CVE-2022-48640
Vulnerability from cvelistv5
Published
2024-04-28 12:59
Modified
2024-11-04 12:13
Severity ?
Summary
bonding: fix NULL deref in bond_rr_gen_slave_id
Impacted products
LinuxLinux
LinuxLinux
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-48640",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-17T17:41:02.395748Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-17T17:47:18.002Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T15:17:55.245Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/ec3a6f4ffe556a28f6f5028bf7c4412557e7051b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2c8e8ab53acfc78da0b4a65f30cb5d306e7d78f7"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/0e400d602f46360752e4b32ce842dba3808e15e6"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/bonding/bond_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ec3a6f4ffe55",
              "status": "affected",
              "version": "848ca9182a7d",
              "versionType": "git"
            },
            {
              "lessThan": "2c8e8ab53acf",
              "status": "affected",
              "version": "848ca9182a7d",
              "versionType": "git"
            },
            {
              "lessThan": "0e400d602f46",
              "status": "affected",
              "version": "848ca9182a7d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/bonding/bond_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.71",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: fix NULL deref in bond_rr_gen_slave_id\n\nFix a NULL dereference of the struct bonding.rr_tx_counter member because\nif a bond is initially created with an initial mode != zero (Round Robin)\nthe memory required for the counter is never created and when the mode is\nchanged there is never any attempt to verify the memory is allocated upon\nswitching modes.\n\nThis causes the following Oops on an aarch64 machine:\n    [  334.686773] Unable to handle kernel paging request at virtual address ffff2c91ac905000\n    [  334.694703] Mem abort info:\n    [  334.697486]   ESR = 0x0000000096000004\n    [  334.701234]   EC = 0x25: DABT (current EL), IL = 32 bits\n    [  334.706536]   SET = 0, FnV = 0\n    [  334.709579]   EA = 0, S1PTW = 0\n    [  334.712719]   FSC = 0x04: level 0 translation fault\n    [  334.717586] Data abort info:\n    [  334.720454]   ISV = 0, ISS = 0x00000004\n    [  334.724288]   CM = 0, WnR = 0\n    [  334.727244] swapper pgtable: 4k pages, 48-bit VAs, pgdp=000008044d662000\n    [  334.733944] [ffff2c91ac905000] pgd=0000000000000000, p4d=0000000000000000\n    [  334.740734] Internal error: Oops: 96000004 [#1] SMP\n    [  334.745602] Modules linked in: bonding tls veth rfkill sunrpc arm_spe_pmu vfat fat acpi_ipmi ipmi_ssif ixgbe igb i40e mdio ipmi_devintf ipmi_msghandler arm_cmn arm_dsu_pmu cppc_cpufreq acpi_tad fuse zram crct10dif_ce ast ghash_ce sbsa_gwdt nvme drm_vram_helper drm_ttm_helper nvme_core ttm xgene_hwmon\n    [  334.772217] CPU: 7 PID: 2214 Comm: ping Not tainted 6.0.0-rc4-00133-g64ae13ed4784 #4\n    [  334.779950] Hardware name: GIGABYTE R272-P31-00/MP32-AR1-00, BIOS F18v (SCP: 1.08.20211002) 12/01/2021\n    [  334.789244] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n    [  334.796196] pc : bond_rr_gen_slave_id+0x40/0x124 [bonding]\n    [  334.801691] lr : bond_xmit_roundrobin_slave_get+0x38/0xdc [bonding]\n    [  334.807962] sp : ffff8000221733e0\n    [  334.811265] x29: ffff8000221733e0 x28: ffffdbac8572d198 x27: ffff80002217357c\n    [  334.818392] x26: 000000000000002a x25: ffffdbacb33ee000 x24: ffff07ff980fa000\n    [  334.825519] x23: