CVE-2022-49636

If a memory allocation fails in vlanchangelink() after other allocations succeeded, we need to call vlandevfreeegresspriority() to free all allocated memory because after a failed ->newlink() we do not call any methods like ndouninit() or dev->priv_destructor().

In following example, if the allocation for last element 2000:2001 fails, we need to free eight prior allocations:

ip link add link dummy0 dummy0.100 type vlan id 100 \ egress-qos-map 1:2 2:3 3:4 4:5 5:6 6:7 7:8 8:9 2000:2001

syzbot report was:

BUG: memory leak unreferenced object 0xffff888117bd1060 (size 32): comm "syz-executor408", pid 3759, jiffies 4294956555 (age 34.090s) hex dump (first 32 bytes): 09 00 00 00 00 a0 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff83fc60ad>] kmalloc include/linux/slab.h:600 [inline] [<ffffffff83fc60ad>] vlandevsetegresspriority+0xed/0x170 net/8021q/vlandev.c:193 [<ffffffff83fc6628>] vlanchangelink+0x178/0x1d0 net/8021q/vlannetlink.c:128 [<ffffffff83fc67c8>] vlannewlink+0x148/0x260 net/8021q/vlannetlink.c:185 [<ffffffff838b1278>] rtnlnewlinkcreate net/core/rtnetlink.c:3363 [inline] [<ffffffff838b1278>] rtnlnewlink+0xa58/0xdc0 net/core/rtnetlink.c:3580 [<ffffffff838b1629>] rtnlnewlink+0x49/0x70 net/core/rtnetlink.c:3593 [<ffffffff838ac66c>] rtnetlinkrcvmsg+0x21c/0x5c0 net/core/rtnetlink.c:6089 [<ffffffff839f9c37>] netlinkrcvskb+0x87/0x1d0 net/netlink/afnetlink.c:2501 [<ffffffff839f8da7>] netlinkunicastkernel net/netlink/afnetlink.c:1319 [inline] [<ffffffff839f8da7>] netlinkunicast+0x397/0x4c0 net/netlink/afnetlink.c:1345 [<ffffffff839f9266>] netlinksendmsg+0x396/0x710 net/netlink/afnetlink.c:1921 [<ffffffff8384dbf6>] socksendmsgnosec net/socket.c:714 [inline] [<ffffffff8384dbf6>] socksendmsg+0x56/0x80 net/socket.c:734 [<ffffffff8384e15c>] syssendmsg+0x36c/0x390 net/socket.c:2488 [<ffffffff838523cb>] _syssendmsg+0x8b/0xd0 net/socket.c:2542 [<ffffffff838525b8>] _syssendmsg net/socket.c:2571 [inline] [<ffffffff838525b8>] _dosyssendmsg net/socket.c:2580 [inline] [<ffffffff838525b8>] _sesyssendmsg net/socket.c:2578 [inline] [<ffffffff838525b8>] _x64syssendmsg+0x78/0xf0 net/socket.c:2578 [<ffffffff845ad8d5>] dosyscallx64 arch/x86/entry/common.c:50 [inline] [<ffffffff845ad8d5>] dosyscall64+0x35/0xb0 arch/x86/entry/common.c:80 [<ffffffff8460006a>] entrySYSCALL64after_hwframe+0x46/0xb0

