CVE-2022-48954 (GCVE-0-2022-48954)

Vulnerability from cvelistv5 – Published: 2024-10-21 20:05 – Updated: 2025-05-04 08:26
VLAI?
Title
s390/qeth: fix use-after-free in hsci
Summary
In the Linux kernel, the following vulnerability has been resolved: s390/qeth: fix use-after-free in hsci KASAN found that addr was dereferenced after br2dev_event_work was freed. ================================================================== BUG: KASAN: use-after-free in qeth_l2_br2dev_worker+0x5ba/0x6b0 Read of size 1 at addr 00000000fdcea440 by task kworker/u760:4/540 CPU: 17 PID: 540 Comm: kworker/u760:4 Tainted: G E 6.1.0-20221128.rc7.git1.5aa3bed4ce83.300.fc36.s390x+kasan #1 Hardware name: IBM 8561 T01 703 (LPAR) Workqueue: 0.0.8000_event qeth_l2_br2dev_worker Call Trace: [<000000016944d4ce>] dump_stack_lvl+0xc6/0xf8 [<000000016942cd9c>] print_address_description.constprop.0+0x34/0x2a0 [<000000016942d118>] print_report+0x110/0x1f8 [<0000000167a7bd04>] kasan_report+0xfc/0x128 [<000000016938d79a>] qeth_l2_br2dev_worker+0x5ba/0x6b0 [<00000001673edd1e>] process_one_work+0x76e/0x1128 [<00000001673ee85c>] worker_thread+0x184/0x1098 [<000000016740718a>] kthread+0x26a/0x310 [<00000001672c606a>] __ret_from_fork+0x8a/0xe8 [<00000001694711da>] ret_from_fork+0xa/0x40 Allocated by task 108338: kasan_save_stack+0x40/0x68 kasan_set_track+0x36/0x48 __kasan_kmalloc+0xa0/0xc0 qeth_l2_switchdev_event+0x25a/0x738 atomic_notifier_call_chain+0x9c/0xf8 br_switchdev_fdb_notify+0xf4/0x110 fdb_notify+0x122/0x180 fdb_add_entry.constprop.0.isra.0+0x312/0x558 br_fdb_add+0x59e/0x858 rtnl_fdb_add+0x58a/0x928 rtnetlink_rcv_msg+0x5f8/0x8d8 netlink_rcv_skb+0x1f2/0x408 netlink_unicast+0x570/0x790 netlink_sendmsg+0x752/0xbe0 sock_sendmsg+0xca/0x110 ____sys_sendmsg+0x510/0x6a8 ___sys_sendmsg+0x12a/0x180 __sys_sendmsg+0xe6/0x168 __do_sys_socketcall+0x3c8/0x468 do_syscall+0x22c/0x328 __do_syscall+0x94/0xf0 system_call+0x82/0xb0 Freed by task 540: kasan_save_stack+0x40/0x68 kasan_set_track+0x36/0x48 kasan_save_free_info+0x4c/0x68 ____kasan_slab_free+0x14e/0x1a8 __kasan_slab_free+0x24/0x30 __kmem_cache_free+0x168/0x338 qeth_l2_br2dev_worker+0x154/0x6b0 process_one_work+0x76e/0x1128 worker_thread+0x184/0x1098 kthread+0x26a/0x310 __ret_from_fork+0x8a/0xe8 ret_from_fork+0xa/0x40 Last potentially related work creation: kasan_save_stack+0x40/0x68 __kasan_record_aux_stack+0xbe/0xd0 insert_work+0x56/0x2e8 __queue_work+0x4ce/0xd10 queue_work_on+0xf4/0x100 qeth_l2_switchdev_event+0x520/0x738 atomic_notifier_call_chain+0x9c/0xf8 br_switchdev_fdb_notify+0xf4/0x110 fdb_notify+0x122/0x180 fdb_add_entry.constprop.0.isra.0+0x312/0x558 br_fdb_add+0x59e/0x858 rtnl_fdb_add+0x58a/0x928 rtnetlink_rcv_msg+0x5f8/0x8d8 netlink_rcv_skb+0x1f2/0x408 netlink_unicast+0x570/0x790 netlink_sendmsg+0x752/0xbe0 sock_sendmsg+0xca/0x110 ____sys_sendmsg+0x510/0x6a8 ___sys_sendmsg+0x12a/0x180 __sys_sendmsg+0xe6/0x168 __do_sys_socketcall+0x3c8/0x468 do_syscall+0x22c/0x328 __do_syscall+0x94/0xf0 system_call+0x82/0xb0 Second to last potentially related work creation: kasan_save_stack+0x40/0x68 __kasan_record_aux_stack+0xbe/0xd0 kvfree_call_rcu+0xb2/0x760 kernfs_unlink_open_file+0x348/0x430 kernfs_fop_release+0xc2/0x320 __fput+0x1ae/0x768 task_work_run+0x1bc/0x298 exit_to_user_mode_prepare+0x1a0/0x1a8 __do_syscall+0x94/0xf0 system_call+0x82/0xb0 The buggy