fkie_cve-2022-49063
Vulnerability from fkie_nvd
Published
2025-02-26 07:00
Modified
2025-06-04 13:15
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: ice: arfs: fix use-after-free when freeing @rx_cpu_rmap The CI testing bots triggered the following splat: [ 718.203054] BUG: KASAN: use-after-free in free_irq_cpu_rmap+0x53/0x80 [ 718.206349] Read of size 4 at addr ffff8881bd127e00 by task sh/20834 [ 718.212852] CPU: 28 PID: 20834 Comm: sh Kdump: loaded Tainted: G S W IOE 5.17.0-rc8_nextqueue-devqueue-02643-g23f3121aca93 #1 [ 718.219695] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0012.070720200218 07/07/2020 [ 718.223418] Call Trace: [ 718.227139] [ 718.230783] dump_stack_lvl+0x33/0x42 [ 718.234431] print_address_description.constprop.9+0x21/0x170 [ 718.238177] ? free_irq_cpu_rmap+0x53/0x80 [ 718.241885] ? free_irq_cpu_rmap+0x53/0x80 [ 718.245539] kasan_report.cold.18+0x7f/0x11b [ 718.249197] ? free_irq_cpu_rmap+0x53/0x80 [ 718.252852] free_irq_cpu_rmap+0x53/0x80 [ 718.256471] ice_free_cpu_rx_rmap.part.11+0x37/0x50 [ice] [ 718.260174] ice_remove_arfs+0x5f/0x70 [ice] [ 718.263810] ice_rebuild_arfs+0x3b/0x70 [ice] [ 718.267419] ice_rebuild+0x39c/0xb60 [ice] [ 718.270974] ? asm_sysvec_apic_timer_interrupt+0x12/0x20 [ 718.274472] ? ice_init_phy_user_cfg+0x360/0x360 [ice] [ 718.278033] ? delay_tsc+0x4a/0xb0 [ 718.281513] ? preempt_count_sub+0x14/0xc0 [ 718.284984] ? delay_tsc+0x8f/0xb0 [ 718.288463] ice_do_reset+0x92/0xf0 [ice] [ 718.292014] ice_pci_err_resume+0x91/0xf0 [ice] [ 718.295561] pci_reset_function+0x53/0x80 <...> [ 718.393035] Allocated by task 690: [ 718.433497] Freed by task 20834: [ 718.495688] Last potentially related work creation: [ 718.568966] The buggy address belongs to the object at ffff8881bd127e00 which belongs to the cache kmalloc-96 of size 96 [ 718.574085] The buggy address is located 0 bytes inside of 96-byte region [ffff8881bd127e00, ffff8881bd127e60) [ 718.579265] The buggy address belongs to the page: [ 718.598905] Memory state around the buggy address: [ 718.601809] ffff8881bd127d00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 718.604796] ffff8881bd127d80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc [ 718.607794] >ffff8881bd127e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 718.610811] ^ [ 718.613819] ffff8881bd127e80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [ 718.617107] ffff8881bd127f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc This is due to that free_irq_cpu_rmap() is always being called *after* (devm_)free_irq() and thus it tries to work with IRQ descs already freed. For example, on device reset the driver frees the rmap right before allocating a new one (the splat above). Make rmap creation and freeing function symmetrical with {request,free}_irq() calls i.e. do that on ifup/ifdown instead of device probe/remove/resume. These operations can be performed independently from the actual device aRFS configuration. Also, make sure ice_vsi_free_irq() clears IRQ affinity notifiers only when aRFS is disabled -- otherwise, CPU rmap sets and clears its own and they must not be touched manually.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/618df75f2e30c7838a3e010ca32cd4893ec9fe33
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ba2f6ec28733fb6b24ed086e676df3df4c138f3f
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d08d2fb6d99d82da1c63aba5c0d1c6f237e150f3Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d7442f512b71fc63a99c8a801422dde4fbbf9f93Patch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel 5.18
linux linux_kernel 5.18


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FE6F929C-D6F1-42F9-9391-3FC3C81C7651",
              "versionEndExcluding": "5.17.4",
