CVE-2022-48865

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48865
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48865.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-48865
Published
2024-07-16T12:25:27Z
Modified
2025-10-14T20:30:12.806599Z
Summary
tipc: fix kernel panic when enabling bearer
Details

In the Linux kernel, the following vulnerability has been resolved:

tipc: fix kernel panic when enabling bearer

When enabling a bearer on a node, a kernel panic is observed:

[ 4.498085] RIP: 0010:tipc_mon_prep+0x4e/0x130 [tipc]
...
[ 4.520030] Call Trace:
[ 4.520689]  <IRQ>
[ 4.521236]  tipc_link_build_proto_msg+0x375/0x750 [tipc]
[ 4.522654]  tipc_link_build_state_msg+0x48/0xc0 [tipc]
[ 4.524034]  __tipc_node_link_up+0xd7/0x290 [tipc]
[ 4.525292]  tipc_rcv+0x5da/0x730 [tipc]
[ 4.526346]  ? __netif_receive_skb_core+0xb7/0xfc0
[ 4.527601]  tipc_l2_rcv_msg+0x5e/0x90 [tipc]
[ 4.528737]  __netif_receive_skb_list_core+0x20b/0x260
[ 4.530068]  netif_receive_skb_list_internal+0x1bf/0x2e0
[ 4.531450]  ? dev_gro_receive+0x4c2/0x680
[ 4.532512]  napi_complete_done+0x6f/0x180
[ 4.533570]  virtnet_poll+0x29c/0x42e [virtio_net]
...

The node in question is receiving activate messages in another thread after changing bearer status to allow message sending/receiving in current thread:

         thread 1           |              thread 2
         --------           |              --------
                            |
tipc_enable_bearer()        |
  test_and_set_bit_lock()   |
    tipc_bearer_xmit_skb()  |
                            | tipc_l2_rcv_msg()
                            |   tipc_rcv()
                            |     __tipc_node_link_up()
                            |       tipc_link_build_state_msg()
                            |         tipc_link_build_proto_msg()
                            |           tipc_mon_prep()
                            |           {
                            |             ...
                            |             // null-pointer dereference
                            |             u16 gen = mon->dom_gen;
                            |             ...
                            |           }
  // Not being executed yet |
  tipc_mon_create()         |
  {                         |
    ...                     |
    // allocate             |
    mon = kzalloc();        |
    ...                     |
  }                         |

Monitoring pointer in thread 2 is dereferenced before monitoring data is allocated in thread 1. This causes kernel panic.

This commit fixes it by allocating the monitoring data before enabling the bearer to receive messages.

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
35c55c9877f8de0ab129fa1a309271d0ecc868b9
Fixed
2de76d37d4a6dca9b96ea51da24d4290e6cfa1a5
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
35c55c9877f8de0ab129fa1a309271d0ecc868b9
Fixed
f96dc3adb9a97b8f3dfdb88796483491a3006b71
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
35c55c9877f8de0ab129fa1a309271d0ecc868b9
Fixed
f4f59fdbc748805b08c13dae14c01f0518c77c94
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
35c55c9877f8de0ab129fa1a309271d0ecc868b9
Fixed
be4977b847f5d5cedb64d50eaaf2218c3a55a3a3

Affected versions

v4.*

v4.10
v4.10-rc1
v4.10-rc2
v4.10-rc3
v4.10-rc4
v4.10-rc5
v4.10-rc6
v4.10-rc7
v4.10-rc8
v4.11
v4.11-rc1
v4.11-rc2
v4.11-rc3
v4.11-rc4
v4.11-rc5
v4.11-rc6
v4.11-rc7
v4.11-rc8
v4.12
v4.12-rc1
v4.12-rc2
v4.12-rc3
v4.12-rc4
v4.12-rc5
v4.12-rc6
v4.12-rc7
v4.13
v4.13-rc1
v4.13-rc2
v4.13-rc3
v4.13-rc4
v4.13-rc5
v4.13-rc6
v4.13-rc7
v4.14
v4.14-rc1
v4.14-rc2
v4.14-rc3
v4.14-rc4
v4.14-rc5
v4.14-rc6
v4.14-rc7
v4.14-rc8
v4.15
v4.15-rc1
v4.15-rc2
v4.15-rc3
v4.15-rc4
v4.15-rc5
v4.15-rc6
v4.15-rc7
v4.15-rc8
v4.15-rc9
v4.16
v4.16-rc1
v4.16-rc2
v4.16-rc3
v4.16-rc4
v4.16-rc5
v4.16-rc6
v4.16-rc7
v4.17
v4.17-rc1
v4.17-rc2
v4.17-rc3
v4.17-rc4
v4.17-rc5
v4.17-rc6
v4.17-rc7
v4.18
v4.18-rc1
v4.18-rc2
v4.18-rc3
v4.18-rc4
v4.18-rc5
v4.18-rc6
v4.18-rc7
v4.18-rc8
v4.19
v4.19-rc1
v4.19-rc2
v4.19-rc3
v4.19-rc4
v4.19-rc5
v4.19-rc6
v4.19-rc7
v4.19-rc8
v4.20
v4.20-rc1
v4.20-rc2
v4.20-rc3
v4.20-rc4
v4.20-rc5
v4.20-rc6
v4.20-rc7
v4.7
v4.7-rc3
v4.7-rc4
v4.7-rc5
v4.7-rc6
v4.7-rc7
v4.8
v4.8-rc1
v4.8-rc2
v4.8-rc3
v4.8-rc4
v4.8-rc5
v4.8-rc6
v4.8-rc7
v4.8-rc8
v4.9
v4.9-rc1
v4.9-rc2
v4.9-rc3
v4.9-rc4
v4.9-rc5
v4.9-rc6
v4.9-rc7
v4.9-rc8

