FKIE_CVE-2022-48690

Vulnerability from fkie_nvd - Published: 2024-05-03 18:15 - Updated: 2025-09-19 14:55
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: ice: Fix DMA mappings leak Fix leak, when user changes ring parameters. During reallocation of RX buffers, new DMA mappings are created for those buffers. New buffers with different RX ring count should substitute older ones, but those buffers were freed in ice_vsi_cfg_rxq and reallocated again with ice_alloc_rx_buf. kfree on rx_buf caused leak of already mapped DMA. Reallocate ZC with xdp_buf struct, when BPF program loads. Reallocate back to rx_buf, when BPF program unloads. If BPF program is loaded/unloaded and XSK pools are created, reallocate RX queues accordingly in XDP_SETUP_XSK_POOL handler. Steps for reproduction: while : do for ((i=0; i<=8160; i=i+32)) do ethtool -G enp130s0f0 rx $i tx $i sleep 0.5 ethtool -g enp130s0f0 done done
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/07f40e9f0ff342eb3e97d5c544783b7cb641689cPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7e753eb675f0523207b184558638ee2eed6c9ac2Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/07f40e9f0ff342eb3e97d5c544783b7cb641689cPatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/7e753eb675f0523207b184558638ee2eed6c9ac2Patch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel 5.16
linux linux_kernel 5.16
linux linux_kernel 5.16
linux linux_kernel 6.0
linux linux_kernel 6.0
linux linux_kernel 6.0
linux linux_kernel 6.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E3E8F443-B989-4EDE-80D8-7BB85AFA04ED",
              "versionEndExcluding": "5.19.9",
              "versionStartIncluding": "5.16.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.16:-:*:*:*:*:*:*",
              "matchCriteriaId": "FF588A58-013F-4DBF-A3AB-70EC054B1892",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.16:rc7:*:*:*:*:*:*",
              "matchCriteriaId": "4EAC2750-F7C6-4A4E-9C04-1E450722B853",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.16:rc8:*:*:*:*:*:*",
              "matchCriteriaId": "ED611C74-E83A-4AFA-8688-9B829C02B038",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "E8BD11A3-8643-49B6-BADE-5029A0117325",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "5F0AD220-F6A9-4012-8636-155F1B841FAD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "A46498B3-78E1-4623-AAE1-94D29A42BE4E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.0:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "F8446E87-F5F6-41CA-8201-BAE0F0CA6DD9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix DMA mappings leak\n\nFix leak, when user changes ring parameters.\nDuring reallocation of RX buffers, new DMA mappings are created for\nthose buffers. New buffers with different RX ring count should\nsubstitute older ones, but those buffers were freed in ice_vsi_cfg_rxq\nand reallocated again with ice_alloc_rx_buf. kfree on rx_buf caused\nleak of already mapped DMA.\nReallocate ZC with xdp_buf struct, when BPF program loads. Reallocate\nback to rx_buf, when BPF program unloads.\nIf BPF program is loaded/unloaded and XSK pools are created, reallocate\nRX queues accordingly in XDP_SETUP_XSK_POOL handler.\n\nSteps for reproduction:\nwhile :\ndo\n\tfor ((i=0; i\u003c=8160; i=i+32))\n\tdo\n\t\tethtool -G enp130s0f0 rx $i tx $i\n\t\tsleep 0.5\n\t\tethtool -g enp130s0f0\n\tdone\ndone"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ice: Reparar fuga de asignaciones DMA. Reparar fuga cuando el usuario cambia los par\u00e1metros del anillo. Durante la reasignaci\u00f3n de b\u00faferes RX, se crean nuevas asignaciones DMA para esos b\u00faferes. Los nuevos b\u00faferes con diferente n\u00famero de anillos RX deber\u00edan sustituir a los m\u00e1s antiguos, pero esos b\u00faferes se liberaron en ice_vsi_cfg_rxq y se reasignaron nuevamente con ice_alloc_rx_buf. kfree en rx_buf provoc\u00f3 una fuga de DMA ya mapeado. Reasigne ZC con la estructura xdp_buf, cuando se cargue el programa BPF. Reasigne nuevamente a rx_buf, cuando se descargue el programa BPF. Si se carga/descarga el programa BPF y se crean grupos XSK, reasigne las colas RX en consecuencia en el controlador XDP_SETUP_XSK_POOL. Pasos para la reproducci\u00f3n: while: do for ((i=0; i\u0026lt;=8160; i=i+32)) do ethtool -G enp130s0f0 rx $i tx $i sleep 0.5 ethtool -g enp130s0f0 done done"
    }
  ],
  "id": "CVE-2022-48690",
  "lastModified": "2025-09-19T14:55:29.430",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-05-03T18:15:08.167",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/07f40e9f0ff342eb3e97d5c544783b7cb641689c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/7e753eb675f0523207b184558638ee2eed6c9ac2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/07f40e9f0ff342eb3e97d5c544783b7cb641689c"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/7e753eb675f0523207b184558638ee2eed6c9ac2"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-401"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.