CVE-2022-49856 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

net: tun: call napi_schedule_prep() to ensure we own a napi

A recent patch exposed another issue in napi_get_frags() caught by syzbot [1]

Before feeding packets to GRO, and calling napi_complete() we must first grab NAPI_STATE_SCHED.

[1]
WARNING: CPU: 0 PID: 3612 at net/core/dev.c:6076 napi_complete_done+0x45b/0x880 net/core/dev.c:6076 Modules linked in: CPU: 0 PID: 3612 Comm: syz-executor408 Not tainted 6.1.0-rc3-syzkaller-00175-g1118b2049d77 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 RIP: 0010:napi_complete_done+0x45b/0x880 net/core/dev.c:6076 Code: c1 ea 03 0f b6 14 02 4c 89 f0 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 24 04 00 00 41 89 5d 1c e9 73 fc ff ff e8 b5 53 22 fa 0b e9 82 fe ff ff e8 a9 53 22 fa 48 8b 5c 24 08 31 ff 48 89 de RSP: 0018:ffffc90003c4f920 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000030 RCX: 0000000000000000 RDX: ffff8880251c0000 RSI: ffffffff875a58db RDI: 0000000000000007 RBP: 0000000000000001 R08: 0000000000000007 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffff888072d02628 R13: ffff888072d02618 R14: ffff888072d02634 R15: 0000000000000000 FS: 0000555555f13300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055c44d3892b8 CR3: 00000000172d2000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace:

napi_complete include/linux/netdevice.h:510 [inline]
tun_get_user+0x206d/0x3a60 drivers/net/tun.c:1980 tun_chr_write_iter+0xdb/0x200 drivers/net/tun.c:2027 call_write_iter include/linux/fs.h:2191 [inline]
do_iter_readv_writev+0x20b/0x3b0 fs/read_write.c:735 do_iter_write+0x182/0x700 fs/read_write.c:861 vfs_writev+0x1aa/0x630 fs/read_write.c:934 do_writev+0x133/0x2f0 fs/read_write.c:977 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f37021a3c19

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 05/01/2025

The vulnerability described in CVE-2022-49856 affects the Linux kernel's TUN network driver implementation and specifically involves improper handling of NAPI (Network API) state management during packet processing. This flaw occurs in the tun_get_user function within the TUN driver where the code fails to properly acquire the NAPI_STATE_SCHED state before completing packet processing and calling napi_complete_done. The issue was exposed by a recent patch that inadvertently created a race condition in the napi_get_frags() function, which is part of the Generic Receive Offload (GRO) mechanism used to aggregate multiple small packets into larger ones for more efficient processing.

The technical root cause stems from a missing synchronization primitive in the network packet processing flow. When the TUN driver processes packets from user space, it must ensure that the NAPI structure is properly scheduled before completing packet handling operations. Without calling napi_schedule_prep() first, the driver attempts to call napi_complete_done() on a NAPI structure that may not be in the expected scheduled state. This leads to a kernel memory corruption scenario where the kernel attempts to manipulate data structures that are not properly locked or owned by the current execution context. The crash occurs at net/core/dev.c:6076 in the napi_complete_done function, indicating that the kernel's NAPI subsystem detects an inconsistent state during cleanup operations.

This vulnerability has significant operational impact as it can lead to kernel crashes and system instability when TUN devices are actively processing network traffic. The issue is particularly concerning because it affects network virtualization and tunneling functionality that is widely used in cloud environments, container networking, and virtual machine setups. The vulnerability exposes a race condition that could potentially be exploited by malicious actors to cause denial of service attacks or in rare cases, achieve privilege escalation depending on the kernel configuration and attack surface. The syzbot fuzzing system that detected this issue indicates that it is a reproducible kernel bug that could be triggered through normal network device operations.

Mitigation strategies include applying the patched kernel version that properly implements napi_schedule_prep() before napi_complete_done() calls, ensuring that all NAPI state transitions are properly synchronized. System administrators should prioritize updating their kernel versions to include the fix, particularly in production environments that utilize TUN devices or network virtualization technologies. The fix aligns with CWE-362 which addresses concurrent execution using shared resources, and the vulnerability demonstrates characteristics consistent with ATT&CK technique T1499.004 which involves network denial of service attacks through kernel exploitation. Organizations should also implement monitoring for kernel oops messages and system crashes related to NAPI subsystems to detect potential exploitation attempts. The fix requires careful consideration of the broader impact on network performance since proper NAPI state management directly affects packet processing efficiency and system resource utilization.

Responsible

Linux

Reservation

05/01/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!