ghsa-j385-2ppr-7766
Vulnerability from github
Published
2024-06-20 12:31
Modified
2024-06-20 12:31
Details

In the Linux kernel, the following vulnerability has been resolved:

net/smc: Transitional solution for clcsock race issue

We encountered a crash in smc_setsockopt() and it is caused by accessing smc->clcsock after clcsock was released.

BUG: kernel NULL pointer dereference, address: 0000000000000020 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 50309 Comm: nginx Kdump: loaded Tainted: G E 5.16.0-rc4+ #53 RIP: 0010:smc_setsockopt+0x59/0x280 [smc] Call Trace: __sys_setsockopt+0xfc/0x190 __x64_sys_setsockopt+0x20/0x30 do_syscall_64+0x34/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f16ba83918e

This patch tries to fix it by holding clcsock_release_lock and checking whether clcsock has already been released before access.

In case that a crash of the same reason happens in smc_getsockopt() or smc_switch_to_fallback(), this patch also checkes smc->clcsock in them too. And the caller of smc_switch_to_fallback() will identify whether fallback succeeds according to the return value.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-48751"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-20T12:15:13Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: Transitional solution for clcsock race issue\n\nWe encountered a crash in smc_setsockopt() and it is caused by\naccessing smc-\u003eclcsock after clcsock was released.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000020\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 1 PID: 50309 Comm: nginx Kdump: loaded Tainted: G E     5.16.0-rc4+ #53\n RIP: 0010:smc_setsockopt+0x59/0x280 [smc]\n Call Trace:\n  \u003cTASK\u003e\n  __sys_setsockopt+0xfc/0x190\n  __x64_sys_setsockopt+0x20/0x30\n  do_syscall_64+0x34/0x90\n  entry_SYSCALL_64_after_hwframe+0x44/0xae\n RIP: 0033:0x7f16ba83918e\n  \u003c/TASK\u003e\n\nThis patch tries to fix it by holding clcsock_release_lock and\nchecking whether clcsock has already been released before access.\n\nIn case that a crash of the same reason happens in smc_getsockopt()\nor smc_switch_to_fallback(), this patch also checkes smc-\u003eclcsock\nin them too. And the caller of smc_switch_to_fallback() will identify\nwhether fallback succeeds according to the return value.",
  "id": "GHSA-j385-2ppr-7766",
  "modified": "2024-06-20T12:31:22Z",
  "published": "2024-06-20T12:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48751"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/38f0bdd548fd2ef5d481b88d8a2bfef968452e34"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4284225cd8001e134f5cf533a7cd244bbb654d0f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c0bf3d8a943b6f2e912b7c1de03e2ef28e76f760"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.