CVE-2022-49149 in Linux
Summary
by MITRE • 02/26/2025
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix call timer start racing with call destruction
The rxrpc_call struct has a timer used to handle various timed events relating to a call. This timer can get started from the packet input routines that are run in softirq mode with just the RCU read lock held. Unfortunately, because only the RCU read lock is held - and neither ref or other lock is taken - the call can start getting destroyed at the same time a packet comes in addressed to that call. This causes the timer - which was already stopped - to get restarted. Later, the timer dispatch code may then oops if the timer got deallocated first.
Fix this by trying to take a ref on the rxrpc_call struct and, if successful, passing that ref along to the timer. If the timer was already running, the ref is discarded.
The timer completion routine can then pass the ref along to the call's work item when it queues it. If the timer or work item were already queued/running, the extra ref is discarded.
Analysis
by VulDB Data Team • 03/05/2025
The vulnerability identified as CVE-2022-49149 resides in the Linux kernel's rxrpc subsystem (the AF_RXRPC socket family, the kernel's implementation of the Rx remote procedure call protocol), specifically in the lifecycle management of the rxrpc_call structure. It is a classic race condition in which two concurrent operations on the same object lead to a use-after-free and a kernel oops. Each rxrpc_call carries a timer that drives timed events for the call (timeouts, retransmission and similar lifecycle events). Incoming packets for a call are processed in softirq context with only the RCU read lock held, which lets the packet path find and touch a call that is, at the same moment, being destroyed.
The flaw is insufficient synchronization when the packet input routines start the call timer. The RCU read lock only guarantees that the memory behind the rxrpc_call has not yet been freed; it does not prevent the call's reference count from reaching zero or its destruction from proceeding. Because the packet path takes neither a reference nor any other lock, a packet can arrive for a call whose destruction has already stopped the timer, and the packet path restarts that timer on a call that is about to be released. When the timer later fires, its callback dereferences a call, and the timer embedded in it, that may already have been deallocated. The result is a use-after-free in the timer completion path and the kernel oops described in the fix.
The impact supported by the fix description is a kernel oops, that is, a crash of the affected host and therefore a denial of service. The race is triggered by a packet addressed to a call that is concurrently being torn down, so it can be hit by network traffic during normal call teardown rather than requiring local access; the commit message makes no claim of privilege escalation, and any further exploitation of the freed timer beyond the crash would be speculative. Affected systems are those running a vulnerable kernel with the rxrpc module loaded and in use (for example, kAFS clients); hosts that never load rxrpc do not expose the vulnerable code path, which can be checked with lsmod. In CWE terms this is CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization, a race condition) leading to CWE-416 (Use After Free), a combination that is serious in kernel context because the freed memory is dereferenced in softirq or timer context where a fault brings down the whole system. The corresponding ATT&CK technique is T1499.004 (Endpoint Denial of Service: Application or System Exploitation).
The fix adopted by the kernel maintainers replaces the unprotected timer start with reference passing. The packet input path now tries to take a reference on the rxrpc_call (a try-get that fails once the refcount has already dropped to zero, so a call that is being destroyed is never touched); on success the reference is handed to the timer, and if the timer was already running the extra reference is simply dropped. When the timer expires, its reference is passed on to the call's work item as it is queued, and again discarded if the work item was already queued or running. The effect is that a call cannot reach its final free while a timer or work item that will dereference it is still pending, which closes the window rather than narrowing it. System administrators should apply a kernel that carries this fix; until then, the practical exposure is limited to hosts that actually use AF_RXRPC.
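The following userspace model illustrates both the race described in the analysis above and the reference-passing fix described in the mitigation paragraph. It is an added example, not kernel code and not part of the original page or the upstream fix: struct call, the helper names and the explicit "cleanup then RCU free" steps are assumptions standing in for rxrpc_call, refcount_t, the call's timer_list and its work item.

```c
/* Model of CVE-2022-49149: the call timer restarted from the packet-input path during
 * teardown, and the fix that hands a reference from packet path to timer to work item.
 * Added illustration only; names and the cleanup/RCU steps are assumptions. */
#include <stdbool.h>

enum { CALL_OK = 0, CALL_OOPS = 1 };

struct call {
    unsigned int refs;     /* models refcount_t; 0 means the call is being destroyed */
    bool freed;            /* set by the deferred (RCU) free; touching the call after this is the oops */
    bool timer_pending;    /* models timer_pending(&call->timer) */
    bool timer_holds_ref;  /* fix: an armed timer owns one reference on the call */
    bool work_queued;      /* models the call's work item being queued */
    bool work_holds_ref;   /* fix: a queued work item owns the ref the timer handed over */
    int oopses;            /* timer callbacks that ran against freed memory */
};

/* refcount_inc_not_zero(): succeeds only while somebody still holds the call. */
static bool try_get_call(struct call *c)
{
    if (c->refs == 0)
        return false;
    c->refs++;
    return true;
}

/* Dropping the last ref runs cleanup, which stops the timer; the memory is freed later. */
static void put_call(struct call *c)
{
    if (--c->refs == 0) {
        c->timer_pending = false;
        c->timer_holds_ref = false;
    }
}

static void rcu_free_call(struct call *c) { c->freed = true; }

/* Pre-fix packet-input behaviour: arm the timer holding nothing but a raw pointer. */
static void start_timer_unfixed(struct call *c) { c->timer_pending = true; }

/* Post-fix behaviour: take a ref first, hand it to the timer, or discard it if the timer
 * is already armed. A call whose refcount is already zero is left alone. */
static void start_timer_fixed(struct call *c)
{
    if (!try_get_call(c))
        return;
    if (c->timer_pending) {
        put_call(c);                    /* timer already running: extra ref discarded */
        return;
    }
    c->timer_pending = true;
    c->timer_holds_ref = true;
}

/* Timer expiry: pass the timer's ref to the work item, or drop it if work is already
 * queued. Running against a freed call is the crash the advisory describes. */
static int timer_expired(struct call *c)
{
    c->timer_pending = false;
    if (c->freed) {
        c->oopses++;
        return CALL_OOPS;
    }
    bool ref = c->timer_holds_ref;
    c->timer_holds_ref = false;
    if (c->work_queued) {
        if (ref)
            put_call(c);
        return CALL_OK;
    }
    c->work_queued = true;
    c->work_holds_ref = ref;
    return CALL_OK;
}

/* The work item drops the reference it inherited when it finishes. */
static void run_work(struct call *c)
{
    c->work_queued = false;
    if (c->work_holds_ref) {
        c->work_holds_ref = false;
        put_call(c);
    }
}

/* Interleaving from the fix description: the last ref is dropped and the timer stopped,
 * then a packet arrives under the RCU read lock before the memory is actually freed.
 * Returns the number of oopses: 1 unfixed, 0 fixed. */
int race_packet_during_destruction(bool fixed)
{
    struct call c = { .refs = 1 };
    put_call(&c);                       /* owner drops the last ref: refs 0, timer stopped */
    if (fixed)
        start_timer_fixed(&c);          /* try_get fails, timer stays stopped */
    else
        start_timer_unfixed(&c);        /* timer restarted on a dying call */
    rcu_free_call(&c);                  /* grace period ends, memory is gone */
    if (c.timer_pending)
        timer_expired(&c);
    return c.oopses;
}

/* Normal lifetime under the fix: the timer's ref outlives the owner's put, a duplicate
 * start while armed is absorbed, and the work item's final put releases the call. */
bool fixed_lifetime_is_balanced(void)
{
    struct call c = { .refs = 1 };
    start_timer_fixed(&c);              /* refs 2, timer armed holding one */
    start_timer_fixed(&c);              /* already pending: ref taken then discarded, refs 2 */
    put_call(&c);                       /* owner's put: refs 1, call kept alive for the timer */
    timer_expired(&c);                  /* ref handed to the work item */
    run_work(&c);                       /* work's put: refs 0, cleanup */
    rcu_free_call(&c);
    return c.refs == 0 && c.oopses == 0 && !c.timer_pending && !c.work_queued;
}
```

The model deliberately separates "refcount reached zero" from "memory freed", because that gap is exactly the window the RCU read lock keeps open for the packet path; the unfixed start restarts the timer inside it, while the fixed start fails its try-get and never touches the dying call.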