CVE-2022-48673 in Linux

Summary

by MITRE • 05/03/2024

In the Linux kernel, the following vulnerability has been resolved:

net/smc: Fix possible access to freed memory in link clear

After modifying the QP to the Error state, all RX WR would be completed with WC in IB_WC_WR_FLUSH_ERR status. The current implementation does not wait for this to finish, but destroys the QP and frees the link group directly, so there is a risk of accessing the freed memory in tasklet context.

Here is a crash example:

BUG: unable to handle page fault for address: ffffffff8f220860
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD f7300e067 P4D f7300e067 PUD f7300f063 PMD 8c4e45063 PTE 800ffff08c9df060
Oops: 0002 [#1] SMP PTI
CPU: 1 PID: 0 Comm: swapper/1 Kdump: loaded Tainted: G S OE 5.10.0-0607+ #23
Hardware name: Inspur NF5280M4/YZMB-00689-101, BIOS 4.1.20 07/09/2018
RIP: 0010:native_queued_spin_lock_slowpath+0x176/0x1b0
Code: f3 90 48 8b 32 48 85 f6 74 f6 eb d5 c1 ee 12 83 e0 03 83 ee 01 48 c1 e0 05 48 63 f6 48 05 00 c8 02 00 48 03 04 f5 00 09 98 8e 89 10 8b 42 08 85 c0 75 09 f3 90 8b 42 08 85 c0 74 f7 48 8b 32
RSP: 0018:ffffb3b6c001ebd8 EFLAGS: 00010086
RAX: ffffffff8f220860 RBX: 0000000000000246 RCX: 0000000000080000
RDX: ffff91db1f86c800 RSI: 000000000000173c RDI: ffff91db62bace00
RBP: ffff91db62bacc00 R08: 0000000000000000 R09: c00000010000028b
R10: 0000000000055198 R11: ffffb3b6c001ea58 R12: ffff91db80e05010
R13: 000000000000000a R14: 0000000000000006 R15: 0000000000000040
FS: 0000000000000000(0000) GS:ffff91db1f840000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff8f220860 CR3: 00000001f9580004 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 _raw_spin_lock_irqsave+0x30/0x40
 mlx5_ib_poll_cq+0x4c/0xc50 [mlx5_ib]
 smc_wr_rx_tasklet_fn+0x56/0xa0 [smc]
 tasklet_action_common.isra.21+0x66/0x100
 __do_softirq+0xd5/0x29c
 asm_call_irq_on_stack+0x12/0x20
 do_softirq_own_stack+0x37/0x40
 irq_exit_rcu+0x9d/0xa0
 sysvec_call_function_single+0x34/0x80
 asm_sysvec_call_function_single+0x12/0x20


Analysis

by VulDB Data Team • 09/29/2025

The vulnerability identified as CVE-2022-48673 resides within the Linux kernel's implementation of the SMC (Scalable Memory Communication) subsystem, specifically affecting memory management during the cleanup of InfiniBand queue pairs. This flaw manifests as a potential use-after-free condition that can lead to kernel memory corruption and system instability. The issue occurs when transitioning a queue pair to the error state, where the system attempts to complete all receive work requests with a flush error status but fails to properly synchronize before proceeding to destroy the queue pair and free associated memory structures. This race condition creates an opportunity for the kernel to access memory that has already been deallocated, resulting in page fault exceptions and system crashes.

The technical root cause of this vulnerability is missing synchronization between the completion of work requests and the destruction of the underlying memory resources. When the kernel modifies a queue pair to the error state, all outstanding receive work requests are completed with status IB_WC_WR_FLUSH_ERR, yet the current implementation does not wait for these completions to be processed before destroying the queue pair and freeing the associated link group structure. This premature cleanup allows the tasklet that polls the completion queue to touch memory that has already been freed, producing the crash seen in the dump. The faulting address ffffffff8f220860 is an invalid write inside the kernel's queued spinlock slow path, reached from mlx5_ib_poll_cq, which shows the freed link structure being locked during soft interrupt processing.

The operational impact of this vulnerability extends beyond simple system crashes to potentially enable privilege escalation and denial of service conditions within kernel environments. The crash pattern observed through the tasklet execution path shows that the mlx5_ib_poll_cq function is called from within the smc_wr_rx_tasklet_fn context, indicating that the memory corruption occurs during network I/O processing for InfiniBand connections. This vulnerability affects systems utilizing the mlx5_ib driver and SMC functionality, particularly those handling high-throughput network communications where the race condition between work request completion and resource cleanup is more likely to manifest. The flaw represents a classic memory safety issue that aligns with CWE-416, which describes the use of freed memory condition, and can be mapped to ATT&CK technique T1068 under "Exploitation for Privilege Escalation" when exploited in kernel contexts.

Mitigation strategies for this vulnerability should focus on implementing proper synchronization mechanisms before resource cleanup operations. The fix requires ensuring that all work requests are fully processed and completed before proceeding with queue pair destruction and memory deallocation. System administrators should prioritize applying kernel updates that contain the patched implementation, which typically involves adding explicit waits for work request completion status before allowing the cleanup process to proceed. Additionally, monitoring for system crashes or memory corruption patterns in environments using SMC and InfiniBand networking can help identify systems that may be vulnerable to this class of exploit. Organizations should also consider implementing kernel lockdown features and restricting access to kernel memory management interfaces to minimize the potential impact of such vulnerabilities in production environments.
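The ordering problem described in the root-cause paragraph and the fix sketched in the mitigation paragraph (wait for every flushed receive work request to complete before destroying the QP and freeing the link) can be modelled in user space. The program below is an added example written for this page, not the kernel's SMC code and not the actual upstream patch: the names link_clear_unsafe, link_clear_safe, rx_tasklet_run, modify_qp_to_error and the liveness registry are invented here. It replays the vulnerable ordering (Error, destroy, free, then the deferred tasklet runs) next to the corrected ordering (Error, drain completions, destroy, free), and instead of dereferencing freed memory it counts how many queued completions would have touched a freed link.

```c
/* Added example: a user-space model of the SMC link-clear race, not kernel
 * code. All identifiers below are invented for the model. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define RX_WR_COUNT 4   /* RX work requests posted on the QP (constructed value) */
#define MAX_LINKS   8

enum qp_state { QP_RTS, QP_ERROR, QP_DESTROYED };

struct link {
    enum qp_state qp;
    int rx_posted;     /* RX WRs still owned by the QP */
    int rx_completed;  /* completions the tasklet has consumed */
    int cq_lock;       /* stands in for the CQ spinlock taken in mlx5_ib_poll_cq */
};

/* A completion queued for the tasklet. It carries a raw link pointer, which is
 * exactly what dangles if the link is freed before the tasklet runs. */
struct cqe { struct link *lnk; bool flush_err; };

/* One completion queue / one pending tasklet for the whole model */
static struct { struct cqe items[RX_WR_COUNT]; int n; } rx_cq;

/* Liveness registry: lets the model report a use-after-free instead of
 * dereferencing freed memory (a user-space stand-in for KASAN). */
static struct { uintptr_t addr; bool freed; } registry[MAX_LINKS];

static void registry_set(uintptr_t addr, bool freed) {
    for (int i = 0; i < MAX_LINKS; i++)
        if (registry[i].addr == addr || registry[i].addr == 0) {
            registry[i].addr = addr; registry[i].freed = freed; return;
        }
}
static bool is_freed(uintptr_t addr) {
    for (int i = 0; i < MAX_LINKS; i++)
        if (registry[i].addr == addr) return registry[i].freed;
    return true;   /* unknown object: never treat it as live */
}

static struct link *link_alloc(void) {
    struct link *l = calloc(1, sizeof *l);
    l->qp = QP_RTS; l->rx_posted = RX_WR_COUNT;
    registry_set((uintptr_t)l, false);
    return l;
}
static void link_free(struct link *l) {
    registry_set((uintptr_t)l, true);
    free(l);   /* link group gone; any queued cqe->lnk now dangles */
}

/* Device side: moving the QP to Error flushes every posted RX WR with
 * IB_WC_WR_FLUSH_ERR. The completions are only queued; the tasklet runs later. */
static void modify_qp_to_error(struct link *l) {
    l->qp = QP_ERROR;
    for (int i = 0; i < l->rx_posted; i++)
        rx_cq.items[rx_cq.n++] = (struct cqe){ .lnk = l, .flush_err = true };
}

/* Softirq side (smc_wr_rx_tasklet_fn polling the CQ): consume queued
 * completions. Returns how many of them referred to an already-freed link. */
int rx_tasklet_run(void) {
    int uaf = 0;
    for (int i = 0; i < rx_cq.n; i++) {
        struct link *l = rx_cq.items[i].lnk;
        if (is_freed((uintptr_t)l)) { uaf++; continue; }  /* kernel: oops in the spinlock */
        l->cq_lock = 1;            /* spin_lock_irqsave on the CQ */
        l->rx_completed++;
        l->cq_lock = 0;            /* spin_unlock_irqrestore */
    }
    rx_cq.n = 0;
    return uaf;
}

/* Vulnerable ordering: Error -> destroy -> free, and only then the tasklet fires. */
int link_clear_unsafe(void) {
    struct link *l = link_alloc();
    modify_qp_to_error(l);
    l->qp = QP_DESTROYED;
    link_free(l);
    return rx_tasklet_run();
}

/* Fixed ordering: wait until every posted RX WR has completed (flush errors
 * included) before destroying the QP and freeing the link. */
int link_clear_safe(void) {
    struct link *l = link_alloc();
    modify_qp_to_error(l);
    while (l->rx_completed < l->rx_posted)   /* wait_event() stand-in */
        rx_tasklet_run();
    l->qp = QP_DESTROYED;
    link_free(l);
    return rx_tasklet_run();
}

int main(void) {
    printf("unsafe ordering: %d completions touched a freed link\n", link_clear_unsafe());
    printf("safe ordering:   %d completions touched a freed link\n", link_clear_safe());
    return 0;
}
```

The model keeps the two sides of the race explicit: modify_qp_to_error only queues flush completions, and rx_tasklet_run is the deferred context that consumes them. In the unsafe path every one of the RX_WR_COUNT completions finds its link already freed, which is the situation the oops above shows at _raw_spin_lock_irqsave; in the safe path the drain loop guarantees rx_completed reaches rx_posted before the memory is released, so the later tasklet run has nothing left that references the link.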

Reservation

02/25/2024

Disclosure

05/03/2024

Moderation

accepted

CPE

ready

EPSS

0.00210

KEV

no

Activities

very low

Sources
