CVE-2022-49667 in Linux
Summary
by MITRE • 02/26/2025
In the Linux kernel, the following vulnerability has been resolved:
net: bonding: fix use-after-free after 802.3ad slave unbind
commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection") resolves the case when there are several aggregation groups in the same bond. bond_3ad_unbind_slave will invalidate (clear) the aggregator when __agg_active_ports returns zero. So ad_clear_agg can be executed even when num_of_ports != 0. Then bond_3ad_unbind_slave can be executed again for the previously cleared aggregator. NOTE: at this time bond_3ad_unbind_slave will not update the slave ports list, because lag_ports == NULL. So here we got slave ports pointing to freed aggregator memory.
Fix by checking the actual number of ports in the group (as was done before commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection")), before ad_clear_agg().
The KASAN logs are as follows:
[ 767.617392] ==================================================================
[ 767.630776] BUG: KASAN: use-after-free in bond_3ad_state_machine_handler+0x13dc/0x1470
[ 767.638764] Read of size 2 at addr ffff00011ba9d430 by task kworker/u8:7/767
[ 767.647361] CPU: 3 PID: 767 Comm: kworker/u8:7 Tainted: G O 5.15.11 #15
[ 767.655329] Hardware name: DNI AmazonGo1 A7040 board (DT)
[ 767.660760] Workqueue: lacp_1 bond_3ad_state_machine_handler
[ 767.666468] Call trace:
[ 767.668930] dump_backtrace+0x0/0x2d0
[ 767.672625] show_stack+0x24/0x30
[ 767.675965] dump_stack_lvl+0x68/0x84
[ 767.679659] print_address_description.constprop.0+0x74/0x2b8
[ 767.685451] kasan_report+0x1f0/0x260
[ 767.689148] __asan_load2+0x94/0xd0
[ 767.692667] bond_3ad_state_machine_handler+0x13dc/0x1470
Analysis
by VulDB Data Team • 04/17/2025
CVE-2022-49667 is a critical use-after-free in the Linux kernel's bonding driver, specifically in its 802.3ad link aggregation (LACP) implementation. The flaw occurs while a slave interface is being unbound from an aggregation group: memory that has already been freed is accessed again, which can lead to system instability or exploitation. The root cause is improper handling of aggregator objects when multiple aggregation groups exist within the same bond, a violation of the memory-safety guarantees that kernel stability depends on.
Technically, the bond_3ad_unbind_slave function in the 802.3ad code clears an aggregator as soon as __agg_active_ports returns zero for it. That check was introduced by commit 0622cab0341c, which fixed aggregator reselection but inadvertently created this condition: an aggregator can have no active ports while still having ports in its list (num_of_ports != 0), so ad_clear_agg runs while references to the aggregator still exist. When bond_3ad_unbind_slave later runs again for the previously cleared aggregator, its lag_ports list is already NULL, so the remaining slave ports are never updated and keep pointers to aggregator memory that is freed together with the slave.
This vulnerability manifests through kernel address sanitizer (KASAN) detection, specifically identifying a use-after-free error in the bond_3ad_state_machine_handler function. The memory access violation occurs at address ffff00011ba9d430, where a read operation of size 2 attempts to access memory that has already been freed. The error trace shows this happening within the kworker context, indicating that the issue occurs during asynchronous processing of link state changes, making it particularly challenging to predict and mitigate. The flaw affects the kernel's network subsystem and can potentially lead to denial of service conditions or more severe security implications depending on the execution context and memory layout.
Operationally, the impact goes beyond simple system instability: the bug represents a potential attack surface for denial of service or privilege escalation. An attacker could potentially trigger the condition through specific network configuration patterns involving multiple aggregation groups, causing a crash or memory corruption that might be exploitable. The vulnerability is classified as CWE-416 (use-after-free) and maps to ATT&CK technique T1059.005 for privilege escalation through kernel exploits. The fix restores the original logic that checks the actual number of ports in an aggregation group (num_of_ports) before calling ad_clear_agg, so an aggregator is only cleared when no ports reference it any more. This follows established secure coding practice and addresses the core of the improper memory management.
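As an added illustration of the two port-count checks described in the commit message (the __agg_active_ports() check introduced by 0622cab0341c versus the num_of_ports check restored by the fix), the following C model is not kernel code and not VulDB's; the struct and function names mirror the kernel's but are simplified assumptions, and instead of freeing memory it counts the ports left pointing at a cleared aggregator.

```c
#include <stdbool.h>
#include <stddef.h>

struct port;
struct aggregator {                 /* simplified model of struct aggregator */
    struct port *lag_ports;         /* singly linked list of member ports */
    unsigned num_of_ports;          /* ports in that list, enabled or not */
};
struct port {                       /* simplified model of struct port */
    struct aggregator *aggregator;
    struct port *next_port_in_aggregator;
    bool is_enabled;                /* link up and selected by LACP */
};

/* stand-in for __agg_active_ports(): counts only enabled ports */
static unsigned agg_active_ports(const struct aggregator *agg) {
    unsigned n = 0;
    for (const struct port *p = agg->lag_ports; p; p = p->next_port_in_aggregator)
        n += p->is_enabled;
    return n;
}

/* stand-in for ad_clear_agg(): the aggregator forgets its ports, but the
 * ports are not told, so their port->aggregator keeps pointing at it */
static void clear_agg(struct aggregator *agg) {
    agg->lag_ports = NULL;
    agg->num_of_ports = 0;
}

/* detach one port, then decide whether to clear the aggregator:
 * buggy=true  uses the __agg_active_ports()==0 check from 0622cab0341c,
 * buggy=false uses the num_of_ports==0 check restored by the fix */
static void unbind_port(struct aggregator *agg, struct port *port, bool buggy) {
    for (struct port **pp = &agg->lag_ports; *pp; pp = &(*pp)->next_port_in_aggregator)
        if (*pp == port) {
            *pp = port->next_port_in_aggregator;
            port->aggregator = NULL;
            agg->num_of_ports--;
            break;
        }
    if ((buggy ? agg_active_ports(agg) : agg->num_of_ports) == 0)
        clear_agg(agg);
}

/* Constructed scenario: p1 (link up) and p2 (link down) share one aggregator
 * and p1 is unbound. Returns how many ports still reference an aggregator
 * that no longer lists them, i.e. future dangling pointers. */
int orphaned_ports_after_unbind(bool buggy) {
    struct aggregator agg = { NULL, 2 };
    struct port p2 = { &agg, NULL, false };
    struct port p1 = { &agg, &p2, true };
    agg.lag_ports = &p1;
    unbind_port(&agg, &p1, buggy);
    return (agg.lag_ports == NULL && p2.aggregator == &agg) ? 1 : 0;
}
```

With the buggy check the inactive p2 is left referencing a cleared aggregator; with the restored check the aggregator is kept until its last port leaves.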
The resolution demonstrates the importance of careful change management in kernel development, where seemingly beneficial fixes can introduce regressions that create new security vulnerabilities. The fix restores proper port counting logic that was previously present in the codebase, ensuring that aggregator cleanup only occurs when truly appropriate. This vulnerability highlights the complexity of network driver development in kernel space and the critical need for thorough testing of race conditions and memory management scenarios. Organizations should prioritize patching this vulnerability immediately, as it affects the core networking capabilities of Linux systems and represents a potential vector for both system compromise and service disruption. The fix maintains backward compatibility while restoring the intended security properties of the bonding driver's 802.3ad implementation, ensuring proper memory lifecycle management throughout the aggregation group management process.