address belongs to the object at 00000000fdcea400 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 64 bytes inside of 96-byte region [00000000fdcea400, 00000000fdcea460) The buggy address belongs to the physical page: page:000000005a9c26e8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xfdcea flags: 0x3ffff00000000200(slab|node=0|zone=1|lastcpupid=0x1ffff) raw: 3ffff00000000200 0000000000000000 0000000100000122 000000008008cc00 raw: 0000000000000000 0020004100000000 ffffffff00000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: 00000000fdcea300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc 00000000fdcea380: fb fb fb fb fb fb f ---truncated---
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: f7936b7b2663c99a096a5c432ba96ab1e91a6c0f , < db6343a5b0d9661f2dd76f653c6d274d38234d2b (git)
Affected: f7936b7b2663c99a096a5c432ba96ab1e91a6c0f , < bde0dfc7c4569406a6ddeec363d04a1df7b3073f (git)
Affected: f7936b7b2663c99a096a5c432ba96ab1e91a6c0f , < ebaaadc332cd21e9df4dcf9ce12552d9354bbbe4 (git)
Create a notification for this product.
    Linux Linux Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 5.15.83 , ≤ 5.15.* (semver)
Unaffected: 6.0.13 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-48954",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T13:21:15.283243Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T13:28:40.195Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/s390/net/qeth_l2_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "db6343a5b0d9661f2dd76f653c6d274d38234d2b",
              "status": "affected",
              "version": "f7936b7b2663c99a096a5c432ba96ab1e91a6c0f",
              "versionType": "git"
            },
            {
              "lessThan": "bde0dfc7c4569406a6ddeec363d04a1df7b3073f",
              "status": "affected",
              "version": "f7936b7b2663c99a096a5c432ba96ab1e91a6c0f",
              "versionType": "git"
            },
            {
              "lessThan": "ebaaadc332cd21e9df4dcf9ce12552d9354bbbe4",
              "status": "affected",
              "version": "f7936b7b2663c99a096a5c432ba96ab1e91a6c0f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/s390/net/qeth_l2_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.83",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.13",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/qeth: fix use-after-free in hsci\n\nKASAN found that addr was dereferenced after br2dev_event_work was freed.\n\n==================================================================\nBUG: KASAN: use-after-free in qeth_l2_br2dev_worker+0x5ba/0x6b0\nRead of size 1 at addr 00000000fdcea440 by task kworker/u760:4/540\nCPU: 17 PID: 540 Comm: kworker/u760:4 Tainted: G            E      6.1.0-20221128.rc7.git1.5aa3bed4ce83.300.fc36.s390x+kasan #1\nHardware name: IBM 8561 T01 703 (LPAR)\nWorkqueue: 0.0.8000_event qeth_l2_br2dev_worker\nCall Trace:\n [\u003c000000016944d4ce\u003e] dump_stack_lvl+0xc6/0xf8\n [\u003c000000016942cd9c\u003e] print_address_description.constprop.0+0x34/0x2a0\n [\u003c000000016942d118\u003e] print_report+0x110/0x1f8\n [\u003c0000000167a7bd04\u003e] kasan_report+0xfc/0x128\n [\u003c000000016938d79a\u003e] qeth_l2_br2dev_worker+0x5ba/0x6b0\n [\u003c00000001673edd1e\u003e] process_one_work+0x76e/0x1128\n [\u003c00000001673ee85c\u003e] worker_thread+0x184/0x1098\n [\u003c000000016740718a\u003e] kthread+0x26a/0x310\n [\u003c00000001672c606a\u003e] __ret_from_fork+0x8a/0xe8\n [\u003c00000001694711da\u003e] ret_from_fork+0xa/0x40\nAllocated by task 108338:\n kasan_save_stack+0x40/0x68\n kasan_set_track+0x36/0x48\n __kasan_kmalloc+0xa0/0xc0\n qeth_l2_switchdev_event+0x25a/0x738\n atomic_notifier_call_chain+0x9c/0xf8\n br_switchdev_fdb_notify+0xf4/0x110\n fdb_notify+0x122/0x180\n fdb_add_entry.constprop.0.isra.0+0x312/0x558\n br_fdb_add+0x59e/0x858\n rtnl_fdb_add+0x58a/0x928\n rtnetlink_rcv_msg+0x5f8/0x8d8\n netlink_rcv_skb+0x1f2/0x408\n netlink_unicast+0x570/0x790\n netlink_sendmsg+0x752/0xbe0\n sock_sendmsg+0xca/0x110\n ____sys_sendmsg+0x510/0x6a8\n ___sys_sendmsg+0x12a/0x180\n __sys_sendmsg+0xe6/0x168\n __do_sys_socketcall+0x3c8/0x468\n do_syscall+0x22c/0x328\n __do_syscall+0x94/0xf0\n system_call+0x82/0xb0\nFreed by task 540:\n kasan_save_stack+0x40/0x68\n kasan_set_track+0x36/0x48\n kasan_save_free_info+0x4c/0x68\n ____kasan_slab_free+0x14e/0x1a8\n __kasan_slab_free+0x24/0x30\n __kmem_cache_free+0x168/0x338\n qeth_l2_br2dev_worker+0x154/0x6b0\n process_one_work+0x76e/0x1128\n worker_thread+0x184/0x1098\n kthread+0x26a/0x310\n __ret_from_fork+0x8a/0xe8\n ret_from_fork+0xa/0x40\nLast potentially related work creation:\n kasan_save_stack+0x40/0x68\n __kasan_record_aux_stack+0xbe/0xd0\n insert_work+0x56/0x2e8\n __queue_work+0x4ce/0xd10\n queue_work_on+0xf4/0x100\n qeth_l2_switchdev_event+0x520/0x738\n atomic_notifier_call_chain+0x9c/0xf8\n br_switchdev_fdb_notify+0xf4/0x110\n fdb_notify+0x122/0x180\n fdb_add_entry.constprop.0.isra.0+0x312/0x558\n br_fdb_add+0x59e/0x858\n rtnl_fdb_add+0x58a/0x928\n rtnetlink_rcv_msg+0x5f8/0x8d8\n netlink_rcv_skb+0x1f2/0x408\n netlink_unicast+0x570/0x790\n netlink_sendmsg+0x752/0xbe0\n sock_sendmsg+0xca/0x110\n ____sys_sendmsg+0x510/0x6a8\n ___sys_sendmsg+0x12a/0x180\n __sys_sendmsg+0xe6/0x168\n __do_sys_socketcall+0x3c8/0x468\n do_syscall+0x22c/0x328\n __do_syscall+0x94/0xf0\n system_call+0x82/0xb0\nSecond to last potentially related work creation:\n kasan_save_stack+0x40/0x68\n __kasan_record_aux_stack+0xbe/0xd0\n kvfree_call_rcu+0xb2/0x760\n kernfs_unlink_open_file+0x348/0x430\n kernfs_fop_release+0xc2/0x320\n __fput+0x1ae/0x768\n task_work_run+0x1bc/0x298\n exit_to_user_mode_prepare+0x1a0/0x1a8\n __do_syscall+0x94/0xf0\n system_call+0x82/0xb0\nThe buggy address belongs to the object at 00000000fdcea400\n which belongs to the cache kmalloc-96 of size 96\nThe buggy address is located 64 bytes inside of\n 96-byte region [00000000fdcea400, 00000000fdcea460)\nThe buggy address belongs to the physical page:\npage:000000005a9c26e8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xfdcea\nflags: 0x3ffff00000000200(slab|node=0|zone=1|lastcpupid=0x1ffff)\nraw: 3ffff00000000200 0000000000000000 0000000100000122 000000008008cc00\nraw: 0000000000000000 0020004100000000 ffffffff00000001 0000000000000000\npage dumped because: kasan: bad access detected\nMemory state around the buggy address:\n 00000000fdcea300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n 00000000fdcea380: fb fb fb fb fb fb f\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:26:51.141Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/db6343a5b0d9661f2dd76f653c6d274d38234d2b"
        },
        {