ffffdbacb2e398ba x22: ffff07ff98102000 x21: ffff07ff981029c0\n    [  334.832646] x20: 0000000000000001 x19: ffff07ff981029c0 x18: 0000000000000014\n    [  334.839773] x17: 0000000000000000 x16: ffffdbacb1004364 x15: 0000aaaabe2f5a62\n    [  334.846899] x14: ffff07ff8e55d968 x13: ffff07ff8e55db30 x12: 0000000000000000\n    [  334.854026] x11: ffffdbacb21532e8 x10: 0000000000000001 x9 : ffffdbac857178ec\n    [  334.861153] x8 : ffff07ff9f6e5a28 x7 : 0000000000000000 x6 : 000000007c2b3742\n    [  334.868279] x5 : ffff2c91ac905000 x4 : ffff2c91ac905000 x3 : ffff07ff9f554400\n    [  334.875406] x2 : ffff2c91ac905000 x1 : 0000000000000001 x0 : ffff07ff981029c0\n    [  334.882532] Call trace:\n    [  334.884967]  bond_rr_gen_slave_id+0x40/0x124 [bonding]\n    [  334.890109]  bond_xmit_roundrobin_slave_get+0x38/0xdc [bonding]\n    [  334.896033]  __bond_start_xmit+0x128/0x3a0 [bonding]\n    [  334.901001]  bond_start_xmit+0x54/0xb0 [bonding]\n    [  334.905622]  dev_hard_start_xmit+0xb4/0x220\n    [  334.909798]  __dev_queue_xmit+0x1a0/0x720\n    [  334.913799]  arp_xmit+0x3c/0xbc\n    [  334.916932]  arp_send_dst+0x98/0xd0\n    [  334.920410]  arp_solicit+0xe8/0x230\n    [  334.923888]  neigh_probe+0x60/0xb0\n    [  334.927279]  __neigh_event_send+0x3b0/0x470\n    [  334.931453]  neigh_resolve_output+0x70/0x90\n    [  334.935626]  ip_finish_output2+0x158/0x514\n    [  334.939714]  __ip_finish_output+0xac/0x1a4\n    [  334.943800]  ip_finish_output+0x40/0xfc\n    [  334.947626]  ip_output+0xf8/0x1a4\n    [  334.950931]  ip_send_skb+0x5c/0x100\n    [  334.954410]  ip_push_pending_frames+0x3c/0x60\n    [  334.958758]  raw_sendmsg+0x458/0x6d0\n    [  334.962325]  inet_sendmsg+0x50/0x80\n    [  334.965805]  sock_sendmsg+0x60/0x6c\n    [  334.969286]  __sys_sendto+0xc8/0x134\n    [  334.972853]  __arm64_sys_sendto+0x34/0x4c\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-04T12:13:47.136Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ec3a6f4ffe556a28f6f5028bf7c4412557e7051b"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c8e8ab53acfc78da0b4a65f30cb5d306e7d78f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/0e400d602f46360752e4b32ce842dba3808e15e6"
        }
      ],
      "title": "bonding: fix NULL deref in bond_rr_gen_slave_id",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-48640",
    "datePublished": "2024-04-28T12:59:48.510Z",
    "dateReserved": "2024-02-25T13:44:28.316Z",
    "dateUpdated": "2024-11-04T12:13:47.136Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-48640\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-04-28T13:15:06.903\",\"lastModified\":\"2024-04-29T12:42:03.667\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbonding: fix NULL deref in bond_rr_gen_slave_id\\n\\nFix a NULL dereference of the struct bonding.rr_tx_counter member because\\nif a bond is initially created with an initial mode != zero (Round Robin)\\nthe memory required for the counter is never created and when the mode is\\nchanged there is never any attempt to verify the memory is allocated upon\\nswitching modes.\\n\\nThis causes the following Oops on an aarch64 machine:\\n    [  334.686773] Unable to handle kernel paging request at virtual address ffff2c91ac905000\\n    [  334.694703] Mem abort info:\\n    [  334.697486]   ESR = 0x0000000096000004\\n    [  334.701234]   EC = 0x25: DABT (current EL), IL = 32 bits\\n    [  334.706536]   SET = 0, FnV = 0\\n    [  334.709579]   EA = 0, S1PTW = 0\\n    [  334.712719]   FSC = 0x04: level 0 translation fault\\n    [  334.717586] Data abort info:\\n    [  334.720454]   ISV = 0, ISS = 0x00000004\\n    [  