cve-2022-49916
Vulnerability from cvelistv5
Published
2025-05-01 14:10
Modified
2025-05-04 12:45
Severity ?
EPSS score ?
Summary
rose: Fix NULL pointer dereference in rose_send_frame()
References
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/rose/rose_link.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "01b9c68c121847d05a4ccef68244dadf82bfa331",
"status": "affected",
"version": "76885373129b13df35ecc9b4ee86ea5840f12133",
"versionType": "git"
},
{
"lessThan": "bbc03d74e641e824754443b908454ca9e203773e",
"status": "affected",
"version": "b8f9de195d6303f52bae16c7911f35ac14ba7e3d",
"versionType": "git"
},
{
"lessThan": "5b46adfbee1e429f33b10a88d6c00fa88f3d6c77",
"status": "affected",
"version": "0aae33feb7a56b28318f92c960a3d08d9c305984",
"versionType": "git"
},
{
"lessThan": "b13be5e852b03f376058027e462fad4230240891",
"status": "affected",
"version": "6e4b20d548fc97ecbdca15c8d96302ee5e3e6313",
"versionType": "git"
},
{
"lessThan": "f06186e5271b980bac03f5c97276ed0146ddc9b0",
"status": "affected",
"version": "de3deadd11987070788b48825bec4647458b988d",
"versionType": "git"
},
{
"lessThan": "3e2129c67daca21043a26575108f6286c85e71f6",
"status": "affected",
"version": "9cf85759e104d7e9c3fd8920a554195b715d6797",
"versionType": "git"
},
{
"lessThan": "a601e5eded33bb88b8a42743db8fef3ad41dd97e",
"status": "affected",
"version": "3c53cd65dece47dd1f9d3a809f32e59d1d87b2b8",
"versionType": "git"
},
{
"lessThan": "e97c089d7a49f67027395ddf70bf327eeac2611e",
"status": "affected",
"version": "3c53cd65dece47dd1f9d3a809f32e59d1d87b2b8",
"versionType": "git"
},
{
"status": "affected",
"version": "9197ca40fd9de265caedba70d0cb5814c4e45952",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/rose/rose_link.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"lessThan": "6.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.333",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.299",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.265",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.224",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.154",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.78",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.8",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.333",
"versionStartIncluding": "4.9.327",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.299",
"versionStartIncluding": "4.14.292",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.265",
"versionStartIncluding": "4.19.257",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.224",
"versionStartIncluding": "5.4.212",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.154",
"versionStartIncluding": "5.10.140",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.78",
"versionStartIncluding": "5.15.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.8",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.19.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrose: Fix NULL pointer dereference in rose_send_frame()\n\nThe syzkaller reported an issue:\n\nKASAN: null-ptr-deref in range [0x0000000000000380-0x0000000000000387]\nCPU: 0 PID: 4069 Comm: kworker/0:15 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022\nWorkqueue: rcu_gp srcu_invoke_callbacks\nRIP: 0010:rose_send_frame+0x1dd/0x2f0 net/rose/rose_link.c:101\nCall Trace:\n \u003cIRQ\u003e\n rose_transmit_clear_request+0x1d5/0x290 net/rose/rose_link.c:255\n rose_rx_call_request+0x4c0/0x1bc0 net/rose/af_rose.c:1009\n rose_loopback_timer+0x19e/0x590 net/rose/rose_loopback.c:111\n call_timer_fn+0x1a0/0x6b0 kernel/time/timer.c:1474\n expire_timers kernel/time/timer.c:1519 [inline]\n __run_timers.part.0+0x674/0xa80 kernel/time/timer.c:1790\n __run_timers kernel/time/timer.c:1768 [inline]\n run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803\n __do_softirq+0x1d0/0x9c8 kernel/softirq.c:571\n [...]\n \u003c/IRQ\u003e\n\nIt triggers NULL pointer dereference when \u0027neigh-\u003edev-\u003edev_addr\u0027 is\ncalled in the rose_send_frame(). It\u0027s the first occurrence of the\n`neigh` is in rose_loopback_timer() as `rose_loopback_neigh\u0027, and\nthe \u0027dev\u0027 in \u0027rose_loopback_neigh\u0027 is initialized sa nullptr.