          "url": "https://git.kernel.org/stable/c/bde0dfc7c4569406a6ddeec363d04a1df7b3073f"
        },
        {
          "url": "https://git.kernel.org/stable/c/ebaaadc332cd21e9df4dcf9ce12552d9354bbbe4"
        }
      ],
      "title": "s390/qeth: fix use-after-free in hsci",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-48954",
    "datePublished": "2024-10-21T20:05:41.057Z",
    "dateReserved": "2024-08-22T01:27:53.627Z",
    "dateUpdated": "2025-05-04T08:26:51.141Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-48954\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-22T13:21:15.283243Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-22T13:21:18.302Z\"}}], \"cna\": {\"title\": \"s390/qeth: fix use-after-free in hsci\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"f7936b7b2663c99a096a5c432ba96ab1e91a6c0f\", \"lessThan\": \"db6343a5b0d9661f2dd76f653c6d274d38234d2b\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f7936b7b2663c99a096a5c432ba96ab1e91a6c0f\", \"lessThan\": \"bde0dfc7c4569406a6ddeec363d04a1df7b3073f\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"f7936b7b2663c99a096a5c432ba96ab1e91a6c0f\", \"lessThan\": \"ebaaadc332cd21e9df4dcf9ce12552d9354bbbe4\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/s390/net/qeth_l2_main.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.15\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"5.15\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.15.83\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.0.13\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.0.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/s390/net/qeth_l2_main.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/db6343a5b0d9661f2dd76f653c6d274d38234d2b\"}, {\"url\": \"https://git.kernel.org/stable/c/bde0dfc7c4569406a6ddeec363d04a1df7b3073f\"}, {\"url\": \"https://git.kernel.org/stable/c/ebaaadc332cd21e9df4dcf9ce12552d9354bbbe4\"}], \"x_generator\": {\"engine\": \"bippy-5f407fcff5a0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ns390/qeth: fix use-after-free in hsci\\n\\nKASAN found that addr was dereferenced after br2dev_event_work was freed.\\n\\n==================================================================\\nBUG: KASAN: use-after-free in qeth_l2_br2dev_worker+0x5ba/0x6b0\\nRead of size 1 at addr 00000000fdcea440 by task kworker/u760:4/540\\nCPU: 17 PID: 540 Comm: kworker/u760:4 Tainted: G            E      6.1.0-20221128.rc7.git1.5aa3bed4ce83.300.fc36.s390x+kasan #1\\nHardware name: IBM 8561 T01 703 (LPAR)\\nWorkqueue: 0.0.8000_event qeth_l2_br2dev_worker\\nCall Trace:\\n [\u003c000000016944d4ce\u003e] dump_stack_lvl+0xc6/0xf8\\n [\u003c000000016942cd9c\u003e] print_address_description.constprop.0+0x34/0x2a0\\n [\u003c000000016942d118\u003e] print_report+0x110/0x1f8\\n [\u003c0000000167a7bd04\u003e] kasan_report+0xfc/0x128\\n [\u003c000000016938d79a\u003e] qeth_l2_br2dev_worker+0x5ba/0x6b0\\n [\u003c00000001673edd1e\u003e] process_one_work+0x76e/0x1128\\n [\u003c00000001673ee85c\u003e] worker_thread+0x184/0x1098\\n [\u003c000000016740718a\u003e] kthread+0x26a/0x310\\n [\u003c00000001672c606a\u003e] __ret_from_fork+0x8a/0xe8\\n [\u003c00000001694711da\u003e] ret_from_fork+0xa/0x40\\nAllocated by task 108338:\\n kasan_save_stack+0x40/0x68\\n kasan_set_track+0x36/0x48\\n __kasan_kmalloc+0xa0/0xc0\\n