{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-48865", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-07-16T11:38:08.920Z", "datePublished": "2024-07-16T12:25:27.843Z", "dateUpdated": "2025-05-04T08:25:05.214Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:25:05.214Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix kernel panic when enabling bearer\n\nWhen enabling a bearer on a node, a kernel panic is observed:\n\n[    4.498085] RIP: 0010:tipc_mon_prep+0x4e/0x130 [tipc]\n...\n[    4.520030] Call Trace:\n[    4.520689]  <IRQ>\n[    4.521236]  tipc_link_build_proto_msg+0x375/0x750 [tipc]\n[    4.522654]  tipc_link_build_state_msg+0x48/0xc0 [tipc]\n[    4.524034]  __tipc_node_link_up+0xd7/0x290 [tipc]\n[    4.525292]  tipc_rcv+0x5da/0x730 [tipc]\n[    4.526346]  ? __netif_receive_skb_core+0xb7/0xfc0\n[    4.527601]  tipc_l2_rcv_msg+0x5e/0x90 [tipc]\n[    4.528737]  __netif_receive_skb_list_core+0x20b/0x260\n[    4.530068]  netif_receive_skb_list_internal+0x1bf/0x2e0\n[    4.531450]  ? dev_gro_receive+0x4c2/0x680\n[    4.532512]  napi_complete_done+0x6f/0x180\n[    4.533570]  virtnet_poll+0x29c/0x42e [virtio_net]\n...\n\nThe node in question is receiving activate messages in another\nthread after changing bearer status to allow message sending/\nreceiving in current thread:\n\n         thread 1           |              thread 2\n         --------           |              --------\n                            |\ntipc_enable_bearer()        |\n  test_and_set_bit_lock()   |\n    tipc_bearer_xmit_skb()  |\n                            | tipc_l2_rcv_msg()\n                            |   tipc_rcv()\n                            |     __tipc_node_link_up()\n                            |       tipc_link_build_state_msg()\n                            |         tipc_link_build_proto_msg()\n                            |           tipc_mon_prep()\n                            |           {\n                            |             ...\n                            |             // null-pointer dereference\n                            |             u16 gen = mon->dom_gen;\n                            |             ...\n                            |           }\n  // Not being executed yet |\n  tipc_mon_create()         |\n  {                         |\n    ...                     |\n    // allocate             |\n    mon = kzalloc();        |\n    ...                     |\n  }                         |\n\nMonitoring pointer in thread 2 is dereferenced before monitoring data\nis allocated in thread 1. This causes kernel panic.\n\nThis commit fixes it by allocating the monitoring data before enabling\nthe bearer to receive messages."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/tipc/bearer.c"], "versions": [{"version": "35c55c9877f8de0ab129fa1a309271d0ecc868b9", "lessThan": "2de76d37d4a6dca9b96ea51da24d4290e6cfa1a5", "status": "affected", "versionType": "git"}, {"version": "35c55c9877f8de0ab129fa1a309271d0ecc868b9", "lessThan": "f96dc3adb9a97b8f3dfdb88796483491a3006b71", "status": "affected", "versionType": "git"}, {"version": "35c55c9877f8de0ab129fa1a309271d0ecc868b9", "lessThan": "f4f59fdbc748805b08c13dae14c01f0518c77c94", "status": "affected", "versionType": "git"}, {"version": "35c55c9877f8de0ab129fa1a309271d0ecc868b9", "lessThan": "be4977b847f5d5cedb64d50eaaf2218c3a55a3a3", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["net/tipc/bearer.c"], "versions": [{"version": "4.8", "status": "affected"}, {"version": "0", "lessThan": "4.8", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.106", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.29", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.16.15", "lessThanOrEqual": "5.16.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.17", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "5.10.106"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "5.15.29"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "5.16.15"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.8", "versionEndExcluding": "5.17"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2de76d37d4a6dca9b96ea51da24d4290e6cfa1a5"}, {"url": "https://git.kernel.org/stable/c/f96dc3adb9a97b8f3dfdb88796483491a3006b71"}, {"url": "https://git.kernel.org/stable/c/f4f59fdbc748805b08c13dae14c01f0518c77c94"}, {"url": "https://git.kernel.org/stable/c/be4977b847f5d5cedb64d50eaaf2218c3a55a3a3"}], "title": "tipc: fix kernel panic when enabling