Bug 2156322 (CVE-2022-4744)

Summary: CVE-2022-4744 kernel: tun: avoid double free in tun_free_netdev
Product: [Other] Security Response Reporter: Alex <allarkin>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aadam, acaringi, allarkin, arachman, atenart, bhu, chwhite, crwood, dbohanno, ddepaula, debarbos, dfreiber, dhoward, dvlasenk, ezulian, hkrzesin, jarod, jasowang, jburrell, jdenham, jfaracco, jferlan, jforbes, jlelli, jmaloy, joe.lawrence, jpoimboe, jshortt, jstancek, juneau, jwyatt, kcarcia, kernel-mgr, kpatch-maint, kzhang, ldoskova, lgoncalv, lleshchi, lveyde, lvivier, lzampier, mcascell, michal.skrivanek, mleitner, mperina, nmurray, ptalbert, qzhao, rhandlin, rogbas, rrobaina, rvrbovsk, rysulliv, sbonazzo, scweaver, security-response-team, sukulkar, tyberry, vkumar, walters, wcosta, williams, wmealing, ycote, zhilli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 5.16-rc7 Doc Type: If docs needed, set a value
Doc Text:
A double-free flaw was found in the Linux kernel’s TUN/TAP device driver functionality in how a user registers the device when the register_netdevice function fails (NETDEV_REGISTER notifier). This flaw allows a local user to crash or potentially escalate their privileges on the system.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-03-27 12:32:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2156361, 2156362, 2156363, 2156364, 2156365, 2156366, 2156367, 2156368, 2156369, 2156370, 2156371, 2156372, 2156373, 2156374, 2156375, 2156376, 2156377, 2156378, 2156379, 2156380, 2156381, 2156382, 2156383, 2157845, 2160021, 2180939, 2186506    
Bug Blocks: 2156315    

Description Alex 2022-12-26 12:16:05 UTC 
A flaw in the Linux Kernel found. If patch 158b515f703e ("tun: avoid double free in tun_free_netdev") not applied, then user can call register_netdevice() to fail that can lead to double free. One way to make a NETDEV_REGISTER notifier fail is to create a device with name "default" or "all", which will be vetoed by devinet_sysctl_register() because sysctl_dev_name_is_allowed() detects that the name is a reserved entry name in /proc/sys/net/ipv4/conf/.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=158b515f703e
Comment 33 Alex 2023-03-22 17:13:14 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2180939]
Comment 34 Justin M. Forbes 2023-03-24 16:28:25 UTC 
This was fixed for Fedora with the 5.15.12 stable kernel updates.
Comment 35 errata-xmlrpc 2023-03-27 08:04:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1467 https://access.redhat.com/errata/RHSA-2023:1467
Comment 36 errata-xmlrpc 2023-03-27 08:11:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1469 https://access.redhat.com/errata/RHSA-2023:1469
Comment 37 errata-xmlrpc 2023-03-27 08:12:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1471 https://access.redhat.com/errata/RHSA-2023:1471
Comment 38 errata-xmlrpc 2023-03-27 08:15:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1466 https://access.redhat.com/errata/RHSA-2023:1466
Comment 39 errata-xmlrpc 2023-03-27 08:29:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1470 https://access.redhat.com/errata/RHSA-2023:1470
Comment 40 errata-xmlrpc 2023-03-27 08:34:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1468 https://access.redhat.com/errata/RHSA-2023:1468
Comment 41 Product Security DevOps Team 2023-03-27 12:32:50 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-4744
Comment 54 errata-xmlrpc 2023-11-14 15:14:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6901 https://access.redhat.com/errata/RHSA-2023:6901
Comment 55 errata-xmlrpc 2023-11-14 15:20:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7077 https://access.redhat.com/errata/RHSA-2023:7077
Comment 59 errata-xmlrpc 2024-03-19 17:27:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1404 https://access.redhat.com/errata/RHSA-2024:1404