CVE-2022-49636

{"id": "CVE-2022-49636", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-02-26T07:01:38.827", "references": [{"url": "https://git.kernel.org/stable/c/4c43069bb1097dd6cc1cf0f7c43a36d1f7b3910b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/549de58dba4bf1b2adc72e9948b9c76fa88be9d2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/72a0b329114b1caa8e69dfa7cdad1dd3c69b8602", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/df27729a4fe0002dfd80c96fe1c142829c672728", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f5dc10b910bdac523e5947336445a77066c51bf9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-401"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvlan: fix memory leak in vlan_newlink()\n\nBlamed commit added back a bug I fixed in commit 9bbd917e0bec\n(\"vlan: fix memory leak in vlan_dev_set_egress_priority\")\n\nIf a memory allocation fails in vlan_changelink() after other allocations\nsucceeded, we need to call vlan_dev_free_egress_priority()\nto free all allocated memory because after a failed ->newlink()\nwe do not call any methods like ndo_uninit() or dev->priv_destructor().\n\nIn following example, if the allocation for last element 2000:2001 fails,\nwe need to free eight prior allocations:\n\nip link add link dummy0 dummy0.100 type vlan id 100 \\\n\tegress-qos-map 1:2 2:3 3:4 4:5 5:6 6:7 7:8 8:9 2000:2001\n\nsyzbot report was:\n\nBUG: memory leak\nunreferenced object 0xffff888117bd1060 (size 32):\ncomm \"syz-executor408\", pid 3759, jiffies 4294956555 (age 34.090s)\nhex dump (first 32 bytes):\n09 00 00 00 00 a0 00 00 00 00 00 00 00 00 00 00 ................\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\nbacktrace:\n[<ffffffff83fc60ad>] kmalloc include/linux/slab.h:600 [inline]\n[<ffffffff83fc60ad>] vlan_dev_set_egress_priority+0xed/0x170 net/8021q/vlan_dev.c:193\n[<ffffffff83fc6628>] vlan_changelink+0x178/0x1d0 net/8021q/vlan_netlink.c:128\n[<ffffffff83fc67c8>] vlan_newlink+0x148/0x260 net/8021q/vlan_netlink.c:185\n[<ffffffff838b1278>] rtnl_newlink_create net/core/rtnetlink.c:3363 [inline]\n[<ffffffff838b1278>] __rtnl_newlink+0xa58/0xdc0 net/core/rtnetlink.c:3580\n[<ffffffff838b1629>] rtnl_newlink+0x49/0x70 net/core/rtnetlink.c:3593\n[<ffffffff838ac66c>] rtnetlink_rcv_msg+0x21c/0x5c0 net/core/rtnetlink.c:6089\n[<ffffffff839f9c37>] netlink_rcv_skb+0x87/0x1d0 net/netlink/af_netlink.c:2501\n[<ffffffff839f8da7>] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n[<ffffffff839f8da7>] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345\n[<ffffffff839f9266>] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921\n[<ffffffff8384dbf6>] sock_sendmsg_nosec net/socket.c:714 [inline]\n[<ffffffff8384dbf6>] sock_sendmsg+0x56/0x80 net/socket.c:734\n[<ffffffff8384e15c>] ____sys_sendmsg+0x36c/0x390 net/socket.c:2488\n[<ffffffff838523cb>] ___sys_sendmsg+0x8b/0xd0 net/socket.c:2542\n[<ffffffff838525b8>] __sys_sendmsg net/socket.c:2571 [inline]\n[<ffffffff838525b8>] __do_sys_sendmsg net/socket.c:2580 [inline]\n[<ffffffff838525b8>] __se_sys_sendmsg net/socket.c:2578 [inline]\n[<ffffffff838525b8>] __x64_sys_sendmsg+0x78/0xf0 net/socket.c:2578\n[<ffffffff845ad8d5>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n[<ffffffff845ad8d5>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n[<ffffffff8460006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: vlan: arregla la p\u00e9rdida de memoria en vlan_newlink() El commit culpable agreg\u00f3 un error que arregl\u00e9 en el commit 9bbd917e0bec (\"vlan: arregla la p\u00e9rdida de memoria en vlan_dev_set_egress_priority\") Si una asignaci\u00f3n de memoria falla en vlan_changelink() despu\u00e9s de que otras asignaciones tuvieron \u00e9xito, debemos llamar a vlan_dev_free_egress_priority() para liberar toda la memoria asignada porque despu\u00e9s de un -&gt;newlink() fallido no llamamos a ning\u00fan m\u00e9todo como ndo_uninit() o dev-&gt;priv_destructor(). En el siguiente ejemplo, si falla la asignaci\u00f3n del \u00faltimo elemento 2000:2001, necesitamos liberar ocho asignaciones anteriores: ip link add link dummy0 dummy0.100 type vlan id 100 \\ egress-qos-map 1:2 2:3 3:4 4:5 5:6 6:7 7:8 8:9 2000:2001 el informe de syzbot fue: ERROR: p\u00e9rdida de memoria objeto no referenciado 0xffff888117bd1060 (size 32): comm \"syz-executor408\", pid 3759, jiffies 4294956555 (age 34.090s) hex dump (first 32 bytes): 09 00 00 00 00 a0 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [] kmalloc include/linux/slab.h:600 [inline] [] vlan_dev_set_egress_priority+0xed/0x170 net/8021q/vlan_dev.c:193 [] vlan_changelink+0x178/0x1d0 net/8021q/vlan_netlink.c:128 [] vlan_newlink+0x148/0x260 net/8021q/vlan_netlink.c:185 [] rtnl_newlink_create net/core/rtnetlink.c:3363 [inline] [] __rtnl_newlink+0xa58/0xdc0 net/core/rtnetlink.c:3580 [] rtnl_newlink+0x49/0x70 net/core/rtnetlink.c:3593 [] rtnetlink_rcv_msg+0x21c/0x5c0 net/core/rtnetlink.c:6089 [] netlink_rcv_skb+0x87/0x1d0 net/netlink/af_netlink.c:2501 [] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] [] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345 [] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921 [] sock_sendmsg_nosec net/socket.c:714 [inline] [] sock_sendmsg+0x56/0x80 net/socket.c:734 [] ____sys_sendmsg+0x36c/0x390 net/socket.c:2488 [] ___sys_sendmsg+0x8b/0xd0 net/socket.c:2542 [] __sys_sendmsg net/socket.c:2571 [inline] [] __do_sys_sendmsg net/socket.c:2580 [inline] [] __se_sys_sendmsg net/socket.c:2578 [inline] [] __x64_sys_sendmsg+0x78/0xf0 net/socket.c:2578 [] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 [] entry_SYSCALL_64_after_hwframe+0x46/0xb0 "}], "lastModified": "2025-04-10T13:15:43.703", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "129FDDA3-732E-48A0-BD90-B3D54CFC4E7E", "versionEndExcluding": "5.16", "versionStartIncluding": "5.15.142"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B8B21C94-C38C-4A91-8580-6D05C6F95378", "versionEndExcluding": "5.18.13", "versionStartIncluding": "5.17"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A8C30C2D-F82D-4D37-AB48-D76ABFBD5377"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF8547FC-C849-4F1B-804B-A93AE2F04A92"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F3068028-F453-4A1C-B80F-3F5609ACEF60"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2E9C0DB0-D349-489F-A3D6-B77214E93A8A"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1A0DE3B7-0FFB-45AA-9BD6-19870CA7C6FD"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "00AE778B-BAEE-49EB-9F84-003B73D7862A"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}