CVE-2022-48807 in Linux

Summary

by MITRE • 07/16/2024

In the Linux kernel, the following vulnerability has been resolved:

ice: Fix KASAN error in LAG NETDEV_UNREGISTER handler

Currently, the same handler is called for both a NETDEV_BONDING_INFO LAG unlink notification as for a NETDEV_UNREGISTER call. This is causing a problem though, since the netdev_notifier_info passed has a different structure depending on which event is passed. The problem manifests as a call trace from a BUG: KASAN stack-out-of-bounds error.

Fix this by creating a handler specific to NETDEV_UNREGISTER that only is passed valid elements in the netdev_notifier_info struct for the NETDEV_UNREGISTER event.

Also included is the removal of an unbalanced dev_put on the peer_netdev and related braces.


Analysis

by VulDB Data Team • 09/25/2025

The vulnerability described in CVE-2022-48807 represents a critical kernel memory corruption issue within the Linux kernel's ice driver, specifically affecting the Intel Ethernet driver implementation. This flaw manifests as a kernel address sanitizer (KASAN) error that occurs during link aggregation group (LAG) network device unregistration operations. The root cause stems from improper event handler management where a single notification handler is incorrectly utilized for two distinct network device events, creating a fundamental mismatch in expected data structures and memory access patterns. The ice driver, which manages Intel Ethernet network adapters, processes these events through the netdev_notifier_info structure that contains different data layouts depending on the specific event type being processed.

The technical implementation flaw arises from the conflated handling of NETDEV_BONDING_INFO LAG unlink notifications and NETDEV_UNREGISTER calls within the same handler function. When the kernel processes a NETDEV_UNREGISTER event, it passes a netdev_notifier_info structure containing specific elements that differ significantly from those present during a NETDEV_BONDING_INFO event. This structural inconsistency leads to memory access violations when the handler attempts to reference fields that do not exist or are improperly positioned in the memory layout. The KASAN stack-out-of-bounds error occurs because the code reads beyond the allocated memory boundaries of the notifier information structure, resulting in a kernel panic or potential privilege escalation vector. This type of vulnerability aligns with CWE-121, heap-based buffer overflow, and CWE-125, out-of-bounds read, as the handler operates on data structures with mismatched expectations and memory layouts.

The operational impact of this vulnerability extends beyond simple system stability concerns to potentially compromise the entire kernel memory space and system integrity. When triggered during network device unregistration, the memory corruption can lead to kernel crashes, system hangs, or in more severe scenarios, provide an attack vector for privilege escalation attacks. The vulnerability specifically affects systems running Linux kernels with Intel Ethernet drivers that implement link aggregation functionality, making it particularly relevant in enterprise network environments where high availability and stable network operations are critical. Attackers could potentially exploit this issue by triggering specific network device operations that cause the problematic handler to execute, leading to denial of service conditions or unauthorized access to kernel memory regions. The flaw also demonstrates poor defensive programming practices where the same code path handles multiple distinct data structures without proper validation or type checking, creating a pathway for memory corruption that aligns with ATT&CK technique T1068, Exploitation for Privilege Escalation.

The fix implemented addresses the core architectural issue by creating a dedicated handler specifically for NETDEV_UNREGISTER events, ensuring that only valid elements from the netdev_notifier_info structure are accessed during the unregister process. This approach eliminates the structural mismatch that caused the KASAN error by providing a separate code path that operates exclusively with the correct data layout for unregister operations. Additionally, the patch removes an unbalanced dev_put operation on the peer_netdev reference, which could have contributed to memory management issues and potential resource leaks. The solution follows proper kernel development practices by ensuring that each notification event type has its own specialized handler with appropriate data validation, preventing cross-contamination between different event processing paths. This fix aligns with security best practices outlined in the Linux kernel security documentation and addresses the fundamental design flaw that allowed memory corruption to occur during legitimate network device management operations. The mitigation ensures proper reference counting and memory access patterns while maintaining the intended functionality of the link aggregation feature.
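To make the structural mismatch in the flaw paragraph and the per-event dispatch of the fix paragraph concrete, here is a small user-space model added for this page. It is not the ice driver's code: the struct layouts, the NETDEV_* values and the lag_* function names are constructed stand-ins for the kernel's netdev_notifier_info and netdev_notifier_bonding_info, kept only as far as the type-confusion point needs.

```c
#include <stddef.h>
#include <string.h>

/* Constructed placeholders for the kernel's event ids (values are arbitrary). */
#define NETDEV_UNREGISTER   1
#define NETDEV_BONDING_INFO 2

struct net_device { char name[16]; };
/* Base payload every notifier receives (simplified stand-in). */
struct netdev_notifier_info { struct net_device *dev; };
struct netdev_bonding_info { int master_linked; };
/* NETDEV_BONDING_INFO carries the base payload plus bonding details. */
struct netdev_notifier_bonding_info {
    struct netdev_notifier_info info;        /* base payload, first member */
    struct netdev_bonding_info  bonding_info;
};

enum lag_result { LAG_NONE = 0, LAG_UNLINKED = 1, LAG_UNREGISTERED = 2, LAG_IGNORED = 3 };

/* Buggy pattern (never call it with a plain netdev_notifier_info): one
 * handler assumes the larger bonding layout for every event, so for
 * NETDEV_UNREGISTER it reads past the end of the caller's struct, which
 * is exactly what KASAN reports as a stack-out-of-bounds read. */
int lag_shared_handler(unsigned long event, void *ptr)
{
    struct netdev_notifier_bonding_info *bi = ptr;   /* wrong for UNREGISTER */
    (void)event;
    return bi->bonding_info.master_linked ? LAG_NONE : LAG_UNLINKED;
}

/* Fixed pattern: a handler per event, each touching only the fields that
 * event's payload actually carries. The unregister path sees info->dev only. */
static int lag_unregister_handler(struct netdev_notifier_info *info, char *out, size_t n)
{
    strncpy(out, info->dev->name, n - 1);   /* only info->dev is valid here */
    out[n - 1] = '\0';
    return LAG_UNREGISTERED;
}

static int lag_unlink_handler(struct netdev_notifier_bonding_info *bi)
{
    return bi->bonding_info.master_linked ? LAG_NONE : LAG_UNLINKED;
}

/* Dispatch on the event before casting, so the cast always matches the layout. */
int lag_event_handler(unsigned long event, void *ptr, char *out, size_t n)
{
    switch (event) {
    case NETDEV_UNREGISTER:   return lag_unregister_handler(ptr, out, n);
    case NETDEV_BONDING_INFO: return lag_unlink_handler(ptr);
    default:                  return LAG_IGNORED;
    }
}
```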

Responsible

Linux

Reservation

07/16/2024

Disclosure

07/16/2024

Moderation

accepted

CPE

ready

EPSS

0.00288

KEV

no

Activities

very low