bearer", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T15:25:01.624Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/2de76d37d4a6dca9b96ea51da24d4290e6cfa1a5", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/f96dc3adb9a97b8f3dfdb88796483491a3006b71", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/f4f59fdbc748805b08c13dae14c01f0518c77c94", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/be4977b847f5d5cedb64d50eaaf2218c3a55a3a3", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48865", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:25:18.991470Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:34:06.982Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/2de76d37d4a6dca9b96ea51da24d4290e6cfa1a5", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/f96dc3adb9a97b8f3dfdb88796483491a3006b71", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/f4f59fdbc748805b08c13dae14c01f0518c77c94", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/be4977b847f5d5cedb64d50eaaf2218c3a55a3a3", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T15:25:01.624Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48865", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T16:25:18.991470Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:20.746Z"}}], "cna": {"title": "tipc: fix kernel panic when enabling bearer", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "35c55c9877f8de0ab129fa1a309271d0ecc868b9", "lessThan": "2de76d37d4a6dca9b96ea51da24d4290e6cfa1a5", "versionType": "git"}, {"status": "affected", "version": "35c55c9877f8de0ab129fa1a309271d0ecc868b9", "lessThan": "f96dc3adb9a97b8f3dfdb88796483491a3006b71", "versionType": "git"}, {"status": "affected", "version": "35c55c9877f8de0ab129fa1a309271d0ecc868b9", "lessThan": "f4f59fdbc748805b08c13dae14c01f0518c77c94", "versionType": "git"}, {"status": "affected", "version": "35c55c9877f8de0ab129fa1a309271d0ecc868b9", "lessThan": "be4977b847f5d5cedb64d50eaaf2218c3a55a3a3", "versionType": "git"}], "programFiles": ["net/tipc/bearer.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "4.8"}, {"status": "unaffected", "version": "0", "lessThan": "4.8", "versionType": "semver"}, {"status": "unaffected", "version": "5.10.106", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.29", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "5.16.15", "versionType": "semver", "lessThanOrEqual": "5.16.*"}, {"status": "unaffected", "version": "5.17", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["net/tipc/bearer.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/2de76d37d4a6dca9b96ea51da24d4290e6cfa1a5"}, {"url": "https://git.kernel.org/stable/c/f96dc3adb9a97b8f3dfdb88796483491a3006b71"}, {"url": "https://git.kernel.org/stable/c/f4f59fdbc748805b08c13dae14c01f0518c77c94"}, {"url": "https://git.kernel.org/stable/c/be4977b847f5d5cedb64d50eaaf2218c3a55a3a3"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix kernel panic when enabling bearer\n\nWhen enabling a bearer on a node, a kernel panic is observed:\n\n[    4.498085] RIP: 0010:tipc_mon_prep+0x4e/0x130 [tipc]\n...\n[    4.520030] Call Trace:\n[    4.520689]  <IRQ>\n[    4.521236]  tipc_link_build_proto_msg+0x375/0x750 [tipc]\n[    4.522654]  tipc_link_build_state_msg+0x48/0xc0 [tipc]\n[    4.524034]  __tipc_node_link_up+0xd7/0x290 [tipc]\n[    4.525292]  tipc_rcv+0x5da/0x730 [tipc]\n[    4.526346]  ? __netif_receive_skb_core+0xb7/0xfc0\n[    4.527601]  tipc_l2_rcv_msg+0x5e/0x90 [tipc]\n[    4.528737]  __netif_receive_skb_list_core+0x20b/0x260\n[    4.530068]  netif_receive_skb_list_internal+0x1bf/0x2e0\n[    4.531450]  ? dev_gro_receive+0x4c2/0x680\n[    4.532512]  napi_complete_done+0x6f/0x180\n[    4.533570]  virtnet_poll+0x29c/0x42e [virtio_net]\n...\n\nThe node in question is receiving activate messages in another\nthread after changing bearer status to allow message sending/\nreceiving in current thread:\n\n         thread 1           |              thread 2\n         --------           |              --------\n                            |\ntipc_enable_bearer()        |\n  test_and_set_bit_lock()   |\n    tipc_bearer_xmit_skb()  |\n                            | tipc_l2_rcv_msg()\n                            |   tipc_rcv()\n                            |     __tipc_node_link_up()\n                            |       tipc_link_build_state_msg()\n                            |         tipc_link_build_proto_msg()\n                            |           tipc_mon_prep()\n                            |           {\n                            |             ...\n                            |             // null-pointer dereference\n                            |             u16 gen = mon->dom_gen;\n                            |             ...\n                            |           }\n  // Not being executed yet |\n  tipc_mon_create()         |\n  {                         |\n    ...                     |\n    // allocate             |\n    mon = kzalloc();        |\n    ...                     |\n  }                         |\n\nMonitoring pointer in thread 2 is dereferenced before monitoring data\nis allocated in thread 1. This causes kernel panic.\n\nThis commit fixes it by allocating the monitoring data before enabling\nthe bearer to receive messages."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.10.106", "versionStartIncluding": "4.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.15.29", "versionStartIncluding": "4.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.16.15", "versionStartIncluding": "4.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.17", "versionStartIncluding": "4.8"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:25:05.214Z"}}}, "cveMetadata": {"cveId": "CVE-2022-48865", "state": "PUBLISHED", "dateUpdated": "2025-05-04T08:25:05.214Z", "dateReserved": "2024-07-16T11:38:08.920Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-07-16T12:25:27.843Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C7A6C6FB-2FA7-4B00-A0BF-8F39B0227EFC", "versionEndExcluding": "5.10.106", "versionStartIncluding": "4.8", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "15DC6588-B28F-4637-9A1E-3753B34A40CF", "versionEndExcluding": "5.15.29", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "83FDEDF2-0E19-4879-91FD-171E66D1B335", "versionEndExcluding": "5.16.15", "versionStartIncluding": "5.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix kernel panic when enabling bearer\n\nWhen enabling a bearer on a node, a kernel panic is observed:\n\n[    4.498085] RIP: 0010:tipc_mon_prep+0x4e/0x130 [tipc]\n...\n[    4.520030] Call Trace:\n[    4.520689]  <IRQ>\n[    4.521236]  tipc_link_build_proto_msg+0x375/0x750 [tipc]\n[    4.522654]  tipc_link_build_state_msg+0x48/0xc0 [tipc]\n[    4.524034]  __tipc_node_link_up+0xd7/0x290 [tipc]\n[    4.525292]  tipc_rcv+0x5da/0x730 [tipc]\n[    4.526346]  ? __netif_receive_skb_core+0xb7/0xfc0\n[    4.527601]  tipc_l2_rcv_msg+0x5e/0x90 [tipc]\n[    4.528737]  __netif_receive_skb_list_core+0x20b/0x260\n[    4.530068]  netif_receive_skb_list_internal+0x1bf/0x2e0\n[    4.531450]  ? dev_gro_receive+0x4c2/0x680\n[    4.532512]  napi_complete_done+0x6f/0x180\n[    4.533570]  virtnet_poll+0x29c/0x42e [virtio_net]\n...\n\nThe node in question is receiving activate messages in another\nthread after changing bearer status to allow message sending/\nreceiving in current thread:\n\n         thread 1           |              thread 2\n         --------           |              --------\n                            |\ntipc_enable_bearer()        |\n  test_and_set_bit_lock()   |\n    tipc_bearer_xmit_skb()  |\n                            | tipc_l2_rcv_msg()\n                            |   tipc_rcv()\n                            |     __tipc_node_link_up()\n                            |       tipc_link_build_state_msg()\n                            |         tipc_link_build_proto_msg()\n                            |           tipc_mon_prep()\n                            |           {\n                            |             ...\n                            |             // null-pointer dereference\n                            |             u16 gen = mon->dom_gen;\n                            |             ...\n                            |           }\n  // Not being executed yet |\n  tipc_mon_create()         |\n  {                         |\n    ...                     |\n    // allocate             |\n    mon = kzalloc();        |\n    ...                     |\n  }                         |\n\nMonitoring pointer in thread 2 is dereferenced before monitoring data\nis allocated in thread 1. This causes kernel panic.\n\nThis commit fixes it by allocating the monitoring data before enabling\nthe bearer to receive messages."}, {"lang": "es", "value": "En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: tipc: corrige el p\u00e1nico del kernel al habilitar el portador Al habilitar un portador en un nodo, se observa un p\u00e1nico del kernel: [4.498085] RIP: 0010:tipc_mon_prep+0x4e/0x130 [tipc]. .. [ 4.520030] Seguimiento de llamadas: [ 4.520689]  [ 4.521236] tipc_link_build_proto_msg+0x375/0x750 [tipc] [ 4.522654] tipc_link_build_state_msg+0x48/0xc0 [tipc] [ 4.524034] c_node_link_up+0xd7/0x290 [tipc] [4.525292] tipc_rcv+0x5da/0x730 [tipc] [4.526346]? __netif_receive_skb_core+0xb7/0xfc0 [ 4.527601] tipc_l2_rcv_msg+0x5e/0x90 [tipc] [ 4.528737] __netif_receive_skb_list_core+0x20b/0x260 [ 4.530068] externo+0x1bf/0x2e0 [ 4.531450] ? dev_gro_receive+0x4c2/0x680 [ 4.532512] napi_complete_done+0x6f/0x180 [ 4.533570] virtnet_poll+0x29c/0x42e [virtio_net] ... El nodo en cuesti\u00f3n