CVE-2022-49087
Published: 26 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved: rxrpc: fix a race in rxrpc_exit_net() Current code can lead to the following race: CPU0 CPU1 rxrpc_exit_net() rxrpc_peer_keepalive_worker() if (rxnet->live) rxnet->live = false; del_timer_sync(&rxnet->peer_keepalive_timer); timer_reduce(&rxnet->peer_keepalive_timer, jiffies + delay); cancel_work_sync(&rxnet->peer_keepalive_work); rxrpc_exit_net() exits while peer_keepalive_timer is still armed, leading to use-after-free. syzbot report was: ODEBUG: free active (active state 0) object type: timer_list hint: rxrpc_peer_keepalive_timeout+0x0/0xb0 WARNING: CPU: 0 PID: 3660 at lib/debugobjects.c:505 debug_print_object+0x16e/0x250 lib/debugobjects.c:505 Modules linked in: CPU: 0 PID: 3660 Comm: kworker/u4:6 Not tainted 5.17.0-syzkaller-13993-g88e6c0207623 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net RIP: 0010:debug_print_object+0x16e/0x250 lib/debugobjects.c:505 Code: ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 af 00 00 00 48 8b 14 dd 00 1c 26 8a 4c 89 ee 48 c7 c7 00 10 26 8a e8 b1 e7 28 05 <0f> 0b 83 05 15 eb c5 09 01 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e c3 RSP: 0018:ffffc9000353fb00 EFLAGS: 00010082 RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000 RDX: ffff888029196140 RSI: ffffffff815efad8 RDI: fffff520006a7f52 RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff815ea4ae R11: 0000000000000000 R12: ffffffff89ce23e0 R13: ffffffff8a2614e0 R14: ffffffff816628c0 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fe1f2908924 CR3: 0000000043720000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __debug_check_no_obj_freed lib/debugobjects.c:992 [inline] debug_check_no_obj_freed+0x301/0x420 lib/debugobjects.c:1023 kfree+0xd6/0x310 mm/slab.c:3809 ops_free_list.part.0+0x119/0x370 net/core/net_namespace.c:176 ops_free_list net/core/net_namespace.c:174 [inline] cleanup_net+0x591/0xb00 net/core/net_namespace.c:598 process_one_work+0x996/0x1610 kernel/workqueue.c:2289 worker_thread+0x665/0x1080 kernel/workqueue.c:2436 kthread+0x2e9/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298 </TASK>
Security Summary
CVE-2022-49087 is a race condition vulnerability in the Linux kernel's RxRPC implementation, specifically within the rxrpc_exit_net() function. The issue arises when rxrpc_exit_net() sets rxnet->live to false, deletes the peer_keepalive_timer using del_timer_sync(), and cancels the peer_keepalive_work using cancel_work_sync(). Concurrently, the rxrpc_peer_keepalive_worker() can check rxnet->live while it is still true and subsequently arm the timer via timer_reduce() after del_timer_sync() completes, resulting in the timer remaining active. This leads to a use-after-free of the timer_list object during network namespace cleanup, as reported by syzbot with an ODEBUG warning on kernel 5.17.0.
A local attacker with low privileges (PR:L) can exploit this vulnerability given low attack complexity (AC:L) and no user interaction (UI:N), achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) with an overall CVSS v3.1 score of 7.8. The use-after-free occurs in the context of netns cleanup, potentially allowing arbitrary code execution, privilege escalation, or system denial of service through manipulation of the racing timer and workqueue operations in RxRPC peer keepalive handling.
Mitigation involves applying upstream kernel patches from the referenced stable commits, such as 08ff0e74fab517dbc44e11b8bc683dd4ecc65950, 1946014ca3b19be9e485e780e862c375c6f98bad, 41024a40f6c793abbb916a857f18fb009f07464c, 571d8e1d154ca18f08dcb72b69318d36e10010a0, and 7ee84d29f22de6f6c63fad6c54690517659862f1, available at git.kernel.org. These commits resolve the race by ensuring proper synchronization during RxRPC network exit.
Details
- CWE(s)