CVE-2022-48645 in Linux

Summary

by MITRE • 04/28/2024

In the Linux kernel, the following vulnerability has been resolved:

net: enetc: deny offload of tc-based TSN features on VF interfaces

TSN features on the ENETC (taprio, cbs, gate, police) are configured through a mix of command BD ring messages and port registers: enetc_port_rd(), enetc_port_wr().

Port registers are a region of the ENETC memory map which are only accessible from the PCIe Physical Function. They are not accessible from the Virtual Functions.

Moreover, attempting to access these registers crashes the kernel:

  $ echo 1 > /sys/bus/pci/devices/0000\:00\:00.0/sriov_numvfs
  pci 0000:00:01.0: [1957:ef00] type 00 class 0x020001
  fsl_enetc_vf 0000:00:01.0: Adding to iommu group 15
  fsl_enetc_vf 0000:00:01.0: enabling device (0000 -> 0002)
  fsl_enetc_vf 0000:00:01.0 eno0vf0: renamed from eth0
  $ tc qdisc replace dev eno0vf0 root taprio num_tc 8 map 0 1 2 3 4 5 6 7 \
          queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 base-time 0 \
          sched-entry S 0x7f 900000 sched-entry S 0x80 100000 flags 0x2
  Unable to handle kernel paging request at virtual address ffff800009551a08
  Internal error: Oops: 96000007 [#1] PREEMPT SMP
  pc : enetc_setup_tc_taprio+0x170/0x47c
  lr : enetc_setup_tc_taprio+0x16c/0x47c
  Call trace:
   enetc_setup_tc_taprio+0x170/0x47c
   enetc_setup_tc+0x38/0x2dc
   taprio_change+0x43c/0x970
   taprio_init+0x188/0x1e0
   qdisc_create+0x114/0x470
   tc_modify_qdisc+0x1fc/0x6c0
   rtnetlink_rcv_msg+0x12c/0x390

Split enetc_setup_tc() into separate functions for the PF and for the VF drivers. Also remove enetc_qos.o from being included into enetc-vf.ko, since it serves absolutely no purpose there.


Analysis

by VulDB Data Team • 09/18/2025

CVE-2022-48645 affects the Linux kernel's fsl_enetc driver for the NXP ENETC Ethernet controller, specifically its handling of Time-Sensitive Networking (TSN) offloads on SR-IOV virtual function (VF) interfaces. The VF driver accepted tc offload requests that only the physical function (PF) can service, and servicing them touched hardware the VF cannot reach. The driver configures its TSN features (taprio, cbs, gate and police) through a mix of command BD ring messages and port registers, accessed via enetc_port_rd() and enetc_port_wr(). The port registers are a region of the ENETC memory map that is accessible only from the PCIe Physical Function; a Virtual Function has no mapping for them, which is part of how the hardware separates port-level management on the PF from per-VF queue management.

The flaw is reached when a VF netdev is given a TSN qdisc through the tc interface, as in the reproduction in the summary: tc qdisc replace dev eno0vf0 root taprio ... on the VF interface. enetc_setup_tc(), which the PF and VF drivers shared, dispatches the request into enetc_setup_tc_taprio(), and that function accesses port registers that are not mapped for the VF. The kernel reports an unhandled paging request at virtual address ffff800009551a08 and oopses (Internal error: Oops: 96000007), with the call trace running from rtnetlink_rcv_msg() through tc_modify_qdisc(), qdisc_create(), taprio_init() and taprio_change() into enetc_setup_tc() and enetc_setup_tc_taprio(). This is an access to unmapped device memory that the kernel traps, not a privilege escalation: the outcome the report shows is a crash. The root cause is that the VF driver had no check rejecting offload types its hardware cannot support, so the request reached code written for the PF.

The operational impact is a denial of service. Configuring a qdisc requires CAP_NET_ADMIN in the user namespace that owns the interface's network namespace, so anyone holding that capability over the VF netdev can bring down the kernel that binds fsl_enetc_vf with a single tc command. The exposure is greatest where the VF netdev has been handed to a party less trusted than that kernel, for example a container whose network namespace has received the VF and whose owner has CAP_NET_ADMIN inside it; a VF passed through to a virtual machine runs fsl_enetc_vf in the guest kernel, so there the crash is confined to the guest. Affected systems are those using fsl_enetc on SR-IOV-capable platforms with VFs enabled (sriov_numvfs greater than zero). The issue maps to CWE-284 (Improper Access Control): the VF driver did not limit its tc offload surface to what the VF is permitted to operate. Nothing in the report indicates memory corruption or a way to gain privileges; the invalid access is caught by the kernel and ends in an oops.

The fix restructures the driver so that TSN offload handling exists only in the PF driver. enetc_setup_tc() is split into a PF variant, which keeps the taprio, cbs, gate and police handlers, and a VF variant that does not offer them, so a tc request for a TSN qdisc on a VF is refused at the ndo_setup_tc entry point and never reaches code that touches port registers. enetc_qos.o is also dropped from enetc-vf.ko, since it serves no purpose in the VF module; the unreachable path is removed rather than merely guarded. This is least privilege applied at the driver boundary: each function type exposes exactly the operations its hardware can perform, so a VF cannot, by mistake or by design, request work that crashes the kernel.
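The split described above, as an added example that is not code from the kernel or from this page: a user-space C model of a shared ndo_setup_tc-style dispatcher that walks from a VF into PF-only port registers, next to the PF/VF split that refuses the request at the dispatch boundary. All model_* names, the register offsets, the MMIO layout and the use of -EFAULT as a stand-in for the kernel oops are assumptions for illustration; the kernel's real enetc_setup_tc() variants are not reproduced.

```c
/* Added example, not the kernel's code: a user-space model of the shared tc
 * dispatcher behind CVE-2022-48645 and of the PF/VF split that fixes it. All
 * model_* names, register offsets and the MMIO layout are assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_PORT_REG_WORDS 64u
#define MODEL_PORT_TGSCR     0x10u  /* hypothetical time-gate scheduling register */
#define MODEL_PORT_CBSCR     0x14u  /* hypothetical credit-based shaper register */

enum model_tc_type {
    MODEL_TC_MQPRIO,             /* per-ring priority map: PF and VF */
    MODEL_TC_TAPRIO,             /* TSN offloads below: PF-only hardware */
    MODEL_TC_CBS,
    MODEL_TC_FLOWER_GATE_POLICE,
};

struct model_dev {
    uint32_t *port_regs;  /* NULL on a VF: the port register window is not mapped */
    unsigned faults;      /* accesses that would be a kernel oops */
};

struct model_result {
    int rc;               /* what tc gets back */
    unsigned faults;      /* 0 means no PF-only register was touched */
};

/* Stand-in for enetc_port_wr(). In the kernel, dereferencing the unmapped
 * window is the "Unable to handle kernel paging request" oops in the report;
 * the model records it and returns -EFAULT so it can carry on. */
static int model_port_wr(struct model_dev *d, uint32_t off, uint32_t val)
{
    if (!d->port_regs) {
        d->faults++;
        return -EFAULT;
    }
    d->port_regs[off / 4] = val;
    return 0;
}

/* Before the fix: one dispatcher linked into both enetc-pf.ko and enetc-vf.ko,
 * so a VF netdev accepts TSN offloads and walks into registers it cannot reach.
 * After the fix the PF keeps this full dispatcher. */
static int model_shared_setup_tc(struct model_dev *d, enum model_tc_type type)
{
    switch (type) {
    case MODEL_TC_MQPRIO:
        return 0;  /* ring setup uses per-function registers, no port access */
    case MODEL_TC_TAPRIO:
        return model_port_wr(d, MODEL_PORT_TGSCR, 1);
    case MODEL_TC_CBS:
        return model_port_wr(d, MODEL_PORT_CBSCR, 1);
    case MODEL_TC_FLOWER_GATE_POLICE:
        return model_port_wr(d, MODEL_PORT_TGSCR, 2);
    }
    return -EOPNOTSUPP;
}

/* After the fix: the VF gets its own dispatcher that offers only what VF
 * hardware can do and refuses the rest before any register is touched, so
 * the TSN code need not be linked into the VF module at all. */
static int model_vf_setup_tc(struct model_dev *d, enum model_tc_type type)
{
    (void)d;  /* nothing the VF may do here needs the port window */
    switch (type) {
    case MODEL_TC_MQPRIO:
        return 0;
    default:
        return -EOPNOTSUPP;  /* tc reports "Operation not supported" */
    }
}

/* Run one tc offload request against a PF or a VF, before or after the split. */
struct model_result model_try(bool is_pf, bool split, enum model_tc_type type)
{
    static uint32_t pf_regs[MODEL_PORT_REG_WORDS];
    struct model_dev d = { .port_regs = is_pf ? pf_regs : NULL, .faults = 0 };
    struct model_result r;
    if (is_pf)
        r.rc = model_shared_setup_tc(&d, type);   /* PF: full dispatcher either way */
    else if (split)
        r.rc = model_vf_setup_tc(&d, type);       /* VF after the fix */
    else
        r.rc = model_shared_setup_tc(&d, type);   /* VF before the fix */
    r.faults = d.faults;
    return r;
}

int main(void)
{
    struct model_result b = model_try(false, false, MODEL_TC_TAPRIO);
    struct model_result a = model_try(false, true, MODEL_TC_TAPRIO);
    printf("VF taprio before split: rc=%d faults=%u\n", b.rc, b.faults);
    printf("VF taprio after split:  rc=%d faults=%u\n", a.rc, a.faults);
    return 0;
}
```

Build with cc -std=c11 and run: the VF taprio request that faults under the shared dispatcher comes back as -EOPNOTSUPP once the VF has its own dispatcher, and the fault counter stays at zero, while mqprio keeps working on both function types. The design point the model makes is that the check belongs at the dispatch boundary, keyed on what the function type is allowed to operate, rather than deep inside a feature handler written for the PF.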

Reservation

02/25/2024

Disclosure

04/28/2024

Moderation

accepted

CPE

ready

EPSS

0.00225

KEV

no

Activities

very low

Sources
