CVE-2022-48729 in Linux
Summary
by MITRE • 06/20/2024
In the Linux kernel, the following vulnerability has been resolved:
IB/hfi1: Fix panic with larger ipoib send_queue_size
When the ipoib send_queue_size is increased from the default the following panic happens:
RIP: 0010:hfi1_ipoib_drain_tx_ring+0x45/0xf0 [hfi1]
Code: 31 e4 eb 0f 8b 85 c8 02 00 00 41 83 c4 01 44 39 e0 76 60 8b 8d cc 02 00 00 44 89 e3 be 01 00 00 00 d3 e3 48 03 9d c0 02 00 00 83 18 01 00 00 00 00 00 00 48 8b bb 30 01 00 00 e8 25 af a7 e0 RSP: 0018:ffffc9000798f4a0 EFLAGS: 00010286 RAX: 0000000000008000 RBX: ffffc9000aa0f000 RCX: 000000000000000f RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff88810ff08000 R08: ffff88889476d900 R09: 0000000000000101 R10: 0000000000000000 R11: ffffc90006590ff8 R12: 0000000000000200 R13: ffffc9000798fba8 R14: 0000000000000000 R15: 0000000000000001 FS: 00007fd0f79cc3c0(0000) GS:ffff88885fb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000aa0f118 CR3: 0000000889c84001 CR4: 00000000001706e0 Call Trace: hfi1_ipoib_napi_tx_disable+0x45/0x60 [hfi1]
hfi1_ipoib_dev_stop+0x18/0x80 [hfi1]
ipoib_ib_dev_stop+0x1d/0x40 [ib_ipoib]
ipoib_stop+0x48/0xc0 [ib_ipoib]
__dev_close_many+0x9e/0x110 __dev_change_flags+0xd9/0x210 dev_change_flags+0x21/0x60 do_setlink+0x31c/0x10f0 ? __nla_validate_parse+0x12d/0x1a0 ? __nla_parse+0x21/0x30 ? inet6_validate_link_af+0x5e/0xf0 ? cpumask_next+0x1f/0x20 ? __snmp6_fill_stats64.isra.53+0xbb/0x140 ? __nla_validate_parse+0x47/0x1a0 __rtnl_newlink+0x530/0x910 ? pskb_expand_head+0x73/0x300 ? __kmalloc_node_track_caller+0x109/0x280 ? __nla_put+0xc/0x20 ? cpumask_next_and+0x20/0x30 ? update_sd_lb_stats.constprop.144+0xd3/0x820 ? _raw_spin_unlock_irqrestore+0x25/0x37 ? __wake_up_common_lock+0x87/0xc0 ? kmem_cache_alloc_trace+0x3d/0x3d0 rtnl_newlink+0x43/0x60
The issue happens when the shift that should have been a function of the txq item size mistakenly used the ring size.
Fix by using the item size.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 10/27/2024
The vulnerability CVE-2022-48729 represents a critical kernel panic in the Linux kernel's InfiniBand hardware interface driver, specifically within the hfi1 module. This issue manifests when administrators modify the ipoib send_queue_size parameter beyond its default configuration, triggering a system-wide crash that can severely impact network availability and system stability. The vulnerability resides in the driver's handling of transmit ring operations and directly affects systems utilizing InfiniBand networking hardware through the hfi1 driver. The panic occurs during the shutdown sequence of InfiniBand network interfaces when the driver attempts to process transmit queue operations, specifically in the hfi1_ipoib_drain_tx_ring function where memory access violations occur due to incorrect bit shifting calculations.
Technical exploitation of this vulnerability stems from a fundamental error in the driver's arithmetic operations where the code incorrectly applies a shift operation based on ring size rather than the actual transmit queue item size. This misconfiguration causes the driver to calculate memory offsets incorrectly, leading to invalid memory access patterns that result in kernel panics and system crashes. The call trace reveals the execution path leading to the failure, beginning with network interface shutdown operations and progressing through the InfiniBand subsystem's device management functions. The specific memory address referenced in the crash context (CR2: ffafc9000aa0f118) indicates an invalid memory access that occurs during the drain_tx_ring operation, where the driver attempts to access memory beyond the allocated buffer boundaries due to the incorrect shift calculation.
The operational impact of this vulnerability extends beyond simple system crashes, as it can disrupt critical network services and potentially lead to complete system downtime in environments where InfiniBand networking is essential. The vulnerability affects all Linux kernel versions that include the hfi1 driver and are configured to use InfiniBand networking with modified send_queue_size parameters. Attackers could potentially exploit this issue to cause denial of service conditions, particularly in high-availability environments where system stability is paramount. This vulnerability directly relates to CWE-129 and CWE-787, representing improper input validation and out-of-bounds write conditions respectively, as the driver fails to properly validate the queue size parameters and performs unsafe memory operations. The issue also maps to ATT&CK technique T1499.004, specifically "Endpoint Denial of Service" through kernel memory corruption, as it enables an attacker to crash system endpoints via network interface manipulation.
Mitigation strategies for CVE-2022-48729 require immediate kernel updates to versions containing the patched hfi1 driver implementation that correctly handles the shift operations based on item size rather than ring size. System administrators should avoid modifying the ipoib send_queue_size parameter until the kernel update is deployed, particularly in production environments where network availability is critical. Organizations should implement monitoring systems to detect unusual network interface shutdown patterns that might indicate exploitation attempts. The fix implemented in the patched kernel ensures proper calculation of memory offsets by using the correct transmit queue item size for shift operations, thereby preventing the invalid memory access that caused the panic. Additionally, security teams should conduct vulnerability assessments to identify systems running affected kernel versions and prioritize patching efforts based on network infrastructure criticality and exposure levels.