+0x264/0x280
    Read of size 8 at addr ffff88810396b240 by task ip/15855
    Call Trace:
    <TASK>
    dump_stack_lvl+0x8e/0xd1
    print_report+0x155/0x454
    kasan_report+0xba/0x1f0
    nfqnl_nf_hook_drop+0x264/0x280
    nf_queue_nf_hook_drop+0x8b/0x1b0
    __nf_unregister_net_hook+0x1ae/0x5a0
    nf_unregister_net_hooks+0xde/0x130
    ops_exit_list+0xb0/0x170
    setup_net+0x7ac/0xbd0
    copy_net_ns+0x2e6/0x6b0
    create_new_namespaces+0x382/0xa50
    unshare_nsproxy_namespaces+0xa6/0x1c0
    ksys_unshare+0x3a4/0x7e0
    __x64_sys_unshare+0x2d/0x40
    do_syscall_64+0x35/0x80
    entry_SYSCALL_64_after_hwframe+0x46/0xb0
    </TASK>

Allocated by task 15855:

    kasan_save_stack+0x1e/0x40
    kasan_set_track+0x21/0x30
    __kasan_kmalloc+0xa1/0xb0
    __kmalloc+0x49/0xb0
    ops_init+0xe7/0x410
    setup_net+0x5aa/0xbd0
    copy_net_ns+0x2e6/0x6b0
    create_new_namespaces+0x382/0xa50
    unshare_nsproxy_namespaces+0xa6/0x1c0
    ksys_unshare+0x3a4/0x7e0
    __x64_sys_unshare+0x2d/0x40
    do_syscall_64+0x35/0x80
    entry_SYSCALL_64_after_hwframe+0x46/0xb0

Freed by task 15855:

    kasan_save_stack+0x1e/0x40
    kasan_set_track+0x21/0x30
    kasan_save_free_info+0x2a/0x40
    ____kasan_slab_free+0x155/0x1b0
    slab_free_freelist_hook+0x11b/0x220
    __kmem_cache_free+0xa4/0x360
    ops_init+0xb9/0x410
    setup_net+0x5aa/0xbd0
    copy_net_ns+0x2e6/0x6b0
    create_new_namespaces+0x382/0xa50
    unshare_nsproxy_namespaces+0xa6/0x1c0
    ksys_unshare+0x3a4/0x7e0
    __x64_sys_unshare+0x2d/0x40
    do_syscall_64+0x35/0x80
    entry_SYSCALL_64_after_hwframe+0x46/0xb0
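
The failure path described in the Details above, as an added userspace C model; it is not kernel code and is not part of this record or of the upstream patch. The `live` flag, the `heap` backing store, the `clear_slot` switch and the NULL check in `hook_drop()` are assumptions of the model, and clearing the slot before the free is shown as one way to close the window, not as the fix taken from this page.

```c
#include <stddef.h>

/* Userspace model built for this example; names follow the commit message,
 * bodies are simplified and none of this is kernel code. */
struct queue_pernet { int live; };            /* live == 0 models freed memory */
struct net {
    struct queue_pernet *gen[4];              /* stands in for ptr in net->gen */
    struct queue_pernet heap[4];              /* toy backing store for "data" */
};
enum drop_result { DROP_SKIPPED, DROP_OK, DROP_USE_AFTER_FREE };

static int ok_init(struct net *net) { (void)net; return 0; }
static int failing_init(struct net *net) { (void)net; return -12; } /* -ENOMEM */

/* clear_slot == 0 follows the reported flow; 1 is the assumed hardening. */
static int ops_init(struct net *net, int id, int (*init)(struct net *),
                    int clear_slot)
{
    struct queue_pernet *data = &net->heap[id];
    int err;

    data->live = 1;                           /* data = kzalloc(...) */
    net->gen[id] = data;                      /* net_assign_generic() */
    err = init(net);
    if (!err)
        return 0;
    if (clear_slot)
        net->gen[id] = NULL;                  /* drop the stale reference */
    data->live = 0;                           /* kfree(data) */
    return err;
}

/* Plays the role of nfqnl_nf_hook_drop(); the NULL check is an assumption. */
static enum drop_result hook_drop(const struct net *net, int id)
{
    const struct queue_pernet *q = net->gen[id];  /* nfnl_queue_pernet(net) */
    if (!q)
        return DROP_SKIPPED;
    return q->live ? DROP_OK : DROP_USE_AFTER_FREE;
}

int main(void)
{
    static struct net reported, hardened;     /* zero-initialised */
    ops_init(&reported, 1, failing_init, 0);
    ops_init(&hardened, 1, failing_init, 1);
    return hook_drop(&reported, 1) != DROP_USE_AFTER_FREE ||
           hook_drop(&hardened, 1) != DROP_SKIPPED;
}
```

The model never touches freed memory itself: the `live` flag plays the part KASAN plays in the trace, marking the object the exit path would have read.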

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50780.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f875bae065334907796da12523f9df85c89f5712
Fixed
5a2ea549be94924364f6911227d99be86e8cf34a
Fixed
97ad240fd9aa9214497d14af2b91608e20856cac
Fixed
c3edc6e808209aa705185f732e682a370981ced1
Fixed
a1e18acb0246bfb001b08b8b1b830b5ec92a0f13
Fixed
4a4df5e78712de39d6f90d6a64b5eb48dca03bd5
Fixed
d266935ac43d57586e311a087510fe6a084af742

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50780.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.33
Fixed
4.19.264
Type
ECOSYSTEM
Events
Introduced
4.20.0
Fixed
5.4.223
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.153
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.77
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.0.7

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50780.json"