CVE-2022-49667
Published: 26 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved:

net: bonding: fix use-after-free after 802.3ad slave unbind

commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection") resolved the case when there are several aggregation groups in the same bond. bond_3ad_unbind_slave will invalidate (clear) the aggregator when __agg_active_ports returns zero. So, ad_clear_agg can be executed even when num_of_ports != 0. Then bond_3ad_unbind_slave can be executed again for the previously cleared aggregator. NOTE: at this time bond_3ad_unbind_slave will not update the slave ports list, because lag_ports == NULL. So, here we get slave ports pointing to freed aggregator memory.

Fix by checking the actual number of ports in the group (as was done before commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection")), before ad_clear_agg().

The KASAN logs are as follows:

[ 767.617392] ==================================================================
[ 767.630776] BUG: KASAN: use-after-free in bond_3ad_state_machine_handler+0x13dc/0x1470
[ 767.638764] Read of size 2 at addr ffff00011ba9d430 by task kworker/u8:7/767
[ 767.647361] CPU: 3 PID: 767 Comm: kworker/u8:7 Tainted: G O 5.15.11 #15
[ 767.655329] Hardware name: DNI AmazonGo1 A7040 board (DT)
[ 767.660760] Workqueue: lacp_1 bond_3ad_state_machine_handler
[ 767.666468] Call trace:
[ 767.668930] dump_backtrace+0x0/0x2d0
[ 767.672625] show_stack+0x24/0x30
[ 767.675965] dump_stack_lvl+0x68/0x84
[ 767.679659] print_address_description.constprop.0+0x74/0x2b8
[ 767.685451] kasan_report+0x1f0/0x260
[ 767.689148] __asan_load2+0x94/0xd0
[ 767.692667] bond_3ad_state_machine_handler+0x13dc/0x1470
Security Summary
CVE-2022-49667 is a use-after-free vulnerability in the Linux kernel's bonding driver, specifically affecting the 802.3ad (LACP) mode. The issue arises during slave unbind operations when multiple aggregation groups exist within the same bond. A prior commit intended to fix aggregator reselection inadvertently allowed the aggregator to be cleared as soon as none of its ports was active, even while ports were still linked to it (num_of_ports != 0); a later unbind then finds the already cleared aggregator (lag_ports == NULL) and does not update the port list. The result is slave ports that still reference freed aggregator memory, which KASAN reports as a use-after-free read in bond_3ad_state_machine_handler. The vulnerability carries a CVSS v3.1 base score of 7.8 and is classified under CWE-416 (Use After Free).
The CVSS vector (AV:L/AC:L/PR:L) describes a local attacker with low privileges and low attack complexity. The faulting read happens in a kernel workqueue (lacp_1 in the report) while the 802.3ad state machine runs, so an attacker who can manipulate bond interfaces in 802.3ad mode could potentially trigger the use-after-free. Successful exploitation could lead to high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H), such as kernel memory corruption, denial of service via crashes, or potential privilege escalation.
Mitigation involves applying stable kernel patches referenced in the CVE, including commits such as 050133e1aa2cb49bb17be847d48a4431598ef562, 2765749def4765c5052a4c66445cf4c96fcccdbc, 63b2fe509f69b90168a75e04e14573dccf7984e6, 893825289ba840afd86bfffcb6f7f363c73efff8, and a853b7a3a9fd1d74a4ccdd9cd73512b7dace2f1e. These patches restore checks for the actual number of ports in the group before calling ad_clear_agg(), preventing premature aggregator invalidation and subsequent use-after-free. Systems running affected kernel versions, such as 5.15.11, should update to incorporate these fixes.
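The following is an added, deliberately simplified model of the unbind logic the commit message and the summary above describe; it is not kernel code and the structures are hypothetical reductions (the names mirror the bonding driver's, but the real struct layouts, locking and list handling are omitted). It contrasts the two conditions for clearing an aggregator: "no active port left" (the condition the commit message says led to the bug) versus "no port left at all" (the restored check), and counts how many ports end up pointing at a cleared aggregator. A "cleared" flag stands in for freed memory so the model stays well-defined instead of actually dereferencing freed memory.

```c
/* Added example: simplified model of 802.3ad aggregator unbind, not kernel code. */
#include <stddef.h>
#include <stdio.h>

struct port;

struct aggregator {
    int num_of_ports;          /* ports currently linked into lag_ports */
    struct port *lag_ports;    /* singly linked list of member ports */
    int cleared;               /* model flag standing in for "memory freed" */
};

struct port {
    struct aggregator *aggregator;        /* group this port believes it belongs to */
    int active;                           /* counted by the __agg_active_ports model */
    struct port *next_port_in_aggregator;
};

/* Model of __agg_active_ports: how many linked ports are active. */
static int agg_active_ports(const struct aggregator *agg) {
    int n = 0;
    for (const struct port *p = agg->lag_ports; p; p = p->next_port_in_aggregator)
        if (p->active) n++;
    return n;
}

/* Model of ad_clear_agg: invalidate the aggregator; member ports are not touched. */
static void clear_agg(struct aggregator *agg) {
    agg->lag_ports = NULL;
    agg->num_of_ports = 0;
    agg->cleared = 1;
}

/* Unlink one port from its aggregator. fixed == 0: clear the aggregator whenever
 * no active port remains (buggy condition). fixed != 0: clear it only when
 * num_of_ports reaches zero (the restored check). */
static void unbind_port(struct port *port, int fixed) {
    struct aggregator *agg = port->aggregator;
    if (!agg || agg->cleared) {
        /* lag_ports == NULL on a cleared aggregator: the port list is not updated,
         * so the port keeps its stale aggregator pointer. */
        return;
    }
    struct port **pp = &agg->lag_ports;
    while (*pp && *pp != port)
        pp = &(*pp)->next_port_in_aggregator;
    if (*pp) {
        *pp = port->next_port_in_aggregator;
        agg->num_of_ports--;
    }
    port->next_port_in_aggregator = NULL;
    port->aggregator = NULL;

    int empty = fixed ? (agg->num_of_ports == 0) : (agg_active_ports(agg) == 0);
    if (empty)
        clear_agg(agg);
}

/* Scenario (constructed): one group with two linked ports, only the first active.
 * Both are unbound in turn; return how many ports still point at a cleared group. */
static int dangling_ports_after_unbind(int fixed) {
    struct aggregator agg = {0};
    struct port p1 = { &agg, 1, NULL };   /* active port */
    struct port p2 = { &agg, 0, NULL };   /* linked but not active */
    agg.lag_ports = &p1;
    p1.next_port_in_aggregator = &p2;
    agg.num_of_ports = 2;

    unbind_port(&p1, fixed);   /* buggy: active count hits 0 -> group cleared with p2 still linked */
    unbind_port(&p2, fixed);   /* buggy: group already cleared -> p2 is never unlinked */

    int dangling = 0;
    struct port *ports[] = { &p1, &p2 };
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++)
        if (ports[i]->aggregator && ports[i]->aggregator->cleared)
            dangling++;
    return dangling;
}

int main(void) {
    printf("active-port check : %d port(s) left pointing at a cleared aggregator\n",
           dangling_ports_after_unbind(0));
    printf("num_of_ports check: %d port(s) left pointing at a cleared aggregator\n",
           dangling_ports_after_unbind(1));
    return 0;
}
```

With the active-port condition the second port is left holding a pointer to an aggregator that was already cleared, which is the stale reference the KASAN report shows being read in the state machine; with the num_of_ports condition the group is cleared only once the last port has been unlinked, so no stale pointer survives.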
Details
- CWE(s)