Bug 2144379 (CVE-2022-41858) - CVE-2022-41858 kernel: null-ptr-deref vulnerabilities in sl_tx_timeout in drivers/net/slip
Summary: CVE-2022-41858 kernel: null-ptr-deref vulnerabilities in sl_tx_timeout in dri...
Keywords:
Status: NEW
Alias: CVE-2022-41858
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2144390 2144391 2144392 2144393
Blocks: 2144843 2144381
TreeView+ depends on / blocked
 
Reported: 2022-11-21 04:02 UTC by Rohit Keshri
Modified: 2022-12-31 23:35 UTC (History)
51 users (show)

Fixed In Version: kernel 5.18 rc2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel. A NULL pointer dereference may occur while a slip driver is in progress to detach in sl_tx_timeout in drivers/net/slip/slip.c. This issue could allow an attacker to crash the system or leak internal kernel information.
Clone Of:
Environment:
Last Closed:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Rohit Keshri 2022-11-21 04:02:58 UTC 
There are null-ptr-deref vulnerabilities in drivers/net/slip of linux that allow attacker to
crash linux kernel by simulating slip network card from user-space of linux.

------------------------------------------

[Root cause]

When a slip driver is detaching, the slip_close() will act to
cleanup necessary resources and sl->tty is set to NULL in
slip_close(). Meanwhile, the packet we transmit is blocked,
sl_tx_timeout() will be called. Although slip_close() and
sl_tx_timeout() use sl->lock to synchronize, we don`t judge
whether sl->tty equals to NULL in sl_tx_timeout() and the
null pointer dereference bug will happen.

(Thread 1) | (Thread 2)
| slip_close()
| spin_lock_bh(&sl->lock)
| ...
... | sl->tty = NULL //(1)
sl_tx_timeout() | spin_unlock_bh(&sl->lock)
spin_lock(&sl->lock); |
... | ...
tty_chars_in_buffer(sl->tty)|
if (tty->ops->..) //(2) |
... | synchronize_rcu()

We set NULL to sl->tty in position (1) and dereference sl->tty
in position (2).

------------------------------------------
Note You need to log in before you can comment on or make changes to this bug.