Cyber Posture

CVE-2022-49063

High

Published: 26 February 2025

Published
26 February 2025
Modified
18 November 2025
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 4.3th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

In the Linux kernel, the following vulnerability has been resolved: ice: arfs: fix use-after-free when freeing @rx_cpu_rmap The CI testing bots triggered the following splat: [ 718.203054] BUG: KASAN: use-after-free in free_irq_cpu_rmap+0x53/0x80 [ 718.206349] Read of size 4 at addr ffff8881bd127e00 by task sh/20834 [ 718.212852] CPU: 28 PID: 20834 Comm: sh Kdump: loaded Tainted: G S W IOE 5.17.0-rc8_nextqueue-devqueue-02643-g23f3121aca93 #1 [ 718.219695] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0012.070720200218 07/07/2020 [ 718.223418] Call Trace: [ 718.227139] [ 718.230783] dump_stack_lvl+0x33/0x42 [ 718.234431] print_address_description.constprop.9+0x21/0x170 [ 718.238177] ? free_irq_cpu_rmap+0x53/0x80 [ 718.241885] ? free_irq_cpu_rmap+0x53/0x80 [ 718.245539] kasan_report.cold.18+0x7f/0x11b [ 718.249197] ? free_irq_cpu_rmap+0x53/0x80 [ 718.252852] free_irq_cpu_rmap+0x53/0x80 [ 718.256471] ice_free_cpu_rx_rmap.part.11+0x37/0x50 [ice] [ 718.260174] ice_remove_arfs+0x5f/0x70 [ice] [ 718.263810] ice_rebuild_arfs+0x3b/0x70 [ice] [ 718.267419] ice_rebuild+0x39c/0xb60 [ice] [ 718.270974] ? asm_sysvec_apic_timer_interrupt+0x12/0x20 [ 718.274472] ? ice_init_phy_user_cfg+0x360/0x360 [ice] [ 718.278033] ? delay_tsc+0x4a/0xb0 [ 718.281513] ? preempt_count_sub+0x14/0xc0 [ 718.284984] ? delay_tsc+0x8f/0xb0 [ 718.288463] ice_do_reset+0x92/0xf0 [ice] [ 718.292014] ice_pci_err_resume+0x91/0xf0 [ice] [ 718.295561] pci_reset_function+0x53/0x80 <...> [ 718.393035] Allocated by task 690: [ 718.433497] Freed by task 20834: [ 718.495688] Last potentially related work creation: [ 718.568966] The buggy address belongs to the object at ffff8881bd127e00 which belongs to the cache kmalloc-96 of size 96 [ 718.574085] The buggy address is located 0 bytes inside of 96-byte region [ffff8881bd127e00, ffff8881bd127e60) [ 718.579265] The buggy address belongs to the page: [ 718.598905] Memory state around the buggy address: [ 718.601809] ffff8881bd127d00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 718.604796] ffff8881bd127d80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc [ 718.607794] >ffff8881bd127e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [ 718.610811] ^ [ 718.613819] ffff8881bd127e80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [ 718.617107] ffff8881bd127f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc This is due to that free_irq_cpu_rmap() is always being called *after* (devm_)free_irq() and thus it tries to work with IRQ descs already freed. For example, on device reset the driver frees the rmap right before allocating a new one (the splat above). Make rmap creation and freeing function symmetrical with {request,free}_irq() calls i.e. do that on ifup/ifdown instead of device probe/remove/resume. These operations can be performed independently from the actual device aRFS configuration. Also, make sure ice_vsi_free_irq() clears IRQ affinity notifiers only when aRFS is disabled -- otherwise, CPU rmap sets and clears its own and they must not be touched manually.

Security Summary

CVE-2022-49063 is a use-after-free vulnerability in the Linux kernel's ice driver, specifically in the Accelerated Receive Flow Steering (ARFS) implementation. The issue occurs when freeing the rx_cpu_rmap structure in free_irq_cpu_rmap, as this function is called after (devm_)free_irq, leading to access of already-freed IRQ descriptors. It was detected by KASAN during CI testing on kernel version 5.17.0-rc8, manifesting as a read of size 4 at a freed kmalloc-96 address during device reset scenarios like ice_pci_err_resume.

A local attacker with low privileges can exploit this vulnerability due to its CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, achieving high impacts on confidentiality, integrity, and availability. Exploitation is feasible during driver operations such as device reset or rebuild, where the rmap is freed before a new one is allocated, potentially allowing memory corruption, kernel crashes, or arbitrary code execution through the dangling pointer.

Kernel patches address the issue by symmetrizing rmap creation and freeing with request_irq/free_irq calls, shifting these operations to ifup/ifdown events independent of probe/remove/resume. Additionally, ice_vsi_free_irq clears IRQ affinity notifiers only when ARFS is disabled to avoid conflicts with CPU rmap management. Fixes are available in stable kernel commits such as 618df75f2e30c7838a3e010ca32cd4893ec9fe33, ba2f6ec28733fb6b24ed086e676df3df4c138f3f, d08d2fb6d99d82da1c63aba5c0d1c6f237e150f3, and d7442f512b71fc63a99c8a801422dde4fbbf9f93, with Debian LTS announcements confirming backports.

Details

CWE(s)
CWE-416

Affected Products

linux
linux kernel
5.18 · 5.8 — 5.10.238 · 5.11 — 5.15.184 · 5.16 — 5.17.4
debian
debian linux
11.0

References