admin/nvd-json-data-feeds
1
0
Fork 0
mirror of https://github.com/fkie-cad/nvd-json-data-feeds.git synced 2025-05-28 17:21:36 +00:00
Code Issues Packages Projects Releases Wiki Activity
nvd-json-data-feeds/CVE-2022/CVE-2022-490xx/CVE-2022-49096.json
cad-safe-bot e78d3f243b Auto-Update: 2025-03-13T23:00:21.542802+00:00
2025-03-13 23:03:50 +00:00

122 lines
9.1 KiB
JSON
Raw Blame History

{
"id": "CVE-2022-49096",
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"published": "2025-02-26T07:00:47.010",
"lastModified": "2025-03-13T21:35:06.293",
"vulnStatus": "Analyzed",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: sfc: add missing xdp queue reinitialization\n\nAfter rx/tx ring buffer size is changed, kernel panic occurs when\nit acts XDP_TX or XDP_REDIRECT.\n\nWhen tx/rx ring buffer size is changed(ethtool -G), sfc driver\nreallocates and reinitializes rx and tx queues and their buffer\n(tx_queue->buffer).\nBut it misses reinitializing xdp queues(efx->xdp_tx_queues).\nSo, while it is acting XDP_TX or XDP_REDIRECT, it uses the uninitialized\ntx_queue->buffer.\n\nA new function efx_set_xdp_channels() is separated from efx_set_channels()\nto handle only xdp queues.\n\nSplat looks like:\n BUG: kernel NULL pointer dereference, address: 000000000000002a\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 0 P4D 0\n Oops: 0002 [#4] PREEMPT SMP NOPTI\n RIP: 0010:efx_tx_map_chunk+0x54/0x90 [sfc]\n CPU: 2 PID: 0 Comm: swapper/2 Tainted: G D 5.17.0+ #55 e8beeee8289528f11357029357cf\n Code: 48 8b 8d a8 01 00 00 48 8d 14 52 4c 8d 2c d0 44 89 e0 48 85 c9 74 0e 44 89 e2 4c 89 f6 48 80\n RSP: 0018:ffff92f121e45c60 EFLAGS: 00010297\n RIP: 0010:efx_tx_map_chunk+0x54/0x90 [sfc]\n RAX: 0000000000000040 RBX: ffff92ea506895c0 RCX: ffffffffc0330870\n RDX: 0000000000000001 RSI: 00000001139b10ce RDI: ffff92ea506895c0\n RBP: ffffffffc0358a80 R08: 00000001139b110d R09: 0000000000000000\n R10: 0000000000000001 R11: ffff92ea414c0088 R12: 0000000000000040\n R13: 0000000000000018 R14: 00000001139b10ce R15: ffff92ea506895c0\n FS: 0000000000000000(0000) GS:ffff92f121ec0000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n Code: 48 8b 8d a8 01 00 00 48 8d 14 52 4c 8d 2c d0 44 89 e0 48 85 c9 74 0e 44 89 e2 4c 89 f6 48 80\n CR2: 000000000000002a CR3: 00000003e6810004 CR4: 00000000007706e0\n RSP: 0018:ffff92f121e85c60 EFLAGS: 00010297\n PKRU: 55555554\n RAX: 0000000000000040 RBX: ffff92ea50689700 RCX: ffffffffc0330870\n RDX: 0000000000000001 RSI: 00000001145a90ce RDI: ffff92ea50689700\n RBP: ffffffffc0358a80 R08: 00000001145a910d R09: 0000000000000000\n R10: 0000000000000001 R11: ffff92ea414c0088 R12: 0000000000000040\n R13: 0000000000000018 R14: 00000001145a90ce R15: ffff92ea50689700\n FS: 0000000000000000(0000) GS:ffff92f121e80000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000000002a CR3: 00000003e6810005 CR4: 00000000007706e0\n PKRU: 55555554\n Call Trace:\n <IRQ>\n efx_xdp_tx_buffers+0x12b/0x3d0 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]\n __efx_rx_packet+0x5c3/0x930 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]\n efx_rx_packet+0x28c/0x2e0 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]\n efx_ef10_ev_process+0x5f8/0xf40 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]\n ? enqueue_task_fair+0x95/0x550\n efx_poll+0xc4/0x360 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]"
},
{
"lang": "es",
