Bug 2142371 (CVE-2022-3977) - CVE-2022-3977 kernel: use-after-free bug in mctp_sk_unhash in net/mctp/af_mctp.c
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2022-3977
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2134114
Reported: 2022-11-13 13:34 UTC by Alex
Modified: 2023-01-09 18:49 UTC

Fixed In Version: Linux kernel 6.1-rc1
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the Linux kernel MCTP (Management Component Transport Protocol) functionality. This issue occurs when a DROPTAG ioctl call and a socket close happen simultaneously, which could allow a local user to crash the system or potentially escalate their privileges on the system.
Clone Of:
Environment:
Last Closed: 2022-12-04 13:03:53 UTC



Description Alex 2022-11-13 13:34:49 UTC
A use-after-free flaw was found in the Linux kernel MCTP (Management Component Transport Protocol) implementation.
Starting from kernel version 5.18.0, after commit 63ed1aab3d40aa61aaa66819bdce9377ac7f40fa that introduces the ioctls SIOCMCTPALLOCTAG and SIOCMCTPDROPTAG (DROPTAGS), there is a bug in the mctp_sk_unhash function. The reason for the bug is that a simultaneous DROPTAG ioctl and socket close may lead to a race condition.

Reference:
https://seclists.org/oss-sec/2022/q4/36

Comment 3 Product Security DevOps Team 2022-12-04 13:03:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3977