v5.*

v5.0
v5.0-rc1
v5.0-rc2
v5.0-rc3
v5.0-rc4
v5.0-rc5
v5.0-rc6
v5.0-rc7
v5.0-rc8
v5.1
v5.1-rc1
v5.1-rc2
v5.1-rc3
v5.1-rc4
v5.1-rc5
v5.1-rc6
v5.1-rc7
v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.10.1
v5.10.10
v5.10.100
v5.10.101
v5.10.102
v5.10.103
v5.10.104
v5.10.105
v5.10.11
v5.10.12
v5.10.13
v5.10.14
v5.10.15
v5.10.16
v5.10.17
v5.10.18
v5.10.19
v5.10.2
v5.10.20
v5.10.21
v5.10.22
v5.10.23
v5.10.24
v5.10.25
v5.10.26
v5.10.27
v5.10.28
v5.10.29
v5.10.3
v5.10.30
v5.10.31
v5.10.32
v5.10.33
v5.10.34
v5.10.35
v5.10.36
v5.10.37
v5.10.38
v5.10.39
v5.10.4
v5.10.40
v5.10.41
v5.10.42
v5.10.43
v5.10.44
v5.10.45
v5.10.46
v5.10.47
v5.10.48
v5.10.49
v5.10.5
v5.10.50
v5.10.51
v5.10.52
v5.10.53
v5.10.54
v5.10.55
v5.10.56
v5.10.57
v5.10.58
v5.10.59
v5.10.6
v5.10.60
v5.10.61
v5.10.62
v5.10.63
v5.10.64
v5.10.65
v5.10.66
v5.10.67
v5.10.68
v5.10.69
v5.10.7
v5.10.70
v5.10.71
v5.10.72
v5.10.73
v5.10.74
v5.10.75
v5.10.76
v5.10.77
v5.10.78
v5.10.79
v5.10.8
v5.10.80
v5.10.81
v5.10.82
v5.10.83
v5.10.84
v5.10.85
v5.10.86
v5.10.87
v5.10.88
v5.10.89
v5.10.9
v5.10.90
v5.10.91
v5.10.92
v5.10.93
v5.10.94
v5.10.95
v5.10.96
v5.10.97
v5.10.98
v5.10.99
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.3
v5.15.4
v5.15.5
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.16.1
v5.16.10
v5.16.11
v5.16.12
v5.16.13
v5.16.14
v5.16.2
v5.16.3
v5.16.4
v5.16.5
v5.16.6
v5.16.7
v5.16.8
v5.16.9
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.2
v5.2-rc1
v5.2-rc2
v5.2-rc3
v5.2-rc4
v5.2-rc5
v5.2-rc6
v5.2-rc7
v5.3
v5.3-rc1
v5.3-rc2
v5.3-rc3
v5.3-rc4
v5.3-rc5
v5.3-rc6
v5.3-rc7
v5.3-rc8
v5.4
v5.4-rc1
v5.4-rc2
v5.4-rc3
v5.4-rc4
v5.4-rc5
v5.4-rc6
v5.4-rc7
v5.4-rc8
v5.5
v5.5-rc1
v5.5-rc2
v5.5-rc3
v5.5-rc4
v5.5-rc5
v5.5-rc6
v5.5-rc7
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.8.0
Fixed
5.10.106
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.29
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.16.15