CVE-2022-48969

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48969
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48969.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-48969
Related
Published
2024-10-21T20:15:09Z
Modified
2024-10-25T22:45:35.475405Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

xen-netfront: Fix NULL sring after live migration

A NAPI is setup for each network sring to poll data to kernel The sring with source host is destroyed before live migration and new sring with target host is setup after live migration. The NAPI for the old sring is not deleted until setup new sring with target host after migration. With busypoll/busyread enabled, the NAPI can be polled before got deleted when resume VM.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 IP: xennetpoll+0xae/0xd20 PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI Call Trace: finishtaskswitch+0x71/0x230 timerqueuedel+0x1d/0x40 hrtimertrytocancel+0xb5/0x110 xennetallocrxbuffers+0x2a0/0x2a0 napibusyloop+0xdb/0x270 sockpoll+0x87/0x90 dosyspoll+0x26f/0x580 tracingmapinsert+0x1d4/0x2f0 eventhist_trigger+0x14a/0x260

finishtaskswitch+0x71/0x230 _schedule+0x256/0x890 recalcsigpending+0x1b/0x50 xenschedclock+0x15/0x20 _rbreservenext+0x12d/0x140 ringbufferlockreserve+0x123/0x3d0 eventtriggerscall+0x87/0xb0 traceeventbuffercommit+0x1c4/0x210 xenclocksourcegetcycles+0x15/0x20 ktimegetts64+0x51/0xf0 SySppoll+0x160/0x1a0 SySppoll+0x160/0x1a0 dosyscall64+0x73/0x130 entrySYSCALL64afterhwframe+0x41/0xa6 ... RIP: xennet_poll+0xae/0xd20 RSP: ffffb4f041933900 CR2: 0000000000000008 ---[ end trace f8601785b354351c ]---

xen frontend should remove the NAPIs for the old srings before live migration as the bond srings are destroyed

There is a tiny window between the srings are set to NULL and the NAPIs are disabled, It is safe as the NAPI threads are still frozen at that time

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.162-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1
5.10.148-1
5.10.149-1
5.10.149-2
5.10.158-1
5.10.158-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.1.4-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}