Bug 2156322 (CVE-2022-4744) - CVE-2022-4744 kernel: tun: avoid double free in tun_free_netdev
Summary: CVE-2022-4744 kernel: tun: avoid double free in tun_free_netdev
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-4744
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2156361 2156362 2156363 2156364 2156365 2156366 2156367 2156368 2156369 2156370 2156371 2156372 2156373 2156374 2156375 2156376 2156377 2156378 2156379 2156380 2156381 2156382 2156383 2157845 2160021 2180939 2186506
Blocks: 2156315
Reported: 2022-12-26 12:16 UTC by Alex
Modified: 2024-03-19 17:27 UTC

Fixed In Version: kernel 5.16-rc7
Doc Type: If docs needed, set a value
Doc Text:
A double-free flaw was found in the Linux kernel’s TUN/TAP device driver functionality in how a user registers the device when the register_netdevice function fails (NETDEV_REGISTER notifier). This flaw allows a local user to crash or potentially escalate their privileges on the system.
Clone Of:
Environment:
Last Closed: 2023-03-27 12:32:54 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:1531 0 None None None 2023-03-30 08:51:00 UTC
Red Hat Product Errata RHBA-2023:1563 0 None None None 2023-04-04 13:30:30 UTC
Red Hat Product Errata RHBA-2023:7268 0 None None None 2023-11-15 18:25:13 UTC
Red Hat Product Errata RHBA-2023:7328 0 None None None 2023-11-16 11:38:44 UTC
Red Hat Product Errata RHBA-2023:7338 0 None None None 2023-11-16 18:04:03 UTC
Red Hat Product Errata RHBA-2023:7343 0 None None None 2023-11-20 01:58:27 UTC
Red Hat Product Errata RHBA-2023:7346 0 None None None 2023-11-20 09:25:31 UTC
Red Hat Product Errata RHSA-2023:1466 0 None None None 2023-03-27 08:15:45 UTC
Red Hat Product Errata RHSA-2023:1467 0 None None None 2023-03-27 08:04:39 UTC
Red Hat Product Errata RHSA-2023:1468 0 None None None 2023-03-27 08:34:38 UTC
Red Hat Product Errata RHSA-2023:1469 0 None None None 2023-03-27 08:11:16 UTC
Red Hat Product Errata RHSA-2023:1470 0 None None None 2023-03-27 08:29:04 UTC
Red Hat Product Errata RHSA-2023:1471 0 None None None 2023-03-27 08:12:56 UTC
Red Hat Product Errata RHSA-2023:6901 0 None None None 2023-11-14 15:14:49 UTC
Red Hat Product Errata RHSA-2023:7077 0 None None None 2023-11-14 15:20:23 UTC
Red Hat Product Errata RHSA-2024:1404 0 None None None 2024-03-19 17:27:05 UTC

Description Alex 2022-12-26 12:16:05 UTC
A flaw was found in the Linux kernel. If patch 158b515f703e ("tun: avoid double free in tun_free_netdev") is not applied, then a user can call register_netdevice() to fail, which can lead to a double free. One way to make a NETDEV_REGISTER notifier fail is to create a device with the name "default" or "all", which will be vetoed by devinet_sysctl_register() because sysctl_dev_name_is_allowed() detects that the name is a reserved entry name in /proc/sys/net/ipv4/conf/.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=158b515f703e

Comment 33 Alex 2023-03-22 17:13:14 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2180939]

Comment 34 Justin M. Forbes 2023-03-24 16:28:25 UTC
This was fixed for Fedora with the 5.15.12 stable kernel updates.

Comment 35 errata-xmlrpc 2023-03-27 08:04:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1467 https://access.redhat.com/errata/RHSA-2023:1467

Comment 36 errata-xmlrpc 2023-03-27 08:11:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1469 https://access.redhat.com/errata/RHSA-2023:1469

Comment 37 errata-xmlrpc 2023-03-27 08:12:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1471 https://access.redhat.com/errata/RHSA-2023:1471

Comment 38 errata-xmlrpc 2023-03-27 08:15:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1466 https://access.redhat.com/errata/RHSA-2023:1466

Comment 39 errata-xmlrpc 2023-03-27 08:29:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1470 https://access.redhat.com/errata/RHSA-2023:1470

Comment 40 errata-xmlrpc 2023-03-27 08:34:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1468 https://access.redhat.com/errata/RHSA-2023:1468

Comment 41 Product Security DevOps Team 2023-03-27 12:32:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-4744

Comment 54 errata-xmlrpc 2023-11-14 15:14:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6901 https://access.redhat.com/errata/RHSA-2023:6901

Comment 55 errata-xmlrpc 2023-11-14 15:20:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7077 https://access.redhat.com/errata/RHSA-2023:7077

Comment 59 errata-xmlrpc 2024-03-19 17:27:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1404 https://access.redhat.com/errata/RHSA-2024:1404

