nvd-json-data-feeds/CVE-2022/CVE-2022-490xx/CVE-2022-49063.json

{
  "id": "CVE-2022-49063",
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "published": "2025-02-26T07:00:43.547",
  "lastModified": "2025-02-26T07:00:43.547",
  "vulnStatus": "Received",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: arfs: fix use-after-free when freeing @rx_cpu_rmap\n\nThe CI testing bots triggered the following splat:\n\n[  718.203054] BUG: KASAN: use-after-free in free_irq_cpu_rmap+0x53/0x80\n[  718.206349] Read of size 4 at addr ffff8881bd127e00 by task sh/20834\n[  718.212852] CPU: 28 PID: 20834 Comm: sh Kdump: loaded Tainted: G S      W IOE     5.17.0-rc8_nextqueue-devqueue-02643-g23f3121aca93 #1\n[  718.219695] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0012.070720200218 07/07/2020\n[  718.223418] Call Trace:\n[  718.227139]\n[  718.230783]  dump_stack_lvl+0x33/0x42\n[  718.234431]  print_address_description.constprop.9+0x21/0x170\n[  718.238177]  ? free_irq_cpu_rmap+0x53/0x80\n[  718.241885]  ? free_irq_cpu_rmap+0x53/0x80\n[  718.245539]  kasan_report.cold.18+0x7f/0x11b\n[  718.249197]  ? free_irq_cpu_rmap+0x53/0x80\n[  718.252852]  free_irq_cpu_rmap+0x53/0x80\n[  718.256471]  ice_free_cpu_rx_rmap.part.11+0x37/0x50 [ice]\n[  718.260174]  ice_remove_arfs+0x5f/0x70 [ice]\n[  718.263810]  ice_rebuild_arfs+0x3b/0x70 [ice]\n[  718.267419]  ice_rebuild+0x39c/0xb60 [ice]\n[  718.270974]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20\n[  718.274472]  ? ice_init_phy_user_cfg+0x360/0x360 [ice]\n[  718.278033]  ? delay_tsc+0x4a/0xb0\n[  718.281513]  ? preempt_count_sub+0x14/0xc0\n[  718.284984]  ? delay_tsc+0x8f/0xb0\n[  718.288463]  ice_do_reset+0x92/0xf0 [ice]\n[  718.292014]  ice_pci_err_resume+0x91/0xf0 [ice]\n[  718.295561]  pci_reset_function+0x53/0x80\n<...>\n[  718.393035] Allocated by task 690:\n[  718.433497] Freed by task 20834:\n[  718.495688] Last potentially related work creation:\n[  718.568966] The buggy address belongs to the object at ffff8881bd127e00\n                which belongs to the cache kmalloc-96 of size 96\n[  718.574085] The buggy address is located 0 bytes inside of\n                96-byte region [ffff8881bd127e00, ffff8881bd127e60)\n[  718.579265] The buggy address belongs to the page:\n[  718.598905] Memory state around the buggy address:\n[  718.601809]  ffff8881bd127d00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n[  718.604796]  ffff8881bd127d80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc\n[  718.607794] >ffff8881bd127e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n[  718.610811]                    ^\n[  718.613819]  ffff8881bd127e80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc\n[  718.617107]  ffff8881bd127f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n\nThis is due to that free_irq_cpu_rmap() is always being called\n*after* (devm_)free_irq() and thus it tries to work with IRQ descs\nalready freed. For example, on device reset the driver frees the\nrmap right before allocating a new one (the splat above).\nMake rmap creation and freeing function symmetrical with\n{request,free}_irq() calls i.e. do that on ifup/ifdown instead\nof device probe/remove/resume. These operations can be performed\nindependently from the actual device aRFS configuration.\nAlso, make sure ice_vsi_free_irq() clears IRQ affinity notifiers\nonly when aRFS is disabled -- otherwise, CPU rmap sets and clears\nits own and they must not be touched manually."
