CVE-2022-49808
Vulnerability from cvelistv5
Published
2025-05-01 14:09
Modified
2025-05-04 08:45
Severity
Not scored (the record carries no CVSS metrics)
Summary
net: dsa: don't leak tagger-owned storage on switch driver unbind
Impacted products
Linux (vendor) / Linux (product)


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/dsa/dsa2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5809fb03942dbac25144db5bebea84fa003ecaca",
              "status": "affected",
              "version": "7f2973149c22e7a6fee4c0c9fa6b8e4108e9c208",
              "versionType": "git"
            },
            {
              "lessThan": "4e0c19fcb8b5323716140fa82b79aa9f60e60407",
              "status": "affected",
              "version": "7f2973149c22e7a6fee4c0c9fa6b8e4108e9c208",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/dsa/dsa2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.17"
            },
            {
              "lessThan": "5.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.10",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: don\u0027t leak tagger-owned storage on switch driver unbind\n\nIn the initial commit dc452a471dba (\"net: dsa: introduce tagger-owned\nstorage for private and shared data\"), we had a call to\ntag_ops-\u003edisconnect(dst) issued from dsa_tree_free(), which is called at\ntree teardown time.\n\nThere were problems with connecting to a switch tree as a whole, so this\ngot reworked to connecting to individual switches within the tree. In\nthis process, tag_ops-\u003edisconnect(ds) was made to be called only from\nswitch.c (cross-chip notifiers emitted as a result of dynamic tag proto\nchanges), but the normal driver teardown code path wasn\u0027t replaced with\nanything.\n\nSolve this problem by adding a function that does the opposite of\ndsa_switch_setup_tag_protocol(), which is called from the equivalent\nspot in dsa_switch_teardown(). The positioning here also ensures that we\nwon\u0027t have any use-after-free in tagging protocol (*rcv) ops, since the\nteardown sequence is as follows:\n\ndsa_tree_teardown\n-\u003e dsa_tree_teardown_master\n   -\u003e dsa_master_teardown\n      -\u003e unsets master-\u003edsa_ptr, making no further packets match the\n         ETH_P_XDSA packet type handler\n-\u003e dsa_tree_teardown_ports\n   -\u003e dsa_port_teardown\n      -\u003e dsa_slave_destroy\n         -\u003e unregisters DSA net devices, there is even a synchronize_net()\n            in unregister_netdevice_many()\n-\u003e dsa_tree_teardown_switches\n   -\u003e dsa_switch_teardown\n      -\u003e dsa_switch_teardown_tag_protocol\n         -\u003e finally frees the tagger-owned storage"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:45:47.599Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5809fb03942dbac25144db5bebea84fa003ecaca"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e0c19fcb8b5323716140fa82b79aa9f60e60407"
        }
      ],
      "title": "net: dsa: don\u0027t leak tagger-owned storage on switch driver unbind",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49808",
    "datePublished": "2025-05-01T14:09:34.130Z",
    "dateReserved": "2025-05-01T14:05:17.226Z",
    "dateUpdated": "2025-05-04T08:45:47.599Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-49808\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-05-01T15:16:04.130\",\"lastModified\":\"2025-05-02T13:53:20.943\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: dsa: don\u0027t leak tagger-owned storage on switch driver unbind\\n\\nIn the initial commit dc452a471dba (\\\"net: dsa: introduce tagger-owned\\nstorage for private and shared data\\\"), we had a call to\\ntag_ops-\u003edisconnect(dst) issued from dsa_tree_free(), which is called at\\ntree teardown time.\\n\\nThere were problems with connecting to a switch tree as a whole, so this\\ngot reworked to connecting to individual switches within the tree. In\\nthis process, tag_ops-\u003edisconnect(ds) was made to be called only from\\nswitch.c (cross-chip notifiers emitted as a result of dynamic tag proto\\nchanges), but the normal driver teardown code path wasn\u0027t replaced with\\nanything.\\n\\nSolve this problem by adding a function that does the opposite of\\ndsa_switch_setup_tag_protocol(), which is called from the equivalent\\nspot in dsa_switch_teardown(). The positioning here also ensures that we\\nwon\u0027t have any use-after-free in tagging protocol (*rcv) ops, since the\\nteardown sequence is as follows:\\n\\ndsa_tree_teardown\\n-\u003e dsa_tree_teardown_master\\n   -\u003e dsa_master_teardown\\n      -\u003e unsets master-\u003edsa_ptr, making no further packets match the\\n         ETH_P_XDSA packet type handler\\n-\u003e dsa_tree_teardown_ports\\n   -\u003e dsa_port_teardown\\n      -\u003e dsa_slave_destroy\\n         -\u003e unregisters DSA net devices, there is even a synchronize_net()\\n            in unregister_netdevice_many()\\n-\u003e dsa_tree_teardown_switches\\n   -\u003e dsa_switch_teardown\\n      -\u003e dsa_switch_teardown_tag_protocol\\n         -\u003e finally frees the tagger-owned storage\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: dsa: no filtrar almacenamiento propiedad del etiquetador al desvincular el controlador del conmutador. En la confirmaci\u00f3n inicial dc452a471dba (\\\"net: dsa: introducir almacenamiento propiedad del etiquetador para datos privados y compartidos\\\"), ten\u00edamos una llamada a tag_ops-\u0026gt;disconnect(dst) emitida desde dsa_tree_free(), que se llama en el momento del desmontaje del \u00e1rbol. Hab\u00eda problemas con la conexi\u00f3n a un \u00e1rbol de conmutadores como un todo, por lo que esto se modific\u00f3 para conectarse a conmutadores individuales dentro del \u00e1rbol. En este proceso, tag_ops-\u0026gt;disconnect(ds) se hizo para que se llamara solo desde switch.c (notificadores entre chips emitidos como resultado de cambios din\u00e1micos de protocolo de etiqueta), pero la ruta de c\u00f3digo normal para el desmontaje del controlador no se reemplaz\u00f3 con nada. Resuelva este problema a\u00f1adiendo una funci\u00f3n que haga lo contrario de dsa_switch_setup_tag_protocol(), que se llama desde el punto equivalente en dsa_switch_teardown(). El posicionamiento aqu\u00ed tambi\u00e9n asegura que no tendremos ning\u00fan use-after-free en las operaciones del protocolo de etiquetado (*rcv), ya que la secuencia de desmontaje es la siguiente: dsa_tree_teardown -\u0026gt; dsa_tree_teardown_master -\u0026gt; dsa_master_teardown -\u0026gt; anula el ajuste master-\u0026gt;dsa_ptr, lo que hace que no haya m\u00e1s paquetes que coincidan con el controlador de tipo de paquete ETH_P_XDSA -\u0026gt; dsa_tree_teardown_ports -\u0026gt; dsa_port_teardown -\u0026gt; dsa_slave_destroy -\u0026gt; anula el registro de los dispositivos de red DSA, incluso hay un synchronize_net() en unregister_netdevice_many() -\u0026gt; dsa_tree_teardown_switches -\u0026gt; dsa_switch_teardown -\u0026gt; dsa_switch_teardown_tag_protocol -\u0026gt; finalmente libera el almacenamiento propiedad del etiquetador\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/4e0c19fcb8b5323716140fa82b79aa9f60e60407\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5809fb03942dbac25144db5bebea84fa003ecaca\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}
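
The commit message above describes two things: a tagger's ->connect() allocates per-switch storage that nothing released on the normal driver-unbind path, and the fix places the new dsa_switch_teardown_tag_protocol() late enough in teardown that no rcv op can still reach that storage. The following is an added userspace model of that lifecycle written for this page; it is not kernel code and not the patch itself. The struct layouts, the example tagger, the leak counter and bind_unbind_cycle() are simplified stand-ins whose names only mirror net/dsa. It contrasts the pre-fix unbind (tagger storage never freed) with the post-fix one (master->dsa_ptr unset first, then disconnect), and checks that a frame arriving after unbind is dropped rather than dereferencing freed tagger_data.

```c
/* Added example, not kernel code: a userspace model of the DSA tagger
 * connect()/disconnect() lifecycle behind CVE-2022-49808. Names mirror
 * net/dsa (dsa_switch, tag_ops, tagger_data) but are simplified stand-ins. */
#include <stdbool.h>
#include <stdlib.h>

struct dsa_switch;

/* Subset of struct dsa_device_ops: only the hooks this example needs. */
struct dsa_device_ops {
	int (*connect)(struct dsa_switch *ds);
	void (*disconnect)(struct dsa_switch *ds);
};
struct dsa_switch_tree {
	const struct dsa_device_ops *tag_ops;
	void *dsa_ptr;          /* stand-in for master->dsa_ptr */
};
struct dsa_switch {
	struct dsa_switch_tree *dst;
	void *tagger_data;      /* tagger-owned storage */
};
struct example_tagger_private { unsigned int rx_count; };

static int live_allocations;   /* bookkeeping so the leak is observable */

/* A tagger's ->connect(): allocate per-switch private data. */
static int example_tagger_connect(struct dsa_switch *ds)
{
	struct example_tagger_private *priv = calloc(1, sizeof(*priv));

	if (!priv)
		return -1;      /* -ENOMEM in the kernel */
	ds->tagger_data = priv;
	live_allocations++;
	return 0;
}

/* A tagger's ->disconnect(): the only place that frees tagger_data. */
static void example_tagger_disconnect(struct dsa_switch *ds)
{
	free(ds->tagger_data);
	ds->tagger_data = NULL;
	live_allocations--;
}

static const struct dsa_device_ops example_tag_ops = {
	.connect = example_tagger_connect,
	.disconnect = example_tagger_disconnect,
};

/* Receive path: the tagger's rcv op runs only while master->dsa_ptr is
 * set; once unset, frames no longer match the ETH_P_XDSA handler. */
static int dsa_switch_rcv(struct dsa_switch *ds)
{
	if (!ds->dst->dsa_ptr)
		return -1;      /* dropped before any tagger code runs */
	((struct example_tagger_private *)ds->tagger_data)->rx_count++;
	return 0;
}

/* Same shape as dsa_switch_setup_tag_protocol(): call ->connect() if set. */
static int dsa_switch_setup_tag_protocol(struct dsa_switch *ds)
{
	const struct dsa_device_ops *tag_ops = ds->dst->tag_ops;

	return tag_ops->connect ? tag_ops->connect(ds) : 0;
}

/* The inverse the fix adds, called from dsa_switch_teardown(). */
static void dsa_switch_teardown_tag_protocol(struct dsa_switch *ds)
{
	const struct dsa_device_ops *tag_ops = ds->dst->tag_ops;

	if (tag_ops->disconnect)
		tag_ops->disconnect(ds);
}

/* Unbind in the commit's order: master unset first (no more rx), then,
 * only with the fix, tagger storage released. Pre-fix nothing undoes
 * ->connect(), which is the leak. */
static void dsa_switch_unbind(struct dsa_switch *ds, bool fixed)
{
	ds->dst->dsa_ptr = NULL;
	if (fixed)
		dsa_switch_teardown_tag_protocol(ds);
}

/* Bind, receive a frame, unbind, then try to receive again.
 * Returns outstanding tagger allocations, or -2 if rx after unbind was
 * not dropped (in the fixed case it would have touched freed memory). */
static int bind_unbind_cycle(bool fixed)
{
	struct dsa_switch_tree dst = { .tag_ops = &example_tag_ops };
	struct dsa_switch ds = { .dst = &dst };
	int leaked;

	live_allocations = 0;
	dst.dsa_ptr = &ds;
	if (dsa_switch_setup_tag_protocol(&ds) || dsa_switch_rcv(&ds))
		return -1;
	dsa_switch_unbind(&ds, fixed);
	leaked = live_allocations;
	if (dsa_switch_rcv(&ds) != -1)
		leaked = -2;
	free(ds.tagger_data);   /* demo-only cleanup; the kernel has no such path */
	return leaked;
}
```

bind_unbind_cycle(false) returns 1 (one tagger allocation outstanding per unbind, which is the leak on every driver rebind), bind_unbind_cycle(true) returns 0. The ordering matters: because dsa_ptr is cleared before disconnect runs, the second dsa_switch_rcv() call is rejected before it touches tagger_data, which is the use-after-free argument the commit message makes for placing dsa_switch_teardown_tag_protocol() last in dsa_switch_teardown().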

