CVE-2022-48970

Source
https://cve.org/CVERecord?id=CVE-2022-48970
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48970.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-48970
Downstream
Related
Published
2024-10-21T20:05:51.703Z
Modified
2026-07-15T01:49:14.523806775Z
Summary
af_unix: Get user_ns from in_skb in unix_diag_get_exact().
Details

In the Linux kernel, the following vulnerability has been resolved:

afunix: Get userns from inskb in unixdiaggetexact().

Wei Chen reported a NULL deref in skuserns() 0, and Paolo diagnosed the root cause: in unixdiagget_exact(), the newly allocated skb does not have sk. [2]

We must get the userns from the NETLINKCB(inskb).sk and pass it to skdiag_fill().

PF: supervisor read access in kernel mode

PF: error_code(0x0000) - not-present page

PGD 12bbce067 P4D 12bbce067 PUD 12bc40067 PMD 0 Oops: 0000 [#1] PREEMPT SMP CPU: 0 PID: 27942 Comm: syz-executor.0 Not tainted 6.1.0-rc5-next-20221118 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014 RIP: 0010:skuserns include/net/sock.h:920 [inline] RIP: 0010:skdiagdumpuid net/unix/diag.c:119 [inline] RIP: 0010:skdiagfill+0x77d/0x890 net/unix/diag.c:170 Code: 89 ef e8 66 d4 2d fd c7 44 24 40 00 00 00 00 49 8d 7c 24 18 e8 54 d7 2d fd 49 8b 5c 24 18 48 8d bb 70 02 00 00 e8 43 d7 2d fd <48> 8b 9b 70 02 00 00 48 8d 7b 10 e8 33 d7 2d fd 48 8b 5b 10 48 8d RSP: 0018:ffffc90000d67968 EFLAGS: 00010246 RAX: ffff88812badaa48 RBX: 0000000000000000 RCX: ffffffff840d481d RDX: 0000000000000465 RSI: 0000000000000000 RDI: 0000000000000270 RBP: ffffc90000d679a8 R08: 0000000000000277 R09: 0000000000000000 R10: 0001ffffffffffff R11: 0001c90000d679a8 R12: ffff88812ac03800 R13: ffff88812c87c400 R14: ffff88812ae42210 R15: ffff888103026940 FS: 00007f08b4e6f700(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000270 CR3: 000000012c58b000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> unixdiaggetexact net/unix/diag.c:285 [inline] unixdiaghandler_dump+0x3f9/0x500 net/unix/diag.c:317 __sockdiagcmd net/core/sockdiag.c:235 [inline] sockdiagrcvmsg+0x237/0x250 net/core/sockdiag.c:266 netlinkrcvskb+0x13e/0x250 net/netlink/afnetlink.c:2564 sockdiagrcv+0x24/0x40 net/core/sockdiag.c:277 netlinkunicastkernel net/netlink/afnetlink.c:1330 [inline] netlinkunicast+0x5e9/0x6b0 net/netlink/afnetlink.c:1356 netlinksendmsg+0x739/0x860 net/netlink/afnetlink.c:1932 socksendmsgnosec net/socket.c:714 [inline] sock_sendmsg net/socket.c:734 [inline] ____sys_sendmsg+0x38f/0x500 net/socket.c:2476 ___sys_sendmsg net/socket.c:2530 [inline] __sys_sendmsg+0x197/0x230 net/socket.c:2559 __dosyssendmsg net/socket.c:2568 [inline] __sesyssendmsg net/socket.c:2566 [inline] _x64syssendmsg+0x42/0x50 net/socket.c:2566 dosyscallx64 arch/x86/entry/common.c:50 [inline] dosyscall64+0x2b/0x70 arch/x86/entry/common.c:80 entrySYSCALL64afterhwframe+0x63/0xcd RIP: 0033:0x4697f9 Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f08b4e6ec48 EFLAGS: 00000246 ORIGRAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000077bf80 RCX: 00000000004697f9 RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003 RBP: 00000000004d29e9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf80 R13: 0000000000000000 R14: 000000000077bf80 R15: 00007ffdb36bc6c0 </TASK> Modules linked in: CR2: 0000000000000270

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48970.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
cae9910e73446cac68a54e3a7b02aaa12b689026
Fixed
c66d78aee55dab72c92020ebfbebc464d4f5dd2a
Fixed
575a6266f63dbb3b8eb1da03671451f0d81b8034
Fixed
5c014eb0ed6c8c57f483e94cc6e90f34ce426d91
Fixed
9c1d6f79a2c7b8221dcec27defc6dc461052ead4
Fixed
b3abe42e94900bdd045c472f9c9be620ba5ce553

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48970.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.3.0
Fixed
5.4.227
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.159
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.83
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48970.json"