CVE-2022-48652 in Linux

Summary

by MITRE • 04/28/2024

In the Linux kernel, the following vulnerability has been resolved:

ice: Fix crash by keep old cfg when update TCs more than queues

There are problems if fewer queues are allocated than Traffic Classes.

Commit a632b2a4c920 ("ice: ethtool: Prohibit improper channel config for DCB") already disallows setting fewer queues than TCs.

Another case is if we first set fewer queues, and later update to a config with more TCs due to LLDP: ice_vsi_cfg_tc() will fail but leave dirty num_txq/rxq and tc_cfg in the vsi, which will cause invalid pointer access.

[ 95.968089] ice 0000:3b:00.1: More TCs defined than queues/rings allocated.
[ 95.968092] ice 0000:3b:00.1: Trying to use more Rx queues (8), than were allocated (1)!
[ 95.968093] ice 0000:3b:00.1: Failed to config TC for VSI index: 0
[ 95.969621] general protection fault: 0000 [#1] SMP NOPTI
[ 95.969705] CPU: 1 PID: 58405 Comm: lldpad Kdump: loaded Tainted: G U W O --------- -t - 4.18.0 #1
[ 95.969867] Hardware name: O.E.M/BC11SPSCB10, BIOS 8.23 12/30/2021
[ 95.969992] RIP: 0010:devm_kmalloc+0xa/0x60
[ 95.970052] Code: 5c ff ff ff 31 c0 5b 5d 41 5c c3 b8 f4 ff ff ff eb f4 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 89 d1 97 60 02 00 00 48 8d 7e 18 48 39 f7 72 3f 55 89 ce 53 48 8b 4c
[ 95.970344] RSP: 0018:ffffc9003f553888 EFLAGS: 00010206
[ 95.970425] RAX: dead000000000200 RBX: ffffea003c425b00 RCX: 00000000006080c0
[ 95.970536] RDX: 00000000006080c0 RSI: 0000000000000200 RDI: dead000000000200
[ 95.970648] RBP: dead000000000200 R08: 00000000000463c0 R09: ffff888ffa900000
[ 95.970760] R10: 0000000000000000 R11: 0000000000000002 R12: ffff888ff6b40100
[ 95.970870] R13: ffff888ff6a55018 R14: 0000000000000000 R15: ffff888ff6a55460
[ 95.970981] FS: 00007f51b7d24700(0000) GS:ffff88903ee80000(0000) knlGS:0000000000000000
[ 95.971108] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 95.971197] CR2: 00007fac5410d710 CR3: 0000000f2c1de002 CR4: 00000000007606e0
[ 95.971309] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 95.971419] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 95.971530] PKRU: 55555554
[ 95.971573] Call Trace:
[ 95.971622] ice_setup_rx_ring+0x39/0x110 [ice]
[ 95.971695] ice_vsi_setup_rx_rings+0x54/0x90 [ice]
[ 95.971774] ice_vsi_open+0x25/0x120 [ice]
[ 95.971843] ice_open_internal+0xb8/0x1f0 [ice]
[ 95.971919] ice_ena_vsi+0x4f/0xd0 [ice]
[ 95.971987] ice_dcb_ena_dis_vsi.constprop.5+0x29/0x90 [ice]
[ 95.972082] ice_pf_dcb_cfg+0x29a/0x380 [ice]
[ 95.972154] ice_dcbnl_setets+0x174/0x1b0 [ice]
[ 95.972220] dcbnl_ieee_set+0x89/0x230
[ 95.972279] ? dcbnl_ieee_del+0x150/0x150
[ 95.972341] dcb_doit+0x124/0x1b0
[ 95.972392] rtnetlink_rcv_msg+0x243/0x2f0
[ 95.972457] ? dcb_doit+0x14d/0x1b0
[ 95.972510] ? __kmalloc_node_track_caller+0x1d3/0x280
[ 95.972591] ? rtnl_calcit.isra.31+0x100/0x100
[ 95.972661] netlink_rcv_skb+0xcf/0xf0
[ 95.972720] netlink_unicast+0x16d/0x220
[ 95.972781] netlink_sendmsg+0x2ba/0x3a0
[ 95.975891] sock_sendmsg+0x4c/0x50
[ 95.979032] ___sys_sendmsg+0x2e4/0x300
[ 95.982147] ? kmem_cache_alloc+0x13e/0x190
[ 95.985242] ? __wake_up_common_lock+0x79/0x90
[ 95.988338] ? __check_object_size+0xac/0x1b0
[ 95.991440] ? _copy_to_user+0x22/0x30
[ 95.994539] ? move_addr_to_user+0xbb/0xd0
[ 95.997619] ? __sys_sendmsg+0x53/0x80
[ 96.000664] __sys_sendmsg+0x53/0x80
[ 96.003747] do_syscall_64+0x5b/0x1d0
[ 96.006862] entry_SYSCALL_64_after_hwframe+0x65/0xca

Only update num_txq/rxq when the check has passed, and restore tc_cfg if setting up the queue map failed.


Analysis

by VulDB Data Team • 09/18/2025

CVE-2022-48652 is a flaw in the Linux kernel's ice driver, which drives Intel Ethernet E800 series adapters. It is a kernel crash (general protection fault) reached during a dynamic traffic class (TC) configuration update when the adapter has fewer queues allocated than the new configuration has traffic classes. The driver does reject the new configuration, but by then it has already written the new queue counts and TC settings into the VSI, and the ring setup that follows operates on that inconsistent state.

The root cause is in ice_vsi_cfg_tc(), which applies a TC configuration to a VSI (Virtual Station Interface, the driver's per-function network interface object). Commit a632b2a4c920 stops ethtool from configuring fewer channels than TCs, but the reverse ordering was still possible: first configure a small number of queues (one in the report), then receive a DCB/ETS update with more TCs, which lldpad pushes to the driver over the DCB netlink interface (dcbnl_ieee_set in the trace) after LLDP negotiation with the attached switch. ice_vsi_cfg_tc() correctly fails that update ("More TCs defined than queues/rings allocated"), but before the check it had already stored the new num_txq, num_rxq and tc_cfg in the VSI, and it left them in place on the error path.

VulDB classifies the issue under CWE-121 and CWE-125. CWE-125 (out-of-bounds read) fits what the trace shows: after the failed update, ice_vsi_setup_rx_rings() walks vsi->num_rxq (now 8) ring pointers although only one ring was allocated, reads past the ring pointer array, and ice_setup_rx_ring() hands the resulting garbage device pointer to devm_kmalloc(). RDI, the dev argument, holds 0xdead000000000200, which is the kernel's LIST_POISON2 pointer-poison value, so the first dereference faults. CWE-121 is stack-based buffer overflow (heap-based overflow is CWE-122), and neither overflow class describes this bug well: no buffer is overrun, a stale pointer is read and dereferenced. Operationally, the trigger is an RTM_SETDCB netlink request, which requires CAP_NET_ADMIN on the host; in practice that request comes from lldpad reacting to DCBX advertisements from the peer switch, so a switch-side ETS change can indirectly crash a host running lldpad with no malformed input at all. The crash lands in ice_vsi_open(), the ordinary interface activation path, because ice_pf_dcb_cfg() re-enables the VSI after the configuration attempt regardless of its outcome.

The ATT&CK mapping VulDB gives, T1059.007 (Command and Scripting Interpreter: JavaScript), does not describe this flaw; no interpreter is involved. The realistic impact is denial of service of the host: a general protection fault in kernel context, which takes the machine down where panic_on_oops is set (the reporter's host had kdump loaded) and otherwise kills the lldpad task inside dcb_doit(), which runs under the rtnl lock, so later network configuration hangs as well. The systems most exposed are servers and network appliances using E800 adapters with DCB and LLDP enabled. The crash site, devm_kmalloc() called from ice_setup_rx_ring(), is not an allocator bug: the allocator is being passed a bogus device pointer obtained from state the failed TC configuration left behind.

The fix reorders the operations so that the VSI is only modified once the new configuration is known to be valid: num_txq and num_rxq are written only after the queue-map check passes, and ice_vsi_cfg_tc() keeps a copy of the old tc_cfg and restores it if building the queue map fails. A rejected update therefore leaves the VSI exactly as it was, and the subsequent ice_vsi_open() walks only the rings that really exist. This is the standard defensive pattern for kernel configuration paths: validate against the resources actually allocated, commit the new state only on success, and undo any partial change on failure.
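The following C program is an added example, not code from the Linux ice driver, that models the ordering bug described in the root-cause paragraph and the fix described just above. All names in it (struct vsi_model, build_q_map(), cfg_tc_buggy(), cfg_tc_fixed(), open_rx_rings(), scenario()) are hypothetical stand-ins for the driver's ice_vsi_cfg_tc(), ice_vsi_setup_q_map() and ice_vsi_setup_rx_rings(); the one-ring-then-eight-TCs sequence is the one from the report.

```c
/* Added example, not code from the Linux ice driver: a reduced model of the
 * state-handling bug behind CVE-2022-48652 and of its fix. struct vsi_model,
 * build_q_map(), cfg_tc_buggy(), cfg_tc_fixed(), open_rx_rings() and
 * scenario() are hypothetical names chosen for this illustration. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_TC 8

struct rx_ring { int index; };

struct tc_cfg {
    int numtc;           /* enabled traffic classes */
    int qcount[MAX_TC];  /* rings assigned to each TC once the map is built */
};

struct vsi_model {
    int alloc_rxq;       /* rings actually allocated */
    int num_rxq;         /* rings the driver believes it may use */
    /* The kernel's array has only alloc_rxq entries; here entries past
     * alloc_rxq are NULL so reading them is detectable instead of a GPF. */
    struct rx_ring *rx_rings[MAX_TC];
    struct tc_cfg tc_cfg;
};

/* Queue-map construction. Rejects more TCs than allocated rings, mirroring
 * the "More TCs defined than queues/rings allocated" check in the oops, and
 * writes num_rxq only after that check passes (the fixed ordering). */
static int build_q_map(struct vsi_model *vsi)
{
    int numtc = vsi->tc_cfg.numtc, tc;

    if (numtc > vsi->alloc_rxq)
        return -EINVAL;
    for (tc = 0; tc < MAX_TC; tc++)
        vsi->tc_cfg.qcount[tc] = tc < numtc ? 1 : 0; /* one ring per TC */
    vsi->num_rxq = numtc;
    return 0;
}

/* Pre-fix flow: tc_cfg and num_rxq are updated before validation and are
 * left dirty when build_q_map() fails. */
static int cfg_tc_buggy(struct vsi_model *vsi, int numtc)
{
    vsi->tc_cfg.numtc = numtc;
    vsi->num_rxq = numtc;
    return build_q_map(vsi);
}

/* Fixed flow: keep the old tc_cfg and restore it on failure; num_rxq is
 * only touched inside build_q_map() after the check. */
static int cfg_tc_fixed(struct vsi_model *vsi, int numtc)
{
    struct tc_cfg old_cfg = vsi->tc_cfg;
    int ret;

    vsi->tc_cfg.numtc = numtc;
    ret = build_q_map(vsi);
    if (ret)
        vsi->tc_cfg = old_cfg;
    return ret;
}

/* Stand-in for ice_vsi_setup_rx_rings(): walks num_rxq ring pointers. A
 * NULL entry models the stale pointer the kernel read past its ring array
 * and passed to devm_kmalloc() (RDI = 0xdead000000000200 in the trace).
 * Returns the number of rings opened, or -EFAULT. */
static int open_rx_rings(const struct vsi_model *vsi)
{
    int i;

    for (i = 0; i < vsi->num_rxq; i++)
        if (i >= MAX_TC || !vsi->rx_rings[i])
            return -EFAULT;
    return vsi->num_rxq;
}

/* The reported sequence (constructed here): one ring allocated and one TC in
 * use, then an ETS update asks for eight TCs, as lldpad does over dcbnl.
 * Returns the result of re-opening the rings and copies the VSI to *out. */
static int scenario(bool use_fix, struct vsi_model *out)
{
    static struct rx_ring ring0 = { 0 };
    struct vsi_model vsi = { .alloc_rxq = 1, .num_rxq = 1,
                             .tc_cfg = { .numtc = 1, .qcount = { 1 } } };
    int ret;

    vsi.rx_rings[0] = &ring0;
    ret = use_fix ? cfg_tc_fixed(&vsi, 8) : cfg_tc_buggy(&vsi, 8);
    printf("%s: cfg_tc returned %d, num_rxq=%d numtc=%d\n",
           use_fix ? "fixed" : "buggy", ret, vsi.num_rxq, vsi.tc_cfg.numtc);
    if (out)
        *out = vsi;
    return open_rx_rings(&vsi);
}

int main(void)
{
    printf("buggy: open_rx_rings -> %d\n", scenario(false, NULL));
    printf("fixed: open_rx_rings -> %d\n", scenario(true, NULL));
    return 0;
}
```

Both variants reject the eight-TC request with -EINVAL; the difference is what the VSI looks like afterwards. The buggy flow leaves num_rxq at 8, so the ring walk reads a slot that was never allocated and fails, which is the model's equivalent of the general protection fault. The fixed flow leaves num_rxq at 1 and tc_cfg restored, and the ring walk succeeds.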

The broader lesson is that a configuration path in a kernel driver must not partially apply state it then rejects. Any code that accepts dynamic reconfiguration from an external protocol, here DCBX over LLDP, should validate the whole request against the resources actually allocated before touching the live object, and its error path deserves the same testing as its success path, since that is where the inconsistent state in this report came from.

Reservation

02/25/2024

Disclosure

04/28/2024

Moderation

accepted

CPE

ready

EPSS

0.00197

KEV

no

Activities

very low