qeth_l2_switchdev_event+0x25a/0x738\\n atomic_notifier_call_chain+0x9c/0xf8\\n br_switchdev_fdb_notify+0xf4/0x110\\n fdb_notify+0x122/0x180\\n fdb_add_entry.constprop.0.isra.0+0x312/0x558\\n br_fdb_add+0x59e/0x858\\n rtnl_fdb_add+0x58a/0x928\\n rtnetlink_rcv_msg+0x5f8/0x8d8\\n netlink_rcv_skb+0x1f2/0x408\\n netlink_unicast+0x570/0x790\\n netlink_sendmsg+0x752/0xbe0\\n sock_sendmsg+0xca/0x110\\n ____sys_sendmsg+0x510/0x6a8\\n ___sys_sendmsg+0x12a/0x180\\n __sys_sendmsg+0xe6/0x168\\n __do_sys_socketcall+0x3c8/0x468\\n do_syscall+0x22c/0x328\\n __do_syscall+0x94/0xf0\\n system_call+0x82/0xb0\\nFreed by task 540:\\n kasan_save_stack+0x40/0x68\\n kasan_set_track+0x36/0x48\\n kasan_save_free_info+0x4c/0x68\\n ____kasan_slab_free+0x14e/0x1a8\\n __kasan_slab_free+0x24/0x30\\n __kmem_cache_free+0x168/0x338\\n qeth_l2_br2dev_worker+0x154/0x6b0\\n process_one_work+0x76e/0x1128\\n worker_thread+0x184/0x1098\\n kthread+0x26a/0x310\\n __ret_from_fork+0x8a/0xe8\\n ret_from_fork+0xa/0x40\\nLast potentially related work creation:\\n kasan_save_stack+0x40/0x68\\n __kasan_record_aux_stack+0xbe/0xd0\\n insert_work+0x56/0x2e8\\n __queue_work+0x4ce/0xd10\\n queue_work_on+0xf4/0x100\\n qeth_l2_switchdev_event+0x520/0x738\\n atomic_notifier_call_chain+0x9c/0xf8\\n br_switchdev_fdb_notify+0xf4/0x110\\n fdb_notify+0x122/0x180\\n fdb_add_entry.constprop.0.isra.0+0x312/0x558\\n br_fdb_add+0x59e/0x858\\n rtnl_fdb_add+0x58a/0x928\\n rtnetlink_rcv_msg+0x5f8/0x8d8\\n netlink_rcv_skb+0x1f2/0x408\\n netlink_unicast+0x570/0x790\\n netlink_sendmsg+0x752/0xbe0\\n sock_sendmsg+0xca/0x110\\n ____sys_sendmsg+0x510/0x6a8\\n ___sys_sendmsg+0x12a/0x180\\n __sys_sendmsg+0xe6/0x168\\n __do_sys_socketcall+0x3c8/0x468\\n do_syscall+0x22c/0x328\\n __do_syscall+0x94/0xf0\\n system_call+0x82/0xb0\\nSecond to last potentially related work creation:\\n kasan_save_stack+0x40/0x68\\n __kasan_record_aux_stack+0xbe/0xd0\\n kvfree_call_rcu+0xb2/0x760\\n kernfs_unlink_open_file+0x348/0x430\\n kernfs_fop_release+0xc2/0x320\\n __fput+0x1ae/0x768\\n task_work_run+0x1bc/0x298\\n exit_to_user_mode_prepare+0x1a0/0x1a8\\n __do_syscall+0x94/0xf0\\n system_call+0x82/0xb0\\nThe buggy address belongs to the object at 00000000fdcea400\\n which belongs to the cache kmalloc-96 of size 96\\nThe buggy address is located 64 bytes inside of\\n 96-byte region [00000000fdcea400, 00000000fdcea460)\\nThe buggy address belongs to the physical page:\\npage:000000005a9c26e8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xfdcea\\nflags: 0x3ffff00000000200(slab|node=0|zone=1|lastcpupid=0x1ffff)\\nraw: 3ffff00000000200 0000000000000000 0000000100000122 000000008008cc00\\nraw: 0000000000000000 0020004100000000 ffffffff00000001 0000000000000000\\npage dumped because: kasan: bad access detected\\nMemory state around the buggy address:\\n 00000000fdcea300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\\n 00000000fdcea380: fb fb fb fb fb fb f\\n---truncated---\"}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2024-12-19T08:11:11.649Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-48954\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-19T08:11:11.649Z\", \"dateReserved\": \"2024-08-22T01:27:53.627Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-10-21T20:05:41.057Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.