\n\nIt had been fixed by commit 3b3fd068c56e3fbea30090859216a368398e39bf\n(\"rose: Fix Null pointer dereference in rose_send_frame()\") ever.\nBut it\u0027s introduced by commit 3c53cd65dece47dd1f9d3a809f32e59d1d87b2b8\n(\"rose: check NULL rose_loopback_neigh-\u003eloopback\") again.\n\nWe fix it by add NULL check in rose_transmit_clear_request(). When\nthe \u0027dev\u0027 in \u0027neigh\u0027 is NULL, we don\u0027t reply the request and just\nclear it.\n\nsyzkaller don\u0027t provide repro, and I provide a syz repro like:\nr0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)\nioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, \u0026(0x7f0000000180)={\u0027rose0\\x00\u0027, 0x201})\nr1 = syz_init_net_socket$rose(0xb, 0x5, 0x0)\nbind$rose(r1, \u0026(0x7f00000000c0)=@full={0xb, @dev, @null, 0x0, [@null, @null, @netrom, @netrom, @default, @null]}, 0x40)\nconnect$rose(r1, \u0026(0x7f0000000240)=@short={0xb, @dev={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x1, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}}, 0x1c)"
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:45:26.225Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/01b9c68c121847d05a4ccef68244dadf82bfa331"
},
{
"url": "https://git.kernel.org/stable/c/bbc03d74e641e824754443b908454ca9e203773e"
},
{
"url": "https://git.kernel.org/stable/c/5b46adfbee1e429f33b10a88d6c00fa88f3d6c77"
},
{
"url": "https://git.kernel.org/stable/c/b13be5e852b03f376058027e462fad4230240891"
},
{
"url": "https://git.kernel.org/stable/c/f06186e5271b980bac03f5c97276ed0146ddc9b0"
},
{
"url": "https://git.kernel.org/stable/c/3e2129c67daca21043a26575108f6286c85e71f6"
},
{
"url": "https://git.kernel.org/stable/c/a601e5eded33bb88b8a42743db8fef3ad41dd97e"
},
{
"url": "https://git.kernel.org/stable/c/e97c089d7a49f67027395ddf70bf327eeac2611e"
}
],
"title": "rose: Fix NULL pointer dereference in rose_send_frame()",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49916",
"datePublished": "2025-05-01T14:10:56.851Z",
"dateReserved": "2025-05-01T14:05:17.251Z",
"dateUpdated": "2025-05-04T12:45:26.225Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2022-49916\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-05-01T15:16:16.820\",\"lastModified\":\"2025-05-02T13:52:51.693\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nrose: Fix NULL pointer dereference in rose_send_frame()\\n\\nThe syzkaller reported an issue:\\n\\nKASAN: null-ptr-deref in range [0x0000000000000380-0x0000000000000387]\\nCPU: 0 PID: 4069 Comm: kworker/0:15 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0\\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022\\nWorkqueue: rcu_gp srcu_invoke_callbacks\\nRIP: 0010:rose_send_frame+0x1dd/0x2f0 net/rose/rose_link.c:101\\nCall Trace:\\n \u003cIRQ\u003e\\n rose_transmit_clear_request+0x1d5/0x290 net/rose/rose_link.c:255\\n rose_rx_call_request+0x4c0/0x1bc0 net/rose/af_rose.c:1009\\n rose_loopback_timer+0x19e/0x590 net/rose/rose_loopback.c:111\\n call_timer_fn+0x1a0/0x6b0 kernel/time/timer.c:1474\\n expire_timers kernel/time/timer.c:1519 [inline]\\n __run_timers.part.0+0x674/0xa80 kernel/time/timer.c:1790\\n __run_timers kernel/time/timer.c:1768 [inline]\\n run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803\\n __do_softirq+0x1d0/0x9c8 kernel/softirq.c:571\\n [...]\\n \u003c/IRQ\u003e\\n\\nIt triggers NULL pointer dereference when \u0027neigh-\u003edev-\u003edev_addr\u0027 is\\ncalled in the rose_send_frame(). It\u0027s the first occurrence of the\\n`neigh` is in rose_loopback_timer() as `rose_loopback_neigh\u0027, and\\nthe \u0027dev\u0027 in \u0027rose_loopback_neigh\u0027 is initialized sa nullptr.\\n\\nIt had been fixed by commit 3b3fd068c56e3fbea30090859216a368398e39bf\\n(\\\"rose: Fix Null pointer dereference in rose_send_frame()\\\") ever.\\nBut it\u0027s introduced by commit 3c53cd65dece47dd1f9d3a809f32e59d1d87b2b8\\n(\\\"rose: check NULL rose_loopback_neigh-\u003eloopback\\\") again.