est\u00e1 recibiendo mensajes de activaci\u00f3n en otro hilo despu\u00e9s de cambiar el estado del portador para permitir el env\u00edo/recepci\u00f3n de mensajes en el actual hilo: hilo 1 | hilo 2 -------- | -------- | tipc_enable_bearer() | test_and_set_bit_lock() | tipc_bearer_xmit_skb() | | tipc_l2_rcv_msg() | tipc_rcv() | __tipc_node_link_up() | tipc_link_build_state_msg() | tipc_link_build_proto_msg() | tipc_mon_prep() | { | ... | // desreferencia del puntero nulo | u16 gen = mon-&gt;dom_gen; | ... | } // A\u00fan no se est\u00e1 ejecutando | tipc_mon_create() | { | ... | // asignar | lunes = kzalloc(); | ... | } | Se elimina la referencia al puntero de monitoreo en el subproceso 2 antes de que los datos de monitoreo se asignen en el subproceso 1. Esto provoca p\u00e1nico en el kernel. Esta confirmaci\u00f3n lo soluciona asignando los datos de monitoreo antes de permitir que el portador reciba mensajes."}], "id": "CVE-2022-48865", "lastModified": "2024-11-21T07:34:14.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-07-16T13:15:13.300", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2de76d37d4a6dca9b96ea51da24d4290e6cfa1a5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/be4977b847f5d5cedb64d50eaaf2218c3a55a3a3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f4f59fdbc748805b08c13dae14c01f0518c77c94"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f96dc3adb9a97b8f3dfdb88796483491a3006b71"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2de76d37d4a6dca9b96ea51da24d4290e6cfa1a5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/be4977b847f5d5cedb64d50eaaf2218c3a55a3a3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f4f59fdbc748805b08c13dae14c01f0518c77c94"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f96dc3adb9a97b8f3dfdb88796483491a3006b71"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: tipc: fix kernel panic when enabling bearer", "id": "2298209", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2298209"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-362", "details": ["In the Linux kernel, the following vulnerability has been resolved:\ntipc: fix kernel panic when enabling bearer\nWhen enabling a bearer on a node, a kernel panic is observed:\n[    4.498085] RIP: 0010:tipc_mon_prep+0x4e/0x130 [tipc]\n...\n[    4.520030] Call Trace:\n[    4.520689]  <IRQ>\n[    4.521236]  tipc_link_build_proto_msg+0x375/0x750 [tipc]\n[    4.522654]  tipc_link_build_state_msg+0x48/0xc0 [tipc]\n[    4.524034]  __tipc_node_link_up+0xd7/0x290 [tipc]\n[    4.525292]  tipc_rcv+0x5da/0x730 [tipc]\n[    4.526346]  ? __netif_receive_skb_core+0xb7/0xfc0\n[    4.527601]  tipc_l2_rcv_msg+0x5e/0x90 [tipc]\n[    4.528737]  __netif_receive_skb_list_core+0x20b/0x260\n[    4.530068]  netif_receive_skb_list_internal+0x1bf/0x2e0\n[    4.531450]  ? dev_gro_receive+0x4c2/0x680\n[    4.532512]  napi_complete_done+0x6f/0x180\n[    4.533570]  virtnet_poll+0x29c/0x42e [virtio_net]\n...\nThe node in question is receiving activate messages in another\nthread after changing bearer status to allow message sending/\nreceiving in current thread:\nthread 1           |              thread 2\n--------           |              --------\n|\ntipc_enable_bearer()        |\ntest_and_set_bit_lock()   |\ntipc_bearer_xmit_skb()  |\n| tipc_l2_rcv_msg()\n|   tipc_rcv()\n|     __tipc_node_link_up()\n|       tipc_link_build_state_msg()\n|         tipc_link_build_proto_msg()\n|           tipc_mon_prep()\n|           {\n|             ...\n|             // null-pointer dereference\n|             u16 gen = mon->dom_gen;\n|             ...\n|           }\n// Not being executed yet |\ntipc_mon_create()         |\n{                         |\n...                     |\n// allocate             |\nmon = kzalloc();        |\n...                     |\n}                         |\nMonitoring pointer in thread 2 is dereferenced before monitoring data\nis allocated in thread 1. This causes kernel panic.\nThis commit fixes it by allocating the monitoring data before enabling\nthe bearer to receive messages.", "A vulnerability was found in the tipc_mon_prep function in the Linux kernel's TIPC driver. This issue occurs when enabling a bearer on a node, leading to a kernel panic due to a null pointer dereference caused by monitoring data being accessed before it is allocated."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2022-48865", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-07-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-48865\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-48865\nhttps://lore.kernel.org/linux-cve-announce/2024071629-CVE-2022-48865-bd8b@gregkh/T"], "threat_severity": "Moderate"}