CVE-2022-48784

In the Linux kernel, the following vulnerability has been resolved: cfg80211: fix race in netlink owner interface destruction My previous fix here to fix the deadlock left a race where the exact same deadlock (see the original commit referenced below) can still happen if cfg80211_destroy_ifaces() already runs while nl80211_netlink_notify() is still marking some interfaces as nl_owner_dead. The race happens because we have two loops here - first we dev_close() all the netdevs, and then we destroy them. If we also have two netdevs (first one need only be a wdev though) then we can find one during the first iteration, close it, and go to the second iteration -- but then find two, and try to destroy also the one we didn't close yet. Fix this by only iterating once.

CVSS v3 4.7 MEDIUM

4.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.0 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/241e633cb379c4f332fc1baf2abec95ec840cbeb	Patch
https://git.kernel.org/stable/c/c979f792a2baf6d0f3419587668a1a6eba46a3d2	Patch
https://git.kernel.org/stable/c/f0a6fd1527067da537e9c48390237488719948ed	Patch
https://git.kernel.org/stable/c/241e633cb379c4f332fc1baf2abec95ec840cbeb	Patch
https://git.kernel.org/stable/c/c979f792a2baf6d0f3419587668a1a6eba46a3d2	Patch
https://git.kernel.org/stable/c/f0a6fd1527067da537e9c48390237488719948ed	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:5.17:rc1::::::
	cpe:2.3:o:linux:linux_kernel:5.17:rc2::::::
	cpe:2.3:o:linux:linux_kernel:5.17:rc3::::::
	cpe:2.3:o:linux:linux_kernel:5.17:rc4::::::

History

No history.

Information

Published : 2024-07-16 12:15

Updated : 2025-02-03 15:43

NVD link : CVE-2022-48784

Mitre link : CVE-2022-48784

CVE.ORG link : CVE-2022-48784

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

{"id": "CVE-2022-48784", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.0}]}, "published": "2024-07-16T12:15:03.427", "references": [{"url": "https://git.kernel.org/stable/c/241e633cb379c4f332fc1baf2abec95ec840cbeb", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c979f792a2baf6d0f3419587668a1a6eba46a3d2", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f0a6fd1527067da537e9c48390237488719948ed", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/241e633cb379c4f332fc1baf2abec95ec840cbeb", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/c979f792a2baf6d0f3419587668a1a6eba46a3d2", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/f0a6fd1527067da537e9c48390237488719948ed", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-362"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncfg80211: fix race in netlink owner interface destruction\n\nMy previous fix here to fix the deadlock left a race where\nthe exact same deadlock (see the original commit referenced\nbelow) can still happen if cfg80211_destroy_ifaces() already\nruns while nl80211_netlink_notify() is still marking some\ninterfaces as nl_owner_dead.\n\nThe race happens because we have two loops here - first we\ndev_close() all the netdevs, and then we destroy them. If we\nalso have two netdevs (first one need only be a wdev though)\nthen we can find one during the first iteration, close it,\nand go to the second iteration -- but then find two, and try\nto destroy also the one we didn't close yet.\n\nFix this by only iterating once."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: cfg80211: corrige la ejecuci\u00f3n en la destrucci\u00f3n de la interfaz del propietario de netlink. Mi soluci\u00f3n anterior aqu\u00ed para arreglar el punto muerto dej\u00f3 una ejecuci\u00f3n donde exactamente el mismo punto muerto (consulte la confirmaci\u00f3n original a la que se hace referencia a continuaci\u00f3n) a\u00fan puede ocurrir si cfg80211_destroy_ifaces () ya se ejecuta mientras nl80211_netlink_notify() todav\u00eda marca algunas interfaces como nl_owner_dead. La ejecuci\u00f3n ocurre porque tenemos dos bucles aqu\u00ed: primero dev_close() todos los netdevs y luego los destruimos. Si tambi\u00e9n tenemos dos netdevs (aunque el primero solo necesita ser un wdev), entonces podemos encontrar uno durante la primera iteraci\u00f3n, cerrarlo e ir a la segunda iteraci\u00f3n, pero luego encontrar dos e intentar destruir tambi\u00e9n el que tenemos. A\u00fan no ha cerrado. Solucione este problema iterando solo una vez."}], "lastModified": "2025-02-03T15:43:35.473", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "96C77AE2-CEE4-431F-BED7-9E05F95F5CA1", "versionEndExcluding": "5.15.25", "versionStartIncluding": "5.12.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0D327234-5D4A-43DC-A6DF-BCA0CEBEC039", "versionEndExcluding": "5.16.11", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7BD5F8D9-54FA-4CB0-B4F0-CB0471FDDB2D"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E6E34B23-78B4-4516-9BD8-61B33F4AC49A"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C030FA3D-03F4-4FB9-9DBF-D08E5CAC51AA"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B2D2677C-5389-4AE9-869D-0F881E80D923"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}