\\n\\nWe fix it by add NULL check in rose_transmit_clear_request(). When\\nthe \u0027dev\u0027 in \u0027neigh\u0027 is NULL, we don\u0027t reply the request and just\\nclear it.\\n\\nsyzkaller don\u0027t provide repro, and I provide a syz repro like:\\nr0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)\\nioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, \u0026(0x7f0000000180)={\u0027rose0\\\\x00\u0027, 0x201})\\nr1 = syz_init_net_socket$rose(0xb, 0x5, 0x0)\\nbind$rose(r1, \u0026(0x7f00000000c0)=@full={0xb, @dev, @null, 0x0, [@null, @null, @netrom, @netrom, @default, @null]}, 0x40)\\nconnect$rose(r1, \u0026(0x7f0000000240)=@short={0xb, @dev={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x1, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}}, 0x1c)\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: rose: Se corrige la desreferencia del puntero NULL en rose_send_frame() Syzkaller inform\u00f3 un problema: KASAN: null-ptr-deref en el rango [0x0000000000000380-0x0000000000000387] CPU: 0 PID: 4069 Comm: kworker/0:15 No contaminado 6.0.0-syzkaller-02734-g0326074ff465 #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 22/09/2022 Cola de trabajo: rcu_gp srcu_invoke_callbacks RIP: 0010:rose_send_frame+0x1dd/0x2f0 net/rose/rose_link.c:101 Rastreo de llamadas: rose_transmit_clear_request+0x1d5/0x290 net/rose/rose_link.c:255 rose_rx_call_request+0x4c0/0x1bc0 net/rose/af_rose.c:1009 rose_loopback_timer+0x19e/0x590 net/rose/rose_loopback.c:111 call_timer_fn+0x1a0/0x6b0 kernel/time/timer.c:1474 expire_timers kernel/time/timer.c:1519 [en l\u00ednea] __run_timers.part.0+0x674/0xa80 kernel/time/timer.c:1790 __run_timers kernel/time/timer.c:1768 [en l\u00ednea] run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803 __do_softirq+0x1d0/0x9c8 kernel/softirq.c:571 [...] Activa la desreferencia de puntero nulo cuando se llama a \u0027neigh-\u0026gt;dev-\u0026gt;dev_addr\u0027 en rose_send_frame(). Es la primera vez que `neigh` aparece en rose_loopback_timer() como `rose_loopback_neigh\u0027, y `dev\u0027 en `rose_loopback_neigh\u0027 se inicializa como nullptr. Se corrigi\u00f3 con el commit 3b3fd068c56e3fbea30090859216a368398e39bf (\\\"rose: Corregir la desreferencia de puntero nulo en rose_send_frame()\\\"). Pero esto se introduce de nuevo con el commit 3c53cd65dece47dd1f9d3a809f32e59d1d87b2b8 (\\\"rose: check NULL rose_loopback_neigh-\u0026gt;loopback\\\"). Lo solucionamos a\u00f1adiendo una comprobaci\u00f3n NULL en rose_transmit_clear_request(). Cuando el valor de \\\"dev\\\" en \\\"neigh\\\" es NULL, no respondemos a la solicitud y simplemente la borramos. syzkaller no proporciona reproducci\u00f3n, y yo proporciono una reproducci\u00f3n syz como: r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) ioctl$sock_inet_SIOCSIFFLAGS(r0, 0x8914, \u0026amp;(0x7f0000000180)={\u0027rose0\\\\x00\u0027, 0x201}) r1 = syz_init_net_socket$rose(0xb, 0x5, 0x0) bind$rose(r1, \u0026amp;(0x7f00000000c0)=@full={0xb, @dev, @null, 0x0, [@null, @null, @netrom, @netrom, @default, @null]}, 0x40) conectar$rosa(r1, \u0026amp;(0x7f0000000240)=@corto={0xb, @dev={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remoto={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x1, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}}, 0x1c)\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/01b9c68c121847d05a4ccef68244dadf82bfa331\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3e2129c67daca21043a26575108f6286c85e71f6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5b46adfbee1e429f33b10a88d6c00fa88f3d6c77\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a601e5eded33bb88b8a42743db8fef3ad41dd97e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b13be5e852b03f376058027e462fad4230240891\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bbc03d74e641e824754443b908454ca9e203773e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e97c089d7a49f67027395ddf70bf327eeac2611e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f06186e5271b980bac03f5c97276ed0146ddc9b0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.