Description
In the Linux kernel, the following vulnerability has been resolved: net/iucv: fix use after free in iucv_sock_close() iucv_sever_path() is called from process context and from bh context. iucv->path is used as indicator whether somebody else is taking care of severing the path (or it is already removed / never existed). This needs to be done with atomic compare and swap, otherwise there is a small window where iucv_sock_close() will try to work with a path that has already been severed and freed by iucv_callback_connrej() called by iucv_tasklet_fn(). Example: [452744.123844] Call Trace: [452744.123845] ([] 0x1e87f03880) [452744.123966] [] iucv_path_sever+0x96/0x138 [452744.124330] [] iucv_sever_path+0xc2/0xd0 [af_iucv] [452744.124336] [] iucv_sock_close+0xa6/0x310 [af_iucv] [452744.124341] [] iucv_sock_release+0x3c/0xd0 [af_iucv] [452744.124345] [] __sock_release+0x5e/0xe8 [452744.124815] [] sock_close+0x34/0x48 [452744.124820] [] __fput+0xba/0x268 [452744.124826] [] task_work_run+0xbc/0xf0 [452744.124832] [] do_notify_resume+0x88/0x90 [452744.124841] [] system_call+0xe2/0x2c8 [452744.125319] Last Breaking-Event-Address: [452744.125321] [] iucv_path_sever+0x90/0x138 [452744.125324] [452744.125325] Kernel panic - not syncing: Fatal exception in interrupt Note that bh_lock_sock() is not serializing the tasklet context against process context, because the check for sock_owned_by_user() and corresponding handling is missing. Ideas for a future clean-up patch: A) Correct usage of bh_lock_sock() in tasklet context, as described in Re-enqueue, if needed. This may require adding return values to the tasklet functions and thus changes to all users of iucv. B) Change iucv tasklet into worker and use only lock_sock() in af_iucv.
Details
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Packages
| Software | From version | Fixed in |
|---|---|---|
| linux-kernel | — | — |
References
Similar Threats
- High CVE-2022-0400
- Medium CVE-2022-0480
- Medium CVE-2022-0168
- Medium CVE-2022-0171
- Medium CVE-2022-0322
Site Security Check
Concerned your site may already be targeted?
BotEraser analyzes incoming traffic patterns and helps identify bot behavior consistent with known exploit attempts.
Check My Site Free →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the vulnerabilities listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.