"value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: sfc: add missing xdp queue reinitialization Despu\u00e9s de cambiar el tama\u00f1o del b\u00fafer de anillo rx/tx, se produce un p\u00e1nico del kernel cuando act\u00faa XDP_TX o XDP_REDIRECT. Cuando se cambia el tama\u00f1o del b\u00fafer de anillo tx/rx (ethtool -G), el controlador sfc reasigna y reinicializa las colas rx y tx y su b\u00fafer (tx_queue-&gt;buffer). Pero no reinicializa las colas xdp (efx-&gt;xdp_tx_queues). Por lo tanto, mientras act\u00faa XDP_TX o XDP_REDIRECT, utiliza el tx_queue-&gt;buffer no inicializado. Una nueva funci\u00f3n efx_set_xdp_channels() est\u00e1 separada de efx_set_channels() para manejar solo las colas xdp. El problema se parece a esto: ERROR: desreferencia de puntero NULL del kernel, direcci\u00f3n: 000000000000002a #PF: acceso de escritura del supervisor en modo kernel #PF: error_code(0x0002) - p\u00e1gina no presente PGD 0 P4D 0 Oops: 0002 [#4] PREEMPT SMP NOPTI RIP: 0010:efx_tx_map_chunk+0x54/0x90 [sfc] CPU: 2 PID: 0 Comm: swapper/2 Tainted: GD 5.17.0+ #55 e8beeee8289528f11357029357cf C\u00f3digo: 48 8b 8d a8 01 00 00 48 8d 14 52 4c 8d 2c d0 44 89 e0 48 85 c9 74 0e 44 89 e2 4c 89 f6 48 80 RSP: 0018:ffff92f121e45c60 EFLAGS: 00010297 RIP: 0010:efx_tx_map_chunk+0x54/0x90 [sfc] RAX: 000000000000040 RBX: ffff92ea506895c0 RCX: ffffffffc0330870 RDX: 0000000000000001 RSI: 00000001139b10ce RDI: ffff92ea506895c0 RBP: ffffffffc0358a80 R08: 00000001139b110d R09: 00000000000000000 R10: 0000000000000001 R11: ffff92ea414c0088 R12: 0000000000000040 R13: 0000000000000018 R14: 00000001139b10ce R15: ffff92ea506895c0 FS: 0000000000000000(0000) GS:ffff92f121ec0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 C\u00f3digo: 48 8b 8d a8 01 00 00 48 8d 14 52 4c 8d 2c d0 44 89 e0 48 85 c9 74 0e 44 89 e2 4c 89 f6 48 80 CR2: 00000000000002a CR3: 00000003e6810004 CR4: 00000000007706e0 RSP: 0018:ffff92f121e85c60 EFLAGS: 00010297 PKRU: 55555554 RAX: 0000000000000040 RBX: ffff92ea50689700 RCX: ffffffffc0330870 RDX: 0000000000000001 RSI: 00000001145a90ce RDI: ffff92ea50689700 RBP: ffffffffc0358a80 R08: 00000001145a910d R09: 0000000000000000 R10: 000000000000001 R11: ffff92ea414c0088 R12: 0000000000000040 R13: 0000000000000018 R14: 00000001145a90ce R15: ffff92ea50689700 FS: 0000000000000000(0000) GS:ffff92f121e80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000080050033 CR2: 00000000000002a CR3: 00000003e6810005 CR4: 00000000007706e0 PKRU: 55555554 Rastreo de llamadas: efx_xdp_tx_buffers+0x12b/0x3d0 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5] __efx_rx_packet+0x5c3/0x930 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5] efx_rx_packet+0x28c/0x2e0 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5] efx_ef10_ev_process+0x5f8/0xf40 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5] ? enqueue_task_fair+0x95/0x550 efx_poll+0xc4/0x360 [sfc 84c94b8e32d44d296c17e10a634d3ad454de4ba5]"
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"attackVector": "LOCAL",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"availabilityImpact": "HIGH"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6
}
]
},
"weaknesses": [
{
"source": "nvd@nist.gov",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-476"
}
]
}
],
"configurations": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.5",
"versionEndExcluding": "5.15.34",
"matchCriteriaId": "7B5A35FD-7C8E-453A-AA44-947D2252FADB"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.16",
"versionEndExcluding": "5.16.20",
"matchCriteriaId": "ABBBA66E-0244-4621-966B-9790AF1EEB00"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.17",
"versionEndExcluding": "5.17.3",
"matchCriteriaId": "AE420AC7-1E59-4398-B84F-71F4B4337762"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:5.18:rc1:*:*:*:*:*:*",
"matchCriteriaId": "6AD94161-84BB-42E6-9882-4FC0C42E9FC1"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/059a47f1da93811d37533556d67e72f2261b1127",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/b8c46bc358d84701e7f7ffa054037db25f25da0e",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/dcc85e1593686e42c6749ef3d356db34759d59e8",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
},
{
"url": "https://git.kernel.org/stable/c/ed7a824fda8732578d1014fad1f7fb0363705090",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"tags": [
"Patch"
]
}
]
}
Reference in New Issue View Git Blame Copy Permalink