    }
  ],
  "metrics": {},
  "references": [
    {
      "url": "https://git.kernel.org/stable/c/d08d2fb6d99d82da1c63aba5c0d1c6f237e150f3",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/d7442f512b71fc63a99c8a801422dde4fbbf9f93",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    }
  ]
}
Auto-Update: 2025-02-26T19:00:22.362560+00:00 2025-02-26 19:03:52 +00:00			`{`
			`"id": "CVE-2022-49063",`
			`"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",`
			`"published": "2025-02-26T07:00:43.547",`
			`"lastModified": "2025-02-26T07:00:43.547",`
			`"vulnStatus": "Received",`
			`"cveTags": [],`
			`"descriptions": [`
			`{`
			`"lang": "en",`
			"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: arfs: fix use-after-free when freeing @rx_cpu_rmap\n\nThe CI testing bots triggered the following splat:\n\n[ 718.203054] BUG: KASAN: use-after-free in free_irq_cpu_rmap+0x53/0x80\n[ 718.206349] Read of size 4 at addr ffff8881bd127e00 by task sh/20834\n[ 718.212852] CPU: 28 PID: 20834 Comm: sh Kdump: loaded Tainted: G S W IOE 5.17.0-rc8_nextqueue-devqueue-02643-g23f3121aca93 #1\n[ 718.219695] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0012.070720200218 07/07/2020\n[ 718.223418] Call Trace:\n[ 718.227139]\n[ 718.230783] dump_stack_lvl+0x33/0x42\n[ 718.234431] print_address_description.constprop.9+0x21/0x170\n[ 718.238177] ? free_irq_cpu_rmap+0x53/0x80\n[ 718.241885] ? free_irq_cpu_rmap+0x53/0x80\n[ 718.245539] kasan_report.cold.18+0x7f/0x11b\n[ 718.249197] ? free_irq_cpu_rmap+0x53/0x80\n[ 718.252852] free_irq_cpu_rmap+0x53/0x80\n[ 718.256471] ice_free_cpu_rx_rmap.part.11+0x37/0x50 [ice]\n[ 718.260174] ice_remove_arfs+0x5f/0x70 [ice]\n[ 718.263810] ice_rebuild_arfs+0x3b/0x70 [ice]\n[ 718.267419] ice_rebuild+0x39c/0xb60 [ice]\n[ 718.270974] ? asm_sysvec_apic_timer_interrupt+0x12/0x20\n[ 718.274472] ? ice_init_phy_user_cfg+0x360/0x360 [ice]\n[ 718.278033] ? delay_tsc+0x4a/0xb0\n[ 718.281513] ? preempt_count_sub+0x14/0xc0\n[ 718.284984] ? delay_tsc+0x8f/0xb0\n[ 718.288463] ice_do_reset+0x92/0xf0 [ice]\n[ 718.292014] ice_pci_err_resume+0x91/0xf0 [ice]\n[ 718.295561] pci_reset_function+0x53/0x80\n<...>\n[ 718.393035] Allocated by task 690:\n[ 718.433497] Freed by task 20834:\n[ 718.495688] Last potentially related work creation:\n[ 718.568966] The buggy address belongs to the object at ffff8881bd127e00\n which belongs to the cache kmalloc-96 of size 96\n[ 718.574085] The buggy address is located 0 bytes inside of\n 96-byte region [ffff8881bd127e00, ffff8881bd127e60)\n[ 718.579265] The buggy address belongs to the page:\n[ 718.598905] Memory state around the buggy address:\n[ 718.601809] ffff8881bd127d00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n[ 718.604796] ffff8881bd127d80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc\n[ 718.607794] >ffff8881bd127e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n[ 718.610811] ^\n[ 718.613819] ffff8881bd127e80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc\n[ 718.617107] ffff8881bd127f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n\nThis is due to that free_irq_cpu_rmap() is always being called\nafter (devm_)free_irq() and thus it tries to work with IRQ descs\nalready freed. For example, on device reset the driver frees the\nrmap right before allocating a new one (the splat above).\nMake rmap creation and freeing function symmetrical with\n{request,free}_irq() calls i.e. do that on ifup/ifdown instead\nof device probe/remove/resume. These operations can be performed\nindependently from the actual device aRFS configuration.\nAlso, make sure ice_vsi_free_irq() clears IRQ affinity notifiers\nonly when aRFS is disabled -- otherwise, CPU rmap sets and clears\nits own and they must not be touched manually."
			`}`
			`],`
			`"metrics": {},`
			`"references": [`
			`{`
			`"url": "https://git.kernel.org/stable/c/d08d2fb6d99d82da1c63aba5c0d1c6f237e150f3",`
			`"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"`
			`},`
			`{`
			`"url": "https://git.kernel.org/stable/c/d7442f512b71fc63a99c8a801422dde4fbbf9f93",`
			`"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"`
			`}`
			`]`
			`}`