In the Linux kernel, the following vulnerability has been resolved:
s390/qeth: fix use-after-free in hsci
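KASAN found that addr was dereferenced after br2dev_event_work was freed. In the report below, both the free and the later 1-byte read of the freed 96-byte object occur inside qeth_l2_br2dev_worker, the function targeted by the signatures in this record. (The extraction stripped underscores from the symbol names in the trace, so qethl2br2devworker there is qeth_l2_br2dev_worker.)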
================================================================== BUG: KASAN: use-after-free in qethl2br2devworker+0x5ba/0x6b0 Read of size 1 at addr 00000000fdcea440 by task kworker/u760:4/540 CPU: 17 PID: 540 Comm: kworker/u760:4 Tainted: G E 6.1.0-20221128.rc7.git1.5aa3bed4ce83.300.fc36.s390x+kasan #1 Hardware name: IBM 8561 T01 703 (LPAR) Workqueue: 0.0.8000event qethl2br2devworker Call Trace: [<000000016944d4ce>] dumpstacklvl+0xc6/0xf8 [<000000016942cd9c>] printaddressdescription.constprop.0+0x34/0x2a0 [<000000016942d118>] printreport+0x110/0x1f8 [<0000000167a7bd04>] kasanreport+0xfc/0x128 [<000000016938d79a>] qethl2br2devworker+0x5ba/0x6b0 [<00000001673edd1e>] processonework+0x76e/0x1128 [<00000001673ee85c>] workerthread+0x184/0x1098 [<000000016740718a>] kthread+0x26a/0x310 [<00000001672c606a>] retfromfork+0x8a/0xe8 [<00000001694711da>] retfromfork+0xa/0x40 Allocated by task 108338: kasansavestack+0x40/0x68 kasansettrack+0x36/0x48 _kasankmalloc+0xa0/0xc0 qethl2switchdevevent+0x25a/0x738 atomicnotifiercallchain+0x9c/0xf8 brswitchdevfdbnotify+0xf4/0x110 fdbnotify+0x122/0x180 fdbaddentry.constprop.0.isra.0+0x312/0x558 brfdbadd+0x59e/0x858 rtnlfdbadd+0x58a/0x928 rtnetlinkrcvmsg+0x5f8/0x8d8 netlinkrcvskb+0x1f2/0x408 netlinkunicast+0x570/0x790 netlinksendmsg+0x752/0xbe0 socksendmsg+0xca/0x110 syssendmsg+0x510/0x6a8 syssendmsg+0x12a/0x180 _syssendmsg+0xe6/0x168 _dosyssocketcall+0x3c8/0x468 dosyscall+0x22c/0x328 _dosyscall+0x94/0xf0 systemcall+0x82/0xb0 Freed by task 540: kasansavestack+0x40/0x68 kasansettrack+0x36/0x48 kasansavefreeinfo+0x4c/0x68 _kasanslabfree+0x14e/0x1a8 kasanslabfree+0x24/0x30 _kmemcachefree+0x168/0x338 qethl2br2devworker+0x154/0x6b0 processonework+0x76e/0x1128 workerthread+0x184/0x1098 kthread+0x26a/0x310 _retfromfork+0x8a/0xe8 retfromfork+0xa/0x40 Last potentially related work creation: kasansavestack+0x40/0x68 _kasanrecordauxstack+0xbe/0xd0 insertwork+0x56/0x2e8 _queuework+0x4ce/0xd10 queueworkon+0xf4/0x100 qethl2switchdevevent+0x520/0x738 
atomicnotifiercallchain+0x9c/0xf8 brswitchdevfdbnotify+0xf4/0x110 fdbnotify+0x122/0x180 fdbaddentry.constprop.0.isra.0+0x312/0x558 brfdbadd+0x59e/0x858 rtnlfdbadd+0x58a/0x928 rtnetlinkrcvmsg+0x5f8/0x8d8 netlinkrcvskb+0x1f2/0x408 netlinkunicast+0x570/0x790 netlinksendmsg+0x752/0xbe0 socksendmsg+0xca/0x110 syssendmsg+0x510/0x6a8 _syssendmsg+0x12a/0x180 _syssendmsg+0xe6/0x168 _dosyssocketcall+0x3c8/0x468 dosyscall+0x22c/0x328 _dosyscall+0x94/0xf0 systemcall+0x82/0xb0 Second to last potentially related work creation: kasansavestack+0x40/0x68 _kasanrecordauxstack+0xbe/0xd0 kvfreecallrcu+0xb2/0x760 kernfsunlinkopenfile+0x348/0x430 kernfsfoprelease+0xc2/0x320 _fput+0x1ae/0x768 taskworkrun+0x1bc/0x298 exittousermodeprepare+0x1a0/0x1a8 _dosyscall+0x94/0xf0 systemcall+0x82/0xb0 The buggy address belongs to the object at 00000000fdcea400 which belongs to the cache kmalloc-96 of size 96 The buggy address is located 64 bytes inside of 96-byte region [00000000fdcea400, 00000000fdcea460) The buggy address belongs to the physical page: page:000000005a9c26e8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xfdcea flags: 0x3ffff00000000200(slab|node=0|zone=1|lastcpupid=0x1ffff) raw: 3ffff00000000200 0000000000000000 0000000100000122 000000008008cc00 raw: 0000000000000000 0020004100000000 ffffffff00000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: 00000000fdcea300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc 00000000fdcea380: fb fb fb fb fb fb f ---truncated---
[
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "function_hash": "32680374274573068817430756182804903123",
            "length": 1567.0
        },
        "target": {
            "function": "qeth_l2_br2dev_worker",
            "file": "drivers/s390/net/qeth_l2_main.c"
        },
        "id": "CVE-2022-48954-00109963",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@db6343a5b0d9661f2dd76f653c6d274d38234d2b",
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "function_hash": "32680374274573068817430756182804903123",
            "length": 1567.0
        },
        "target": {
            "function": "qeth_l2_br2dev_worker",
            "file": "drivers/s390/net/qeth_l2_main.c"
        },
        "id": "CVE-2022-48954-00b61b26",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ebaaadc332cd21e9df4dcf9ce12552d9354bbbe4",
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "73047518100758812686449812302143196759",
                "150508664495151051797616037992354061656",
                "279712897460015799894594750530118911893",
                "218448454919083013218252708185095402612",
                "288835930434436615126783671072485976237",
                "137518893125856088352018616674393591957",
                "320142024723560388785146553902515432953",
                "221804791765419252097189023842898094473"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "drivers/s390/net/qeth_l2_main.c"
        },
        "id": "CVE-2022-48954-8b92b30a",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@db6343a5b0d9661f2dd76f653c6d274d38234d2b",
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "function_hash": "32680374274573068817430756182804903123",
            "length": 1567.0
        },
        "target": {
            "function": "qeth_l2_br2dev_worker",
            "file": "drivers/s390/net/qeth_l2_main.c"
        },
        "id": "CVE-2022-48954-a2519166",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bde0dfc7c4569406a6ddeec363d04a1df7b3073f",
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "73047518100758812686449812302143196759",
                "150508664495151051797616037992354061656",
                "279712897460015799894594750530118911893",
                "218448454919083013218252708185095402612",
                "288835930434436615126783671072485976237",
                "137518893125856088352018616674393591957",
                "320142024723560388785146553902515432953",
                "221804791765419252097189023842898094473"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "drivers/s390/net/qeth_l2_main.c"
        },
        "id": "CVE-2022-48954-a8669776",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ebaaadc332cd21e9df4dcf9ce12552d9354bbbe4",
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "73047518100758812686449812302143196759",
                "150508664495151051797616037992354061656",
                "279712897460015799894594750530118911893",
                "218448454919083013218252708185095402612",
                "288835930434436615126783671072485976237",
                "137518893125856088352018616674393591957",
                "320142024723560388785146553902515432953",
                "221804791765419252097189023842898094473"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "drivers/s390/net/qeth_l2_main.c"
        },
        "id": "CVE-2022-48954-add28e68",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bde0dfc7c4569406a6ddeec363d04a1df7b3073f",
        "signature_type": "Line"
    }
]