CVE-2022-48637

bnxt: prevent skb UAF after handing over to PTP worker

Severity Score

7.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

bnxt: prevent skb UAF after handing over to PTP worker

When reading the timestamp is required bnxt_tx_int() hands
over the ownership of the completed skb to the PTP worker.
The skb should not be used afterwards, as the worker may
run before the rest of our code and free the skb, leading
to a use-after-free.

Since dev_kfree_skb_any() accepts NULL make the loss of
ownership more obvious and set skb to NULL.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bnxt: impide que skb UAF se entregue al trabajador de PTP. Cuando se requiere leer la marca de tiempo, bnxt_tx_int() entrega la propiedad del skb completado al trabajador de PTP. El skb no debe usarse después, ya que el trabajador puede ejecutarse antes que el resto de nuestro código y liberar el skb, lo que lleva a un use-after-free. Dado que dev_kfree_skb_any() acepta NULL, la pérdida de propiedad es más obvia y establece skb en NULL.

*Credits: N/A

CVSS Scores

Red Hatv3.1 7.0

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-02-25 CVE Reserved
2024-04-28 CVE Published
2024-04-29 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (6)

URL	Tag	Source
https://git.kernel.org/stable/c/83bb623c968e7351aee5111547693f95f330dc5a	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/08483e4c0c83b221b8891434a04cec405dee94a6	2022-09-28
https://git.kernel.org/stable/c/32afa1f23e42cc635ccf4c39f24514d03d1e8338	2022-09-28
https://git.kernel.org/stable/c/c31f26c8f69f776759cbbdfb38e40ea91aa0dd65	2022-09-22

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2022-48637	2024-08-13
https://bugzilla.redhat.com/show_bug.cgi?id=2277831	2024-08-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.14 < 5.15.71 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.14 < 5.15.71"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.14 < 5.19.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.14 < 5.19.12"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.14 < 6.0 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.14 < 6.0"		en		Affected