CVE-2022-49808

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49808
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49808.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-49808
Published
2025-05-01T14:09:34Z
Modified
2025-10-21T11:04:01.098141Z
Summary
net: dsa: don't leak tagger-owned storage on switch driver unbind
Details

In the Linux kernel, the following vulnerability has been resolved:

net: dsa: don't leak tagger-owned storage on switch driver unbind

In the initial commit dc452a471dba ("net: dsa: introduce tagger-owned storage for private and shared data"), we had a call to tag_ops->disconnect(dst) issued from dsa_tree_free(), which is called at tree teardown time.

There were problems with connecting to a switch tree as a whole, so this got reworked to connecting to individual switches within the tree. In this process, tag_ops->disconnect(ds) was made to be called only from switch.c (cross-chip notifiers emitted as a result of dynamic tag proto changes), but the normal driver teardown code path wasn't replaced with anything.

Solve this problem by adding a function that does the opposite of dsa_switch_setup_tag_protocol(), which is called from the equivalent spot in dsa_switch_teardown(). The positioning here also ensures that we won't have any use-after-free in tagging protocol (*rcv) ops, since the teardown sequence is as follows:

dsa_tree_teardown
-> dsa_tree_teardown_master
   -> dsa_master_teardown
      -> unsets master->dsa_ptr, making no further packets match the ETH_P_XDSA packet type handler
-> dsa_tree_teardown_ports
   -> dsa_port_teardown
      -> dsa_slave_destroy
         -> unregisters DSA net devices, there is even a synchronize_net() in unregister_netdevice_many()
-> dsa_tree_teardown_switches
   -> dsa_switch_teardown
      -> dsa_switch_teardown_tag_protocol
         -> finally frees the tagger-owned storage
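A user-space C model of the setup/teardown asymmetry the commit message describes, added here as an illustration; it is not kernel code and not part of the fix. `struct sw`, `rx_enabled`, `tagger_rcv` and the `sw_*` functions are hypothetical stand-ins for the DSA switch, `master->dsa_ptr`, the tagger's rcv op and the switch setup/teardown paths.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a DSA switch; not the kernel's struct dsa_switch. */
struct sw {
    void *tagger_data; /* tagger-owned storage, allocated on connect */
    int rx_enabled;    /* models master->dsa_ptr: set while packets reach rcv */
};

/* Setup: the tagger connects (allocates its storage), then rx is published. */
static int sw_setup(struct sw *ds)
{
    ds->tagger_data = calloc(1, 64);
    if (!ds->tagger_data) return -1;
    ds->rx_enabled = 1;
    return 0;
}
/* 0: no handler matches, 1: handled, -1: rcv would touch freed storage */
static int tagger_rcv(const struct sw *ds)
{
    return !ds->rx_enabled ? 0 : (ds->tagger_data ? 1 : -1);
}
/* Before the fix: unbind stops traffic but never calls disconnect. */
static void sw_teardown_leaky(struct sw *ds) { ds->rx_enabled = 0; }
/* After the fix: mirror of setup; storage is released as the last step. */
static void sw_teardown_fixed(struct sw *ds)
{
    ds->rx_enabled = 0;
    free(ds->tagger_data); /* the disconnect step the unbind path lacked */
    ds->tagger_data = NULL;
}
/* Bind/unbind n times; returns how many buffers the teardown left behind. */
static int unbind_cycles(int n, void (*teardown)(struct sw *))
{
    int leaked = 0;
    for (int i = 0; i < n; i++) {
        struct sw ds = {0};
        if (sw_setup(&ds)) return -1;
        teardown(&ds);
        if (tagger_rcv(&ds) != 0) return -2;                    /* rx not quiesced */
        if (ds.tagger_data) { leaked++; free(ds.tagger_data); } /* demo cleanup */
    }
    return leaked;
}
int main(void)
{
    printf("buffers left behind: before fix %d, after fix %d\n",
           unbind_cycles(5, sw_teardown_leaky), unbind_cycles(5, sw_teardown_fixed));
    return 0;
}
```

Each bind/unbind cycle through the pre-fix teardown leaves one buffer behind, which is why repeated driver unbinds accumulate leaked memory on affected kernels.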

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7f2973149c22e7a6fee4c0c9fa6b8e4108e9c208
Fixed
5809fb03942dbac25144db5bebea84fa003ecaca
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
7f2973149c22e7a6fee4c0c9fa6b8e4108e9c208
Fixed
4e0c19fcb8b5323716140fa82b79aa9f60e60407

Affected versions

v5.*

v5.16
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.0.6
v6.0.7
v6.0.8
v6.0.9
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4


Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.17.0
Fixed
6.0.10