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

b195d229de401377f70c04e0dff93b342464ec8e

Fixed

549de58dba4bf1b2adc72e9948b9c76fa88be9d2

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

62d7ad2c191122119c66361ba6d9f04974b51afe

Fixed

df27729a4fe0002dfd80c96fe1c142829c672728

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

842801181864690fdcde73b017cce4c1353a7083

Fixed

f5dc10b910bdac523e5947336445a77066c51bf9

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

37aa50c539bcbcc01767e515bd170787fcfc0f33

Fixed

4c43069bb1097dd6cc1cf0f7c43a36d1f7b3910b

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

37aa50c539bcbcc01767e515bd170787fcfc0f33

Fixed

72a0b329114b1caa8e69dfa7cdad1dd3c69b8602

Affected versions

v5.*

v5.10.235

v5.15.142

v5.15.143

v5.15.144

v5.15.145

v5.15.146

v5.15.147

v5.15.148

v5.15.149

v5.15.150

v5.15.151

v5.15.152

v5.15.153

v5.15.154

v5.15.155

v5.15.156

v5.15.157

v5.15.158

v5.15.159

v5.15.160

v5.15.161

v5.15.162

v5.15.163

v5.15.164

v5.15.165

v5.15.166

v5.15.167

v5.15.168

v5.15.169

v5.15.170

v5.15.171

v5.15.172

v5.15.173

v5.15.174

v5.15.175

v5.15.176

v5.15.177

v5.15.178

v5.15.179

v5.17

v5.17-rc3

v5.17-rc4

v5.17-rc5

v5.17-rc6

v5.17-rc7

v5.17-rc8

v5.18

v5.18-rc1

v5.18-rc2

v5.18-rc3

v5.18-rc4

v5.18-rc5

v5.18-rc6

v5.18-rc7

v5.18.1

v5.18.10

v5.18.11

v5.18.12

v5.18.2

v5.18.3

v5.18.4

v5.18.5

v5.18.6

v5.18.7

v5.18.8

v5.18.9

v5.19-rc1

v5.19-rc2

v5.19-rc3

v5.19-rc4

v5.19-rc5

v5.4.291

Database specific

vanir_signatures

[
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "93897962379425989360089693779848667440",
            "length": 1294.0
        },
        "target": {
            "file": "net/8021q/vlan_netlink.c",
            "function": "vlan_newlink"
        },
        "signature_version": "v1",
        "id": "CVE-2022-49636-00d880bd",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f5dc10b910bdac523e5947336445a77066c51bf9"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "93897962379425989360089693779848667440",
            "length": 1294.0
        },
        "target": {
            "file": "net/8021q/vlan_netlink.c",
            "function": "vlan_newlink"
        },
        "signature_version": "v1",
        "id": "CVE-2022-49636-06ec8a03",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@df27729a4fe0002dfd80c96fe1c142829c672728"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "93897962379425989360089693779848667440",
            "length": 1294.0
        },
        "target": {
            "file": "net/8021q/vlan_netlink.c",
            "function": "vlan_newlink"
        },
        "signature_version": "v1",
        "id": "CVE-2022-49636-155408d4",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@549de58dba4bf1b2adc72e9948b9c76fa88be9d2"
    },
    {
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "193464501514445085159482663647520163449",
                "21207887940075083336442186447923885520",
                "251322196898798725806890659747144736368",
                "197296028016379736903603127533816767531",
                "147744152573252512416561073312908985790",
                "157552167248836071024448692672199040675",
                "21615195174898310135962723609528135056"
            ]
        },
        "target": {
            "file": "net/8021q/vlan_netlink.c"
        },
        "signature_version": "v1",
        "id": "CVE-2022-49636-255670e9",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@df27729a4fe0002dfd80c96fe1c142829c672728"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "93897962379425989360089693779848667440",
            "length": 1294.0
        },
        "target": {
            "file": "net/8021q/vlan_netlink.c",
            "function": "vlan_newlink"
        },
        "signature_version": "v1",
        "id": "CVE-2022-49636-2f769e89",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4c43069bb1097dd6cc1cf0f7c43a36d1f7b3910b"
    },
    {
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "193464501514445085159482663647520163449",
                "21207887940075083336442186447923885520",
                "251322196898798725806890659747144736368",
                "197296028016379736903603127533816767531",
                "147744152573252512416561073312908985790",
                "157552167248836071024448692672199040675",
                "21615195174898310135962723609528135056"
            ]
        },
        "target": {
            "file": "net/8021q/vlan_netlink.c"
        },
        "signature_version": "v1",
        "id": "CVE-2022-49636-3cab95b7",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@72a0b329114b1caa8e69dfa7cdad1dd3c69b8602"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "93897962379425989360089693779848667440",
            "length": 1294.0
        },
        "target": {
            "file": "net/8021q/vlan_netlink.c",
            "function": "vlan_newlink"
        },
        "signature_version": "v1",
        "id": "CVE-2022-49636-7836a307",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@72a0b329114b1caa8e69dfa7cdad1dd3c69b8602"
    },
    {
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "193464501514445085159482663647520163449",
                "21207887940075083336442186447923885520",
                "251322196898798725806890659747144736368",
                "197296028016379736903603127533816767531",
                "147744152573252512416561073312908985790",
                "157552167248836071024448692672199040675",
                "21615195174898310135962723609528135056"
            ]
        },
        "target": {
            "file": "net/8021q/vlan_netlink.c"
        },
        "signature_version": "v1",
        "id": "CVE-2022-49636-bccdef85",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4c43069bb1097dd6cc1cf0f7c43a36d1f7b3910b"
    },
    {
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "193464501514445085159482663647520163449",
                "21207887940075083336442186447923885520",
                "251322196898798725806890659747144736368",
                "197296028016379736903603127533816767531",
                "147744152573252512416561073312908985790",
                "157552167248836071024448692672199040675",
                "21615195174898310135962723609528135056"
            ]
        },
        "target": {
            "file": "net/8021q/vlan_netlink.c"
        },
        "signature_version": "v1",
        "id": "CVE-2022-49636-c0f558c4",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@549de58dba4bf1b2adc72e9948b9c76fa88be9d2"
    },
    {
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "193464501514445085159482663647520163449",
                "21207887940075083336442186447923885520",
                "251322196898798725806890659747144736368",
                "197296028016379736903603127533816767531",
                "147744152573252512416561073312908985790",
                "157552167248836071024448692672199040675",
                "21615195174898310135962723609528135056"
            ]
        },
        "target": {
            "file": "net/8021q/vlan_netlink.c"
        },
        "signature_version": "v1",
        "id": "CVE-2022-49636-ec942b89",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f5dc10b910bdac523e5947336445a77066c51bf9"
    }
]

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.4.292

Type: ECOSYSTEM
Events: Introduced

5.5.0

Fixed

5.10.236

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

5.15.180

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

5.18.13