              "versionStartIncluding": "5.8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.18:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "6AD94161-84BB-42E6-9882-4FC0C42E9FC1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.18:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "7AB06DDF-3C2B-416D-B448-E990D8FF67A9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: arfs: fix use-after-free when freeing @rx_cpu_rmap\n\nThe CI testing bots triggered the following splat:\n\n[  718.203054] BUG: KASAN: use-after-free in free_irq_cpu_rmap+0x53/0x80\n[  718.206349] Read of size 4 at addr ffff8881bd127e00 by task sh/20834\n[  718.212852] CPU: 28 PID: 20834 Comm: sh Kdump: loaded Tainted: G S      W IOE     5.17.0-rc8_nextqueue-devqueue-02643-g23f3121aca93 #1\n[  718.219695] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0012.070720200218 07/07/2020\n[  718.223418] Call Trace:\n[  718.227139]\n[  718.230783]  dump_stack_lvl+0x33/0x42\n[  718.234431]  print_address_description.constprop.9+0x21/0x170\n[  718.238177]  ? free_irq_cpu_rmap+0x53/0x80\n[  718.241885]  ? free_irq_cpu_rmap+0x53/0x80\n[  718.245539]  kasan_report.cold.18+0x7f/0x11b\n[  718.249197]  ? free_irq_cpu_rmap+0x53/0x80\n[  718.252852]  free_irq_cpu_rmap+0x53/0x80\n[  718.256471]  ice_free_cpu_rx_rmap.part.11+0x37/0x50 [ice]\n[  718.260174]  ice_remove_arfs+0x5f/0x70 [ice]\n[  718.263810]  ice_rebuild_arfs+0x3b/0x70 [ice]\n[  718.267419]  ice_rebuild+0x39c/0xb60 [ice]\n[  718.270974]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20\n[  718.274472]  ? ice_init_phy_user_cfg+0x360/0x360 [ice]\n[  718.278033]  ? delay_tsc+0x4a/0xb0\n[  718.281513]  ? preempt_count_sub+0x14/0xc0\n[  718.284984]  ? delay_tsc+0x8f/0xb0\n[  718.288463]  ice_do_reset+0x92/0xf0 [ice]\n[  718.292014]  ice_pci_err_resume+0x91/0xf0 [ice]\n[  718.295561]  pci_reset_function+0x53/0x80\n\u003c...\u003e\n[  718.393035] Allocated by task 690:\n[  718.433497] Freed by task 20834:\n[  718.495688] Last potentially related work creation:\n[  718.568966] The buggy address belongs to the object at ffff8881bd127e00\n                which belongs to the cache kmalloc-96 of size 96\n[  718.574085] The buggy address is located 0 bytes inside of\n                96-byte region [ffff8881bd127e00, ffff8881bd127e60)\n[  718.579265] The buggy address belongs to the page:\n[  718.598905] Memory state around the buggy address:\n[  718.601809]  ffff8881bd127d00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n[  718.604796]  ffff8881bd127d80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc\n[  718.607794] \u003effff8881bd127e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n[  718.610811]                    ^\n[  718.613819]  ffff8881bd127e80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc\n[  718.617107]  ffff8881bd127f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n\nThis is due to that free_irq_cpu_rmap() is always being called\n*after* (devm_)free_irq() and thus it tries to work with IRQ descs\nalready freed. For example, on device reset the driver frees the\nrmap right before allocating a new one (the splat above).\nMake rmap creation and freeing function symmetrical with\n{request,free}_irq() calls i.e. do that on ifup/ifdown instead\nof device probe/remove/resume. These operations can be performed\nindependently from the actual device aRFS configuration.\nAlso, make sure ice_vsi_free_irq() clears IRQ affinity notifiers\nonly when aRFS is disabled -- otherwise, CPU rmap sets and clears\nits own and they must not be touched manually."