DEBIAN-CVE-2022-49808

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2022-49808
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2022-49808.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2022-49808
Upstream
Published
2025-05-01T15:16:04Z
Modified
2025-09-25T03:20:00.417454Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved: net: dsa: don't leak tagger-owned storage on switch driver unbind In the initial commit dc452a471dba ("net: dsa: introduce tagger-owned storage for private and shared data"), we had a call to tagops->disconnect(dst) issued from dsatreefree(), which is called at tree teardown time. There were problems with connecting to a switch tree as a whole, so this got reworked to connecting to individual switches within the tree. In this process, tagops->disconnect(ds) was made to be called only from switch.c (cross-chip notifiers emitted as a result of dynamic tag proto changes), but the normal driver teardown code path wasn't replaced with anything. Solve this problem by adding a function that does the opposite of dsaswitchsetuptagprotocol(), which is called from the equivalent spot in dsaswitchteardown(). The positioning here also ensures that we won't have any use-after-free in tagging protocol (*rcv) ops, since the teardown sequence is as follows: dsatreeteardown -> dsatreeteardownmaster -> dsamasterteardown -> unsets master->dsaptr, making no further packets match the ETHPXDSA packet type handler -> dsatreeteardownports -> dsaportteardown -> dsaslavedestroy -> unregisters DSA net devices, there is even a synchronizenet() in unregisternetdevicemany() -> dsatreeteardownswitches -> dsaswitchteardown -> dsaswitchteardowntag_protocol -> finally frees the tagger-owned storage

References

Affected packages

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.0.10-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.0.10-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:14 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.0.10-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}