CVE-2022-48850 in Linux

Summary

by MITRE • 07/16/2024

In the Linux kernel, the following vulnerability has been resolved:

net-sysfs: add check for netdevice being present to speed_show

When bringing down the netdevice or system shutdown, a panic can be triggered while accessing the sysfs path because the device is already removed.

[ 755.549084] mlx5_core 0000:12:00.1: Shutdown was called
[ 756.404455] mlx5_core 0000:12:00.0: Shutdown was called
...
[ 757.937260] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 758.031397] IP: [] dma_pool_alloc+0x1ab/0x280

crash> bt
...
PID: 12649 TASK: ffff8924108f2100 CPU: 1 COMMAND: "amsd"
...
#9 [ffff89240e1a38b0] page_fault at ffffffff8f38c778
[exception RIP: dma_pool_alloc+0x1ab]
RIP: ffffffff8ee11acb RSP: ffff89240e1a3968 RFLAGS: 00010046
RAX: 0000000000000246 RBX: ffff89243d874100 RCX: 0000000000001000
RDX: 0000000000000000 RSI: 0000000000000246 RDI: ffff89243d874090
RBP: ffff89240e1a39c0 R8: 000000000001f080 R9: ffff8905ffc03c00
R10: ffffffffc04680d4 R11: ffffffff8edde9fd R12: 00000000000080d0
R13: ffff89243d874090 R14: ffff89243d874080 R15: 0000000000000000
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#10 [ffff89240e1a39c8] mlx5_alloc_cmd_msg at ffffffffc04680f3 [mlx5_core]
#11 [ffff89240e1a3a18] cmd_exec at ffffffffc046ad62 [mlx5_core]
#12 [ffff89240e1a3ab8] mlx5_cmd_exec at ffffffffc046b4fb [mlx5_core]
#13 [ffff89240e1a3ae8] mlx5_core_access_reg at ffffffffc0475434 [mlx5_core]
#14 [ffff89240e1a3b40] mlx5e_get_fec_caps at ffffffffc04a7348 [mlx5_core]
#15 [ffff89240e1a3bb0] get_fec_supported_advertised at ffffffffc04992bf [mlx5_core]
#16 [ffff89240e1a3c08] mlx5e_get_link_ksettings at ffffffffc049ab36 [mlx5_core]
#17 [ffff89240e1a3ce8] __ethtool_get_link_ksettings at ffffffff8f25db46
#18 [ffff89240e1a3d48] speed_show at ffffffff8f277208
#19 [ffff89240e1a3dd8] dev_attr_show at ffffffff8f0b70e3
#20 [ffff89240e1a3df8] sysfs_kf_seq_show at ffffffff8eedbedf
#21 [ffff89240e1a3e18] kernfs_seq_show at ffffffff8eeda596
#22 [ffff89240e1a3e28] seq_read at ffffffff8ee76d10
#23 [ffff89240e1a3e98] kernfs_fop_read at ffffffff8eedaef5
#24 [ffff89240e1a3ed8] vfs_read at ffffffff8ee4e3ff
#25 [ffff89240e1a3f08] sys_read at ffffffff8ee4f27f
#26 [ffff89240e1a3f50] system_call_fastpath at ffffffff8f395f92

crash> net_device.state ffff89443b0c0000
state = 0x5 (__LINK_STATE_START| __LINK_STATE_NOCARRIER)

To prevent this scenario, we also make sure that the netdevice is present.


Analysis

by VulDB Data Team • 09/27/2024

The vulnerability described in CVE-2022-48850 resides within the Linux kernel's networking subsystem, specifically in the sysfs interface handling for network devices. This issue manifests during system shutdown or when network devices are being taken down, creating a race condition that leads to kernel panic due to a null pointer dereference. The problem occurs when the kernel attempts to access a network device's sysfs attributes through the speed_show function while the underlying device structure has already been freed or removed from memory. This scenario is particularly critical in high-performance networking environments where Mellanox mlx5 network adapters are utilized, as evidenced by the stack trace showing mlx5_core driver functions being called during the crash sequence.

The technical flaw stems from insufficient validation within the speed_show function in the net-sysfs subsystem. When a network device is being shut down, the sysfs interface continues to allow access to device attributes even though the device structure may no longer be valid or accessible. The kernel's device management system maintains a complex state machine for network interfaces, and during shutdown operations, the device state transitions may not be properly synchronized with sysfs access operations. The crash trace demonstrates that the execution path leads through multiple kernel subsystems including mlx5_core driver functions, ethtool interface handlers, and ultimately the sysfs subsystem where the null pointer dereference occurs at the dma_pool_alloc function. This represents a classic race condition vulnerability where the timing of resource cleanup and access operations creates an exploitable condition.

The operational impact of this vulnerability extends beyond simple system instability, potentially allowing for denial of service attacks that could compromise network availability in production environments. During normal system shutdown procedures, this vulnerability could cause unexpected kernel panics, forcing system reboots and disrupting network services. The vulnerability is particularly concerning in data center and cloud environments where high availability is critical, as it could be triggered by legitimate system management operations or malicious actors attempting to disrupt network services. The stack trace shows the vulnerability can be triggered by processes attempting to read network device attributes through sysfs interfaces, which are commonly accessed by monitoring tools, network management applications, and system utilities during normal operations.

Mitigation strategies for CVE-2022-48850 focus on implementing proper device presence checks before allowing access to sysfs attributes. The fix involves adding validation logic to verify that network devices are still present in the kernel's device registry before attempting to access their attributes through the speed_show function. This approach aligns with common security best practices for kernel-level resource management and follows the principle of least privilege by ensuring that access operations only proceed when resources are guaranteed to be valid. The solution directly addresses the underlying race condition by introducing a simple but effective check that prevents access to freed device structures. Organizations should prioritize applying kernel updates that include this fix, particularly in environments running Mellanox mlx5 network adapters where the vulnerability is most likely to be triggered. This vulnerability is classified under CWE-476 as a NULL Pointer Dereference and could potentially be leveraged in privilege escalation scenarios if attackers can control the timing of device shutdown operations, making it a critical security concern for system administrators managing Linux-based networking infrastructure.
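As an added illustration (not the kernel's code and not part of this VulDB entry), the userland C model below reproduces the gate that the fix described in the commit message ("make sure that the netdevice is present") and in the mitigation paragraph above adds to speed_show: the driver's link-settings callback is only reached when both netif_running() and netif_device_present() hold. The state bit positions are those of the kernel's enum netdev_state_t, so the value 0x5 from the "crash> net_device.state" line decodes the same way here (START set, PRESENT clear, NOCARRIER set). Everything else, the cut-down structs, the fake driver callback, the sample speed and the -EFAULT sentinel standing in for the NULL dereference, is constructed for the example.

```c
/* Added userland model of the speed_show() check from the fix for
 * CVE-2022-48850. Illustration code, not kernel code: the structs, the fake
 * driver callback and the -EFAULT sentinel are constructed for the example.
 * Only the state bit positions follow the kernel's enum netdev_state_t. */
#include <stdio.h>
#include <stdbool.h>
#include <errno.h>

/* Bit positions of net_device.state (first three members of the kernel enum) */
enum netdev_state_t {
    __LINK_STATE_START,      /* bit 0: interface is up       -> netif_running() */
    __LINK_STATE_PRESENT,    /* bit 1: driver still attached -> netif_device_present() */
    __LINK_STATE_NOCARRIER,  /* bit 2: no link */
};

/* Fake driver private data (in the real crash: mlx5_core state torn down by shutdown) */
struct driver_priv {
    unsigned int speed_mbps;
};

/* Cut-down model of struct net_device */
struct net_device {
    unsigned long state;
    struct driver_priv *priv;   /* NULL once the device has been removed */
};

static bool netif_running(const struct net_device *dev)
{
    return dev->state & (1UL << __LINK_STATE_START);
}

static bool netif_device_present(const struct net_device *dev)
{
    return dev->state & (1UL << __LINK_STATE_PRESENT);
}

/* Stand-in for the driver's get_link_ksettings callback. A real driver
 * dereferences its private data unconditionally (the dump above faulted in
 * dma_pool_alloc on mlx5's command path); here a missing priv returns the
 * constructed sentinel -EFAULT instead of faulting. */
static int fake_get_link_speed(const struct net_device *dev, unsigned int *speed)
{
    if (!dev->priv)
        return -EFAULT;          /* kernel equivalent: NULL pointer dereference, panic */
    *speed = dev->priv->speed_mbps;
    return 0;
}

/* speed_show() before the fix: only netif_running() gates the driver call */
int speed_show_vulnerable(const struct net_device *dev, unsigned int *speed)
{
    if (!netif_running(dev))
        return -EINVAL;
    return fake_get_link_speed(dev, speed);
}

/* speed_show() with the fix: netif_device_present() is required as well */
int speed_show_fixed(const struct net_device *dev, unsigned int *speed)
{
    if (!netif_running(dev) || !netif_device_present(dev))
        return -EINVAL;
    return fake_get_link_speed(dev, speed);
}

/* Model of netif_device_detach() followed by driver teardown: PRESENT is
 * cleared but START stays set, which is how the dump ended at state 0x5. */
void detach_device(struct net_device *dev)
{
    dev->state &= ~(1UL << __LINK_STATE_PRESENT);
    dev->priv = NULL;
}

/* Run one variant against a device in the given state whose driver data is
 * already gone (the situation in the dump) and return the result code. */
int outcome_for_state(unsigned long state, bool fixed)
{
    struct net_device dev = { .state = state, .priv = NULL };
    unsigned int speed;
    return fixed ? speed_show_fixed(&dev, &speed)
                 : speed_show_vulnerable(&dev, &speed);
}

int main(void)
{
    struct driver_priv priv = { .speed_mbps = 100000 };   /* constructed sample: 100G link */
    struct net_device dev = {
        .state = (1UL << __LINK_STATE_START) | (1UL << __LINK_STATE_PRESENT),
        .priv = &priv,
    };
    unsigned int speed = 0;

    printf("up+present: fixed -> %d, speed %u Mb/s\n", speed_show_fixed(&dev, &speed), speed);

    detach_device(&dev);
    dev.state |= 1UL << __LINK_STATE_NOCARRIER;   /* now 0x5, as shown by "crash> net_device.state" */
    printf("state = 0x%lx: START=%d PRESENT=%d\n", dev.state,
           netif_running(&dev), netif_device_present(&dev));
    printf("vulnerable -> %d (-EFAULT stands for the NULL deref)\n",
           outcome_for_state(dev.state, false));
    printf("fixed      -> %d (-EINVAL, driver never entered)\n",
           outcome_for_state(dev.state, true));
    return 0;
}
```

Built with `cc -o speed_show_model speed_show_model.c`, the program shows that a device in state 0x5 still passes the old netif_running() gate and reaches the driver with its resources gone, while the fixed path returns -EINVAL without touching the driver. The same decoding is a useful habit when reading a crash dump: a net_device.state with bit 0 set and bit 1 clear means "up but detached", exactly the window the fix closes.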

Responsible

Linux

Reservation

07/16/2024

Disclosure

07/16/2024

Moderation

accepted

CPE

ready

EPSS

0.00211

KEV

no

Activities

very low