334.724288]   CM = 0, WnR = 0\\n    [  334.727244] swapper pgtable: 4k pages, 48-bit VAs, pgdp=000008044d662000\\n    [  334.733944] [ffff2c91ac905000] pgd=0000000000000000, p4d=0000000000000000\\n    [  334.740734] Internal error: Oops: 96000004 [#1] SMP\\n    [  334.745602] Modules linked in: bonding tls veth rfkill sunrpc arm_spe_pmu vfat fat acpi_ipmi ipmi_ssif ixgbe igb i40e mdio ipmi_devintf ipmi_msghandler arm_cmn arm_dsu_pmu cppc_cpufreq acpi_tad fuse zram crct10dif_ce ast ghash_ce sbsa_gwdt nvme drm_vram_helper drm_ttm_helper nvme_core ttm xgene_hwmon\\n    [  334.772217] CPU: 7 PID: 2214 Comm: ping Not tainted 6.0.0-rc4-00133-g64ae13ed4784 #4\\n    [  334.779950] Hardware name: GIGABYTE R272-P31-00/MP32-AR1-00, BIOS F18v (SCP: 1.08.20211002) 12/01/2021\\n    [  334.789244] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\\n    [  334.796196] pc : bond_rr_gen_slave_id+0x40/0x124 [bonding]\\n    [  334.801691] lr : bond_xmit_roundrobin_slave_get+0x38/0xdc [bonding]\\n    [  334.807962] sp : ffff8000221733e0\\n    [  334.811265] x29: ffff8000221733e0 x28: ffffdbac8572d198 x27: ffff80002217357c\\n    [  334.818392] x26: 000000000000002a x25: ffffdbacb33ee000 x24: ffff07ff980fa000\\n    [  334.825519] x23: ffffdbacb2e398ba x22: ffff07ff98102000 x21: ffff07ff981029c0\\n    [  334.832646] x20: 0000000000000001 x19: ffff07ff981029c0 x18: 0000000000000014\\n    [  334.839773] x17: 0000000000000000 x16: ffffdbacb1004364 x15: 0000aaaabe2f5a62\\n    [  334.846899] x14: ffff07ff8e55d968 x13: ffff07ff8e55db30 x12: 0000000000000000\\n    [  334.854026] x11: ffffdbacb21532e8 x10: 0000000000000001 x9 : ffffdbac857178ec\\n    [  334.861153] x8 : ffff07ff9f6e5a28 x7 : 0000000000000000 x6 : 000000007c2b3742\\n    [  334.868279] x5 : ffff2c91ac905000 x4 : ffff2c91ac905000 x3 : ffff07ff9f554400\\n    [  334.875406] x2 : ffff2c91ac905000 x1 : 0000000000000001 x0 : ffff07ff981029c0\\n    [  334.882532] Call trace:\\n    [  334.884967]  bond_rr_gen_slave_id+0x40/0x124 [bonding]\\n    [  334.890109]  bond_xmit_roundrobin_slave_get+0x38/0xdc [bonding]\\n    [  334.896033]  __bond_start_xmit+0x128/0x3a0 [bonding]\\n    [  334.901001]  bond_start_xmit+0x54/0xb0 [bonding]\\n    [  334.905622]  dev_hard_start_xmit+0xb4/0x220\\n    [  334.909798]  __dev_queue_xmit+0x1a0/0x720\\n    [  334.913799]  arp_xmit+0x3c/0xbc\\n    [  334.916932]  arp_send_dst+0x98/0xd0\\n    [  334.920410]  arp_solicit+0xe8/0x230\\n    [  334.923888]  neigh_probe+0x60/0xb0\\n    [  334.927279]  __neigh_event_send+0x3b0/0x470\\n    [  334.931453]  neigh_resolve_output+0x70/0x90\\n    [  334.935626]  ip_finish_output2+0x158/0x514\\n    [  334.939714]  __ip_finish_output+0xac/0x1a4\\n    [  334.943800]  ip_finish_output+0x40/0xfc\\n    [  334.947626]  ip_output+0xf8/0x1a4\\n    [  334.950931]  ip_send_skb+0x5c/0x100\\n    [  334.954410]  ip_push_pending_frames+0x3c/0x60\\n    [  334.958758]  raw_sendmsg+0x458/0x6d0\\n    [  334.962325]  inet_sendmsg+0x50/0x80\\n    [  334.965805]  sock_sendmsg+0x60/0x6c\\n    [  334.969286]  __sys_sendto+0xc8/0x134\\n    [  334.972853]  __arm64_sys_sendto+0x34/0x4c\\n---truncated---\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: bonding: corrige la deref NULL en bond_rr_gen_slave_id Se corrige una desreferencia NULL del miembro struct bonding.rr_tx_counter porque si un enlace se crea inicialmente con un modo inicial != cero (Round Robin) la memoria requerido para el contador nunca se crea y cuando se cambia el modo nunca se intenta verificar que la memoria est\u00e9 asignada al cambiar de modo. Esto provoca los siguientes errores en una m\u00e1quina aarch64: [334.686773] No se puede manejar la solicitud de paginaci\u00f3n del kernel en la direcci\u00f3n virtual ffff2c91ac905000 [334.694703] Informaci\u00f3n de cancelaci\u00f3n de memoria: [334.697486] ESR = 0x0000000096000004 [334.701234] EC = 0x25: DABT (EL actual), IL = 32 bits [ 334.706536] SET = 0, FnV = 0 [ 334.709579] EA = 0, S1PTW = 0 [ 334.712719] FSC = 0x04: error de traducci\u00f3n de nivel 0 [ 334.717586] Informaci\u00f3n de cancelaci\u00f3n de datos: [ 334.720454] ISV = 0, ISS = 0x00000004 [334.724288] CM = 0, WnR = 0 [334.727244] tabla de intercambio: p\u00e1ginas 4k, VA de 48 bits, pgdp=000008044d662000 [334.733944] [ffff2c91ac905000] 0000000000000, p4d=00000000000000000 [334.740734] Error interno: Ups: 96000004 [#1] SMP [334.745602] M\u00f3dulos vinculados en: uni\u00f3n tls veth rfkill sunrpc arm_spe_pmu vfat fat acpi_ipmi ipmi_ssif ixgbe igb i40e mdio ipmi_devintf ipmi_msghandler arm_cmn arm_dsu_pmu cppc_cpufreq acpi_tad fuse crct10dif_ce ast ghash_ce sbsa_gwdt nvme drm_vram_helper drm_ttm_helper nvme_core ttm xgene_hwmon [334.772217] CPU: 7 PID: 2214 Comm: ping No contaminado 6.0.0-rc4-00133-g64ae13ed4784 #4 [334.779950] Nombre de hardware: GIGABYTE R272-P31-00/MP32-AR1-00, BIOS F18v (SCP: 1.08.20211002) 12/01 /2021 [ 334.789244] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 334.796196] pc : bond_rr_gen_slave_id+0x40/0x124 [uni\u00f3n] [ 334.801691] lr : _slave_get+0x38/0xdc [ vinculaci\u00f3n] [ 334.807962] sp : ffff8000221733e0 [ 334.811265] x29: ffff8000221733e0 x28: ffffdbac8572d198 x27: ffff80002217357c [ 334.818392] x26: 00000000002a x25: ffffdbacb33ee000 x24: ffff07ff980fa000 [ 334.825519] x23: ffffdbacb2e398ba x22: ffff07ff98102000 x21: ffff07ff981029c0 [ 334.832646] x 20: 0000000000000001 x19: ffff07ff981029c0 x18: 0000000000000014 [ 334.839773] x17: 0000000000000000 x16: ffffdbacb1004364 x15: 0000aaaabe2f5a62 [ 334.846899] 14: ffff07ff8e55d968 x13: ffff07ff8e55db30 x12: 0000000000000000 [ 334.854026] x11: ffffdbacb21532e8 x10: 0000000000000001 x9 : ffffdbac857178ec [ 3 34.861153] x8: ffff07ff9f6e5a28 x7: 0000000000000000 x6: 000000007c2b3742 [334.868279] x5: ffff2c91ac905000 x4: ffff2c91ac905000 x3: ffff07ff9f554400 [334.875406] x2: 1ac905000 x1: 0000000000000001 x0: ffff07ff981029c0 [334.882532] Rastreo de llamadas: [334.884967] bond_rr_gen_slave_id+0x40/0x124 [vinculaci\u00f3n] [334.890109] _obtener+ 0x38/0xdc [v\u00ednculo] [ 334.896033] __bond_start_xmit+0x128/0x3a0 [v\u00ednculo] [ 334.901001] bond_start_xmit+0x54/0xb0 [v\u00ednculo] [ 334.905622] dev_hard_start_xmit+0xb4/0x220 [ 334 .909798] __dev_queue_xmit+0x1a0/0x720 [ 334.913799] arp_xmit+0x3c /0xbc [ 334.916932] arp_send_dst+0x98/0xd0 [ 334.920410] arp_solicit+0xe8/0x230 [ 334.923888] neigh_probe+0x60/0xb0 [ 334.927279] 0x470 [334.931453] neigh_resolve_output+0x70/0x90 [334.935626] ip_finish_output2+0x158/0x514 [ 334.939714] __ip_finish_output+0xac/0x1a4 [ 334.943800] ip_finish_output+0x40/0xfc [ 334.947626] ip_output+0xf8/0x1a4 [ 334.950931] 0 [ 334.954410] ip_push_pending_frames+0x3c/0x60 [ 334.958758] raw_sendmsg+0x458/0x6d0 [ 334.962325 ] inet_sendmsg+0x50/0x80 [ 334.965805] sock_sendmsg+0x60/0x6c [ 334.969286] __sys_sendto+0xc8/0x134 [ 334.972853] __arm64_sys_sendto+0x34/0x4c ncado---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0e400d602f46360752e4b32ce842dba3808e15e6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/2c8e8ab53acfc78da0b4a65f30cb5d306e7d78f7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ec3a6f4ffe556a28f6f5028bf7c4412557e7051b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...
  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.