Bug 2109926 (CVE-2022-2526) - CVE-2022-2526 systemd-resolved: use-after-free when dealing with DnsStream in resolved-dns-stream.c
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-2526
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2110544 2110545 2110546 2110547 2110548 2110549 2119141 2119142 2123211
Blocks: 2109833 2110206
Reported: 2022-07-22 13:31 UTC by Riccardo Schirone
Modified: 2024-05-20 11:09 UTC

Fixed In Version: systemd 240
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free vulnerability was found in systemd. The on_stream_io() and dns_stream_complete() functions in 'resolved-dns-stream.c' do not increment the reference count of the DnsStream object they operate on. Other functions and callbacks they call can therefore unreference the DnsStream object, causing a use-after-free when the reference is still used later.
Clone Of:
Environment:
Last Closed: 2022-09-03 04:55:48 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:6200 0 None None None 2022-08-29 01:02:36 UTC
Red Hat Product Errata RHBA-2022:6207 0 None None None 2022-08-29 16:19:56 UTC
Red Hat Product Errata RHBA-2022:6208 0 None None None 2022-08-29 16:10:52 UTC
Red Hat Product Errata RHBA-2022:6210 0 None None None 2022-08-29 16:11:47 UTC
Red Hat Product Errata RHBA-2022:6211 0 None None None 2022-08-29 16:13:56 UTC
Red Hat Product Errata RHBA-2022:6212 0 None None None 2022-08-29 16:16:06 UTC
Red Hat Product Errata RHBA-2022:6216 0 None None None 2022-08-30 02:59:37 UTC
Red Hat Product Errata RHBA-2022:6217 0 None None None 2022-08-30 03:08:15 UTC
Red Hat Product Errata RHBA-2022:6218 0 None None None 2022-08-30 03:16:16 UTC
Red Hat Product Errata RHBA-2022:6219 0 None None None 2022-08-30 03:17:00 UTC
Red Hat Product Errata RHBA-2022:6220 0 None None None 2022-08-30 03:25:26 UTC
Red Hat Product Errata RHBA-2022:6221 0 None None None 2022-08-30 03:37:50 UTC
Red Hat Product Errata RHBA-2022:6222 0 None None None 2022-08-30 14:06:44 UTC
Red Hat Product Errata RHBA-2022:6223 0 None None None 2022-08-30 15:11:22 UTC
Red Hat Product Errata RHBA-2022:6225 0 None None None 2022-08-30 16:39:03 UTC
Red Hat Product Errata RHBA-2022:6226 0 None None None 2022-08-30 16:38:06 UTC
Red Hat Product Errata RHBA-2022:6227 0 None None None 2022-08-30 17:04:58 UTC
Red Hat Product Errata RHBA-2022:6228 0 None None None 2022-08-30 17:04:35 UTC
Red Hat Product Errata RHBA-2022:6265 0 None None None 2022-08-31 11:05:17 UTC
Red Hat Product Errata RHBA-2022:6267 0 None None None 2022-08-31 13:27:55 UTC
Red Hat Product Errata RHBA-2022:6280 0 None None None 2022-08-31 18:15:40 UTC
Red Hat Product Errata RHBA-2022:6300 0 None None None 2022-09-01 11:11:39 UTC
Red Hat Product Errata RHBA-2022:6315 0 None None None 2022-09-01 16:49:47 UTC
Red Hat Product Errata RHBA-2022:6325 0 None None None 2022-09-05 08:16:49 UTC
Red Hat Product Errata RHBA-2022:6326 0 None None None 2022-09-05 09:10:24 UTC
Red Hat Product Errata RHBA-2022:6337 0 None None None 2022-09-05 10:52:37 UTC
Red Hat Product Errata RHBA-2022:6342 0 None None None 2022-09-05 15:30:20 UTC
Red Hat Product Errata RHBA-2022:6343 0 None None None 2022-09-06 09:32:33 UTC
Red Hat Product Errata RHBA-2022:6379 0 None None None 2022-09-07 11:18:32 UTC
Red Hat Product Errata RHBA-2022:6380 0 None None None 2022-09-07 11:32:33 UTC
Red Hat Product Errata RHBA-2022:6387 0 None None None 2022-09-08 07:58:34 UTC
Red Hat Product Errata RHBA-2022:6388 0 None None None 2022-09-08 08:38:21 UTC
Red Hat Product Errata RHBA-2022:6395 0 None None None 2022-09-08 13:29:31 UTC
Red Hat Product Errata RHBA-2022:6396 0 None None None 2022-09-08 13:34:16 UTC
Red Hat Product Errata RHBA-2022:6399 0 None None None 2022-09-08 14:50:23 UTC
Red Hat Product Errata RHBA-2022:6400 0 None None None 2022-09-08 16:12:47 UTC
Red Hat Product Errata RHBA-2022:6421 0 None None None 2022-09-12 17:20:58 UTC
Red Hat Product Errata RHBA-2022:6493 0 None None None 2022-09-13 09:01:15 UTC
Red Hat Product Errata RHBA-2022:6509 0 None None None 2022-09-14 00:17:46 UTC
Red Hat Product Errata RHBA-2022:6524 0 None None None 2022-09-14 14:08:48 UTC
Red Hat Product Errata RHBA-2022:6550 0 None None None 2022-09-19 10:30:25 UTC
Red Hat Product Errata RHBA-2022:6636 0 None None None 2022-09-20 18:11:08 UTC
Red Hat Product Errata RHBA-2022:6674 0 None None None 2022-09-21 16:18:55 UTC
Red Hat Product Errata RHBA-2022:6685 0 None None None 2022-09-22 11:44:37 UTC
Red Hat Product Errata RHBA-2022:6688 0 None None None 2022-09-22 13:54:55 UTC
Red Hat Product Errata RHBA-2022:6690 0 None None None 2022-09-22 18:17:57 UTC
Red Hat Product Errata RHBA-2022:6697 0 None None None 2022-09-26 12:32:12 UTC
Red Hat Product Errata RHBA-2022:6719 0 None None None 2022-09-26 16:51:39 UTC
Red Hat Product Errata RHBA-2022:6736 0 None None None 2022-09-28 12:29:03 UTC
Red Hat Product Errata RHBA-2022:6737 0 None None None 2022-09-28 12:58:08 UTC
Red Hat Product Errata RHBA-2022:6745 0 None None None 2022-09-28 16:28:01 UTC
Red Hat Product Errata RHBA-2022:6749 0 None None None 2022-09-29 11:26:08 UTC
Red Hat Product Errata RHBA-2022:6826 0 None None None 2022-10-06 05:11:45 UTC
Red Hat Product Errata RHSA-2022:6160 0 None None None 2022-08-24 17:53:18 UTC
Red Hat Product Errata RHSA-2022:6161 0 None None None 2022-08-24 17:48:09 UTC
Red Hat Product Errata RHSA-2022:6162 0 None None None 2022-08-24 17:00:53 UTC
Red Hat Product Errata RHSA-2022:6163 0 None None None 2022-08-24 16:44:40 UTC
Red Hat Product Errata RHSA-2022:6206 0 None None None 2022-08-29 17:13:45 UTC
Red Hat Product Errata RHSA-2022:6551 0 None None None 2022-09-19 11:50:36 UTC

Description Riccardo Schirone 2022-07-22 13:31:03 UTC
systemd-resolved is susceptible to a Use After Free (UAF) vulnerability in how DNS packets are handled. Functions such as on_stream_io and dns_stream_complete in resolved-dns-stream.c do not increment the reference counting for the DnsStream object they are working on. Other functions and callbacks called there (e.g. on_llmnr_stream_packet) could unreference the DnsStream object, causing a Use After Free when the reference is still used later.

Upstream patch:
https://github.com/systemd/systemd/commit/d973d94dec349fb676fdd844f6fe2ada3538f27c
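
The reference-pinning pattern described above, as an added example that is not part of this bug report or of systemd's code: a toy refcounted `Stream` whose I/O handler takes its own reference before invoking a callback that drops the owner's reference. All names (`Stream`, `handle_io`, `packet_cb_drops_ref`) are hypothetical, and the unpinned path detects the free through a counter instead of touching freed memory.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-in for DnsStream: a refcounted object with a packet callback. */
typedef struct Stream Stream;
struct Stream {
    unsigned n_ref;
    int packets_seen;
    void (*on_packet)(Stream *s);
};

static int streams_freed;               /* lets the demo observe destruction */

static Stream *stream_ref(Stream *s) { s->n_ref++; return s; }
static void stream_unref(Stream *s) {
    if (--s->n_ref == 0) { free(s); streams_freed++; }
}

/* Callback in the role of on_llmnr_stream_packet: it is done with the
 * stream and drops the reference that was keeping it alive. */
static void packet_cb_drops_ref(Stream *s) { stream_unref(s); }

static Stream *stream_new(void) {
    Stream *s = calloc(1, sizeof *s);
    if (!s) abort();
    s->n_ref = 1;                       /* the owner's single reference */
    s->on_packet = packet_cb_drops_ref;
    return s;
}

/* I/O handler in the role of on_stream_io. With pin != 0 it holds its own
 * reference for the duration of the call. Returns 0 if the stream survived
 * the callback, -1 if the callback freed it (where unpinned code would go
 * on to use freed memory). */
static int handle_io(Stream *s, int pin) {
    int freed_before = streams_freed;
    if (pin) stream_ref(s);
    s->on_packet(s);
    if (streams_freed != freed_before)
        return -1;                      /* s is dangling: must not be touched */
    s->packets_seen++;                  /* safe: s is still alive here */
    if (pin) stream_unref(s);           /* drop the pin; s may be freed now */
    return 0;
}

int main(void) {
    int a = handle_io(stream_new(), 0), b = handle_io(stream_new(), 1);
    printf("unpinned=%d pinned=%d freed=%d\n", a, b, streams_freed);
    return 0;
}
```

With the pin held, the stream is destroyed only when the handler releases its own reference, after its last access.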

Comment 7 errata-xmlrpc 2022-08-24 16:44:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:6163 https://access.redhat.com/errata/RHSA-2022:6163

Comment 8 errata-xmlrpc 2022-08-24 17:00:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:6162 https://access.redhat.com/errata/RHSA-2022:6162

Comment 9 errata-xmlrpc 2022-08-24 17:48:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:6161 https://access.redhat.com/errata/RHSA-2022:6161

Comment 10 errata-xmlrpc 2022-08-24 17:53:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:6160 https://access.redhat.com/errata/RHSA-2022:6160

Comment 11 errata-xmlrpc 2022-08-29 17:13:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6206 https://access.redhat.com/errata/RHSA-2022:6206

Comment 12 Sandipan Roy 2022-09-01 04:55:44 UTC
Created systemd tracking bugs for this issue:

Affects: fedora-all [bug 2123211]

Comment 15 Product Security DevOps Team 2022-09-03 04:55:45 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2526

Comment 20 errata-xmlrpc 2022-09-19 11:50:31 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2022:6551 https://access.redhat.com/errata/RHSA-2022:6551

