Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

CVE-2022-48640

Disclosure Date: April 28, 2024 •

CVE-2022-48640

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In the Linux kernel, the following vulnerability has been resolved:

bonding: fix NULL deref in bond_rr_gen_slave_id

Fix a NULL dereference of the struct bonding.rr_tx_counter member because
if a bond is initially created with an initial mode != zero (Round Robin)
the memory required for the counter is never created and when the mode is
changed there is never any attempt to verify the memory is allocated upon
switching modes.

This causes the following Oops on an aarch64 machine:

[  334.686773] Unable to handle kernel paging request at virtual address ffff2c91ac905000
[  334.694703] Mem abort info:
[  334.697486]   ESR = 0x0000000096000004
[  334.701234]   EC = 0x25: DABT (current EL), IL = 32 bits
[  334.706536]   SET = 0, FnV = 0
[  334.709579]   EA = 0, S1PTW = 0
[  334.712719]   FSC = 0x04: level 0 translation fault
[  334.717586] Data abort info:
[  334.720454]   ISV = 0, ISS = 0x00000004
[  334.724288]   CM = 0, WnR = 0
[  334.727244] swapper pgtable: 4k pages, 48-bit VAs, pgdp=000008044d662000
[  334.733944] [ffff2c91ac905000] pgd=0000000000000000, p4d=0000000000000000
[  334.740734] Internal error: Oops: 96000004 [#1] SMP
[  334.745602] Modules linked in: bonding tls veth rfkill sunrpc arm_spe_pmu vfat fat acpi_ipmi ipmi_ssif ixgbe igb i40e mdio ipmi_devintf ipmi_msghandler arm_cmn arm_dsu_pmu cppc_cpufreq acpi_tad fuse zram crct10dif_ce ast ghash_ce sbsa_gwdt nvme drm_vram_helper drm_ttm_helper nvme_core ttm xgene_hwmon
[  334.772217] CPU: 7 PID: 2214 Comm: ping Not tainted 6.0.0-rc4-00133-g64ae13ed4784 #4
[  334.779950] Hardware name: GIGABYTE R272-P31-00/MP32-AR1-00, BIOS F18v (SCP: 1.08.20211002) 12/01/2021
[  334.789244] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[  334.796196] pc : bond_rr_gen_slave_id+0x40/0x124 [bonding]
[  334.801691] lr : bond_xmit_roundrobin_slave_get+0x38/0xdc [bonding]
[  334.807962] sp : ffff8000221733e0
[  334.811265] x29: ffff8000221733e0 x28: ffffdbac8572d198 x27: ffff80002217357c
[  334.818392] x26: 000000000000002a x25: ffffdbacb33ee000 x24: ffff07ff980fa000
[  334.825519] x23: ffffdbacb2e398ba x22: ffff07ff98102000 x21: ffff07ff981029c0
[  334.832646] x20: 0000000000000001 x19: ffff07ff981029c0 x18: 0000000000000014
[  334.839773] x17: 0000000000000000 x16: ffffdbacb1004364 x15: 0000aaaabe2f5a62
[  334.846899] x14: ffff07ff8e55d968 x13: ffff07ff8e55db30 x12: 0000000000000000
[  334.854026] x11: ffffdbacb21532e8 x10: 0000000000000001 x9 : ffffdbac857178ec
[  334.861153] x8 : ffff07ff9f6e5a28 x7 : 0000000000000000 x6 : 000000007c2b3742
[  334.868279] x5 : ffff2c91ac905000 x4 : ffff2c91ac905000 x3 : ffff07ff9f554400
[  334.875406] x2 : ffff2c91ac905000 x1 : 0000000000000001 x0 : ffff07ff981029c0
[  334.882532] Call trace:
[  334.884967]  bond_rr_gen_slave_id+0x40/0x124 [bonding]
[  334.890109]  bond_xmit_roundrobin_slave_get+0x38/0xdc [bonding]
[  334.896033]  __bond_start_xmit+0x128/0x3a0 [bonding]
[  334.901001]  bond_start_xmit+0x54/0xb0 [bonding]
[  334.905622]  dev_hard_start_xmit+0xb4/0x220
[  334.909798]  __dev_queue_xmit+0x1a0/0x720
[  334.913799]  arp_xmit+0x3c/0xbc
[  334.916932]  arp_send_dst+0x98/0xd0
[  334.920410]  arp_solicit+0xe8/0x230
[  334.923888]  neigh_probe+0x60/0xb0
[  334.927279]  __neigh_event_send+0x3b0/0x470
[  334.931453]  neigh_resolve_output+0x70/0x90
[  334.935626]  ip_finish_output2+0x158/0x514
[  334.939714]  __ip_finish_output+0xac/0x1a4
[  334.943800]  ip_finish_output+0x40/0xfc
[  334.947626]  ip_output+0xf8/0x1a4
[  334.950931]  ip_send_skb+0x5c/0x100
[  334.954410]  ip_push_pending_frames+0x3c/0x60
[  334.958758]  raw_sendmsg+0x458/0x6d0
[  334.962325]  inet_sendmsg+0x50/0x80
[  334.965805]  sock_sendmsg+0x60/0x6c
[  334.969286]  __sys_sendto+0xc8/0x134
[  334.972853]  __arm64_sys_sendto+0x34/0x4c

—-truncated—-

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

None

Impact Score:

Unknown

Exploitability Score:

Unknown

Vector:

Unknown

Attack Vector (AV):

Unknown

Attack Complexity (AC):

Unknown

Privileges Required (PR):

Unknown

User Interaction (UI):

Unknown

Scope (S):

Unknown

Confidentiality (C):

Unknown

Integrity (I):

Unknown

Availability (A):

Unknown

Vendors

Linux

Products

Linux

References

Canonical

CVE-2022-48640 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48640)

Miscellaneous

https://git.kernel.org/stable/c/ec3a6f4ffe556a28f6f5028bf7c4412557e7051b

https://git.kernel.org/stable/c/2c8e8ab53acfc78da0b4a65f30cb5d306e7d78f7

https://git.kernel.org/stable/c/0e400d602f46360752e4b32ce842dba3808e15e6

Rapid7

Unknown

CVE-2022-48640

Unknown

Unknown

Unknown

Unknown

Unknown

CVE-2022-48640

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2022-48640

Unknown

Unknown

Unknown

Unknown

Unknown

CVE-2022-48640

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification