CVE-2022-49195 (GCVE-0-2022-49195)

Vulnerability from cvelistv5 – Published: 2025-02-26 01:55 – Updated: 2025-05-04 08:32
VLAI?
Summary
In the Linux kernel, the following vulnerability has been resolved: net: dsa: fix panic on shutdown if multi-chip tree failed to probe DSA probing is atypical because a tree of devices must probe all at once, so out of N switches which call dsa_tree_setup_routing_table() during probe, for (N - 1) of them, "complete" will return false and they will exit probing early. The Nth switch will set up the whole tree on their behalf. The implication is that for (N - 1) switches, the driver binds to the device successfully, without doing anything. When the driver is bound, the ->shutdown() method may run. But if the Nth switch has failed to initialize the tree, there is nothing to do for the (N - 1) driver instances, since the slave devices have not been created, etc. Moreover, dsa_switch_shutdown() expects that the calling @ds has been in fact initialized, so it jumps at dereferencing the various data structures, which is incorrect. Avoid the ensuing NULL pointer dereferences by simply checking whether the Nth switch has previously set "ds->setup = true" for the switch which is currently shutting down. The entire setup is serialized under dsa2_mutex which we already hold.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 0650bf52b31ff35dc6430fc2e37969c36baba724 , < 95df5cd5a446df6738d2d45872e08594819080e4 (git)
Affected: 0650bf52b31ff35dc6430fc2e37969c36baba724 , < b6e668ff43ebd87ccc8a19e5481345c428672295 (git)
Affected: 0650bf52b31ff35dc6430fc2e37969c36baba724 , < b864d5350c18bea9369d0bdd9e7eb6f6172cc283 (git)
Affected: 0650bf52b31ff35dc6430fc2e37969c36baba724 , < 8fd36358ce82382519b50b05f437493e1e00c4a9 (git)
Create a notification for this product.
    Linux Linux Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 5.15.33 , ≤ 5.15.* (semver)
Unaffected: 5.16.19 , ≤ 5.16.* (semver)
Unaffected: 5.17.2 , ≤ 5.17.* (semver)
Unaffected: 5.18 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/dsa/dsa2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "95df5cd5a446df6738d2d45872e08594819080e4",
              "status": "affected",
              "version": "0650bf52b31ff35dc6430fc2e37969c36baba724",
              "versionType": "git"
            },
            {
              "lessThan": "b6e668ff43ebd87ccc8a19e5481345c428672295",
              "status": "affected",
              "version": "0650bf52b31ff35dc6430fc2e37969c36baba724",
              "versionType": "git"
            },
            {
              "lessThan": "b864d5350c18bea9369d0bdd9e7eb6f6172cc283",
              "status": "affected",
              "version": "0650bf52b31ff35dc6430fc2e37969c36baba724",
              "versionType": "git"
            },
            {
              "lessThan": "8fd36358ce82382519b50b05f437493e1e00c4a9",
              "status": "affected",
              "version": "0650bf52b31ff35dc6430fc2e37969c36baba724",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/dsa/dsa2.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.33",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.16.*",
              "status": "unaffected",
              "version": "5.16.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.17.*",
              "status": "unaffected",
              "version": "5.17.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.18",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.33",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.16.19",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.17.2",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: fix panic on shutdown if multi-chip tree failed to probe\n\nDSA probing is atypical because a tree of devices must probe all at\nonce, so out of N switches which call dsa_tree_setup_routing_table()\nduring probe, for (N - 1) of them, \"complete\" will return false and they\nwill exit probing early. The Nth switch will set up the whole tree on\ntheir behalf.\n\nThe implication is that for (N - 1) switches, the driver binds to the\ndevice successfully, without doing anything. When the driver is bound,\nthe -\u003eshutdown() method may run. But if the Nth switch has failed to\ninitialize the tree, there is nothing to do for the (N - 1) driver\ninstances, since the slave devices have not been created, etc. Moreover,\ndsa_switch_shutdown() expects that the calling @ds has been in fact\ninitialized, so it jumps at dereferencing the various data structures,\nwhich is incorrect.\n\nAvoid the ensuing NULL pointer dereferences by simply checking whether\nthe Nth switch has previously set \"ds-\u003esetup = true\" for the switch\nwhich is currently shutting down. The entire setup is serialized under\ndsa2_mutex which we already hold."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:32:07.310Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/95df5cd5a446df6738d2d45872e08594819080e4"
        },
        {
          "url": "https://git.kernel.org/stable/c/b6e668ff43ebd87ccc8a19e5481345c428672295"
