CVE - CVE-2022-49667

CVE-ID
CVE-2022-49667	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
In the Linux kernel, the following vulnerability has been resolved: net: bonding: fix use-after-free after 802.3ad slave unbind commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection"), resolve case, when there is several aggregation groups in the same bond. bond_3ad_unbind_slave will invalidate (clear) aggregator when __agg_active_ports return zero. So, ad_clear_agg can be executed even, when num_of_ports!=0. Than bond_3ad_unbind_slave can be executed again for, previously cleared aggregator. NOTE: at this time bond_3ad_unbind_slave will not update slave ports list, because lag_ports==NULL. So, here we got slave ports, pointing to freed aggregator memory. Fix with checking actual number of ports in group (as was before commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection") ), before ad_clear_agg(). The KASAN logs are as follows: [ 767.617392] ================================================================== [ 767.630776] BUG: KASAN: use-after-free in bond_3ad_state_machine_handler+0x13dc/0x1470 [ 767.638764] Read of size 2 at addr ffff00011ba9d430 by task kworker/u8:7/767 [ 767.647361] CPU: 3 PID: 767 Comm: kworker/u8:7 Tainted: G O 5.15.11 #15 [ 767.655329] Hardware name: DNI AmazonGo1 A7040 board (DT) [ 767.660760] Workqueue: lacp_1 bond_3ad_state_machine_handler [ 767.666468] Call trace: [ 767.668930] dump_backtrace+0x0/0x2d0 [ 767.672625] show_stack+0x24/0x30 [ 767.675965] dump_stack_lvl+0x68/0x84 [ 767.679659] print_address_description.constprop.0+0x74/0x2b8 [ 767.685451] kasan_report+0x1f0/0x260 [ 767.689148] __asan_load2+0x94/0xd0 [ 767.692667] bond_3ad_state_machine_handler+0x13dc/0x1470
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://git.kernel.org/stable/c/050133e1aa2cb49bb17be847d48a4431598ef562 URL:https://git.kernel.org/stable/c/050133e1aa2cb49bb17be847d48a4431598ef562 MISC:https://git.kernel.org/stable/c/2765749def4765c5052a4c66445cf4c96fcccdbc URL:https://git.kernel.org/stable/c/2765749def4765c5052a4c66445cf4c96fcccdbc MISC:https://git.kernel.org/stable/c/63b2fe509f69b90168a75e04e14573dccf7984e6 URL:https://git.kernel.org/stable/c/63b2fe509f69b90168a75e04e14573dccf7984e6 MISC:https://git.kernel.org/stable/c/893825289ba840afd86bfffcb6f7f363c73efff8 URL:https://git.kernel.org/stable/c/893825289ba840afd86bfffcb6f7f363c73efff8 MISC:https://git.kernel.org/stable/c/a853b7a3a9fd1d74a4ccdd9cd73512b7dace2f1e URL:https://git.kernel.org/stable/c/a853b7a3a9fd1d74a4ccdd9cd73512b7dace2f1e MISC:https://git.kernel.org/stable/c/b90ac60303063a43e17dd4aec159067599d255e6 URL:https://git.kernel.org/stable/c/b90ac60303063a43e17dd4aec159067599d255e6 MISC:https://git.kernel.org/stable/c/ef0af7d08d26c5333ff4944a559279464edf6f15 URL:https://git.kernel.org/stable/c/ef0af7d08d26c5333ff4944a559279464edf6f15 MISC:https://git.kernel.org/stable/c/f162f7c348fa2a5555bafdb5cc890b89b221e69c URL:https://git.kernel.org/stable/c/f162f7c348fa2a5555bafdb5cc890b89b221e69c
Assigning CNA
kernel.org
Date Record Created
20250226	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20250226)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)