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ice: arfs: corregir use-after-free al liberar @rx_cpu_rmap Los bots de prueba de CI activaron el siguiente splat: [ 718.203054] ERROR: KASAN: use-after-free en free_irq_cpu_rmap+0x53/0x80 [ 718.206349] Lectura de tama\u00f1o 4 en la direcci\u00f3n ffff8881bd127e00 por la tarea sh/20834 [ 718.212852] CPU: 28 PID: 20834 Comm: sh Kdump: cargado Tainted: GSW IOE 5.17.0-rc8_nextqueue-devqueue-02643-g23f3121aca93 #1 [ 718.219695] Hardware nombre: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0012.070720200218 07/07/2020 [ 718.223418] Seguimiento de llamadas: [ 718.227139] [ 718.230783] dump_stack_lvl+0x33/0x42 [ 718.234431] print_address_description.constprop.9+0x21/0x170 [ 718.238177] ? free_irq_cpu_rmap+0x53/0x80 [ 718.241885] ? informe_kasan.cold.18+0x7f/0x11b [ 718.249197] ? free_irq_cpu_rmap+0x53/0x80 [ 718.252852] free_irq_cpu_rmap+0x53/0x80 [ 718.256471] ice_free_cpu_rx_rmap.part.11+0x37/0x50 [hielo] [ 718.260174] ice_remove_arfs+0x5f/0x70 [hielo] [ 718.263810] ice_rebuild_arfs+0x3b/0x70 [hielo] [ 718.267419] ice_rebuild+0x39c/0xb60 [hielo] [ 718.270974] ? preempt_count_sub+0x14/0xc0 [ 718.284984] ? delay_tsc+0x8f/0xb0 [ 718.288463] ice_do_reset+0x92/0xf0 [ice] [ 718.292014] ice_pci_err_resume+0x91/0xf0 [ice] [ 718.295561] pci_reset_function+0x53/0x80 \u0026lt;...\u0026gt; [ 718.393035] Asignado por la tarea 690: [ 718.433497] Liberado por la tarea 20834: [ 718.495688] \u00daltima creaci\u00f3n de trabajo potencialmente relacionada: [ 718.568966] La direcci\u00f3n con errores pertenece al objeto en ffff8881bd127e00 que pertenece a la cach\u00e9 kmalloc-96 de tama\u00f1o 96 [ 718.574085] La direcci\u00f3n con errores se encuentra a 0 bytes dentro de la regi\u00f3n de 96 bytes [ffff8881bd127e00, ffff8881bd127e60) [ 718.579265] La direcci\u00f3n con errores pertenece a la p\u00e1gina: [ 718.598905] Estado de la memoria alrededor de la direcci\u00f3n con errores: [ 718.601809] ffff8881bd127d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 718.604796] ffff8881bd127d80: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc [ 718.607794] \u0026gt;ffff8881bd127e00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 718.610811] ^ [ 718.613819] ffff8881bd127e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [ 718.617107] ffff8881bd127f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc Esto se debe a que free_irq_cpu_rmap() siempre se llama *despu\u00e9s* de (devm_)free_irq() y, por lo tanto, intenta funcionar. con descripciones IRQ ya liberadas. Por ejemplo, al reiniciar el dispositivo, el controlador libera el rmap justo antes de asignar uno nuevo (el s\u00edmbolo de arriba). Haga que la creaci\u00f3n y liberaci\u00f3n de rmap sean sim\u00e9tricas con las llamadas {request,free}_irq(), es decir, h\u00e1galo en ifup/ifdown en lugar de en la prueba/eliminaci\u00f3n/reanudaci\u00f3n del dispositivo. Estas operaciones se pueden realizar independientemente de la configuraci\u00f3n aRFS del dispositivo real. Adem\u00e1s, aseg\u00farese de que ice_vsi_free_irq() borre los notificadores de afinidad IRQ solo cuando aRFS est\u00e9 deshabilitado; de lo contrario, el rmap de la CPU establece y borra los suyos propios y no se deben tocar manualmente."
    }
  ],
  "id": "CVE-2022-49063",
  "lastModified": "2025-06-04T13:15:24.193",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-02-26T07:00:43.547",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/618df75f2e30c7838a3e010ca32cd4893ec9fe33"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/ba2f6ec28733fb6b24ed086e676df3df4c138f3f"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/d08d2fb6d99d82da1c63aba5c0d1c6f237e150f3"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/d7442f512b71fc63a99c8a801422dde4fbbf9f93"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-416"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.