        },
        {
          "url": "https://git.kernel.org/stable/c/b864d5350c18bea9369d0bdd9e7eb6f6172cc283"
        },
        {
          "url": "https://git.kernel.org/stable/c/8fd36358ce82382519b50b05f437493e1e00c4a9"
        }
      ],
      "title": "net: dsa: fix panic on shutdown if multi-chip tree failed to probe",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49195",
    "datePublished": "2025-02-26T01:55:40.082Z",
    "dateReserved": "2025-02-26T01:49:39.288Z",
    "dateUpdated": "2025-05-04T08:32:07.310Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-49195\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-02-26T07:00:56.580\",\"lastModified\":\"2025-09-23T13:44:29.413\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: dsa: fix panic on shutdown if multi-chip tree failed to probe\\n\\nDSA probing is atypical because a tree of devices must probe all at\\nonce, so out of N switches which call dsa_tree_setup_routing_table()\\nduring probe, for (N - 1) of them, \\\"complete\\\" will return false and they\\nwill exit probing early. The Nth switch will set up the whole tree on\\ntheir behalf.\\n\\nThe implication is that for (N - 1) switches, the driver binds to the\\ndevice successfully, without doing anything. When the driver is bound,\\nthe -\u003eshutdown() method may run. But if the Nth switch has failed to\\ninitialize the tree, there is nothing to do for the (N - 1) driver\\ninstances, since the slave devices have not been created, etc. Moreover,\\ndsa_switch_shutdown() expects that the calling @ds has been in fact\\ninitialized, so it jumps at dereferencing the various data structures,\\nwhich is incorrect.\\n\\nAvoid the ensuing NULL pointer dereferences by simply checking whether\\nthe Nth switch has previously set \\\"ds-\u003esetup = true\\\" for the switch\\nwhich is currently shutting down. The entire setup is serialized under\\ndsa2_mutex which we already hold.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: dsa: fix panic on shutting if multi-chip tree failed to probe El sondeo de DSA es at\u00edpico porque un \u00e1rbol de dispositivos debe sondear todos a la vez, por lo que de N switches que llaman a dsa_tree_setup_routing_table() durante el sondeo, para (N - 1) de ellos, \\\"complete\\\" devolver\u00e1 false y saldr\u00e1n del sondeo antes de tiempo. El Nth switch configurar\u00e1 todo el \u00e1rbol en su nombre. La implicaci\u00f3n es que para (N - 1) switches, el controlador se vincula al dispositivo con \u00e9xito, sin hacer nada. Cuando el controlador est\u00e1 vinculado, el m\u00e9todo -\u0026gt;shutdown() puede ejecutarse. Pero si el Nth switch no ha podido inicializar el \u00e1rbol, no hay nada que hacer para las (N - 1) instancias del controlador, ya que los dispositivos esclavos no se han creado, etc. Adem\u00e1s, dsa_switch_shutdown() espera que el @ds que llama se haya inicializado de hecho, por lo que salta a desreferenciar las diversas estructuras de datos, lo cual es incorrecto. Evite las desreferencias de puntero NULL resultantes simplemente verificando si el conmutador Nth ha establecido previamente \\\"ds-\u0026gt;setup = true\\\" para el conmutador que se est\u00e1 apagando actualmente. La configuraci\u00f3n completa est\u00e1 serializada bajo dsa2_mutex que ya tenemos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.15.1\",\"versionEndExcluding\":\"5.15.33\",\"matchCriteriaId\":\"4D9EC10D-B839-4DFA-AD2C-E2032832E49F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"5.16.19\",\"matchCriteriaId\":\"20C43679-0439-405A-B97F-685BEE50613B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.17\",\"versionEndExcluding\":\"5.17.2\",\"matchCriteriaId\":\"210C679C-CF84-44A3-8939-E629C87E54BF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.15:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"40D9C0D1-0F32-4A2B-9840-1072F5497540\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.15:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"0460DA88-8FE1-46A2-9DDA-1F1ABA552E71\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.15:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"AF55383D-4DF2-45DC-93F7-571F4F978EAB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.15:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"9E9481B2-8AA6-4CBD-B5D3-C10F51FF6D01\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.15:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"EBD45831-4B79-42BC-ABC0-86870F0DEA89\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:5.15:rc7:*:*:*:*:*:*\",\"matchCriteriaId\":\"948A6B8D-1B72-4945-8680-354E53BE1C80\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/8fd36358ce82382519b50b05f437493e1e00c4a9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/95df5cd5a446df6738d2d45872e08594819080e4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b6e668ff43ebd87ccc8a19e5481345c428672295\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b864d5350c18bea9369d0bdd9e7eb6f6172cc283\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.