{
  "threat_severity" : "Moderate",
  "public_date" : "2024-08-22T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: netfilter: fix use-after-free in __nf_register_net_hook()",
    "id" : "2307165",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2307165"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnetfilter: fix use-after-free in __nf_register_net_hook()\nWe must not dereference @new_hooks after nf_hook_mutex has been released,\nbecause other threads might have freed our allocated hooks already.\nBUG: KASAN: use-after-free in nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline]\nBUG: KASAN: use-after-free in hooks_validate net/netfilter/core.c:171 [inline]\nBUG: KASAN: use-after-free in __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438\nRead of size 2 at addr ffff88801c1a8000 by task syz-executor237/4430\nCPU: 1 PID: 4430 Comm: syz-executor237 Not tainted 5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nCall Trace:\n<TASK>\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\nprint_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255\n__kasan_report mm/kasan/report.c:442 [inline]\nkasan_report.cold+0x83/0xdf mm/kasan/report.c:459\nnf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline]\nhooks_validate net/netfilter/core.c:171 [inline]\n__nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438\nnf_register_net_hook+0x114/0x170 net/netfilter/core.c:571\nnf_register_net_hooks+0x59/0xc0 net/netfilter/core.c:587\nnf_synproxy_ipv6_init+0x85/0xe0 net/netfilter/nf_synproxy_core.c:1218\nsynproxy_tg6_check+0x30d/0x560 net/ipv6/netfilter/ip6t_SYNPROXY.c:81\nxt_check_target+0x26c/0x9e0 net/netfilter/x_tables.c:1038\ncheck_target net/ipv6/netfilter/ip6_tables.c:530 [inline]\nfind_check_entry.constprop.0+0x7f1/0x9e0 net/ipv6/netfilter/ip6_tables.c:573\ntranslate_table+0xc8b/0x1750 net/ipv6/netfilter/ip6_tables.c:735\ndo_replace net/ipv6/netfilter/ip6_tables.c:1153 [inline]\ndo_ip6t_set_ctl+0x56e/0xb90 net/ipv6/netfilter/ip6_tables.c:1639\nnf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101\nipv6_setsockopt+0x122/0x180 net/ipv6/ipv6_sockglue.c:1024\nrawv6_setsockopt+0xd3/0x6a0 net/ipv6/raw.c:1084\n__sys_setsockopt+0x2db/0x610 net/socket.c:2180\n__do_sys_setsockopt net/socket.c:2191 [inline]\n__se_sys_setsockopt net/socket.c:2188 [inline]\n__x64_sys_setsockopt+0xba/0x150 net/socket.c:2188\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7f65a1ace7d9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f65a1a7f308 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00007f65a1ace7d9\nRDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000003\nRBP: 00007f65a1b574c8 R08: 0000000000000001 R09: 0000000000000000\nR10: 0000000020000000 R11: 0000000000000246 R12: 00007f65a1b55130\nR13: 00007f65a1b574c0 R14: 00007f65a1b24090 R15: 0000000000022000\n</TASK>\nThe buggy address belongs to the page:\npage:ffffea0000706a00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1c1a8\nflags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)\nraw: 00fff00000000000 ffffea0001c1b108 ffffea000046dd08 0000000000000000\nraw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\npage_owner tracks the page as freed\npage last allocated via order 2, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 4430, ts 1061781545818, free_ts 1061791488993\nprep_new_page mm/page_alloc.c:2434 [inline]\nget_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165\n__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389\n__alloc_pages_node include/linux/gfp.h:572 [inline]\nalloc_pages_node include/linux/gfp.h:595 [inline]\nkmalloc_large_node+0x62/0x130 mm/slub.c:4438\n__kmalloc_node+0x35a/0x4a0 mm/slub.\n---truncated---", "A possible use-after-free was found in the Linux kernel in __nf_register_net_hook()." ],
  "statement" : "This issue is fixed in RHEL-9.1 and above (including 8.10):\n~~~\nin (rhel-8.7, rhel-8.8, rhel-8.9, rhel-8.10) netfilter: fix use-after-free in __nf_register_net_hook()\nin (rhel-9.1, rhel-9.2, rhel-9.3, rhel-9.4, rhel-9.5) netfilter: fix use-after-free in __nf_register_net_hook()\n~~~\nPlease note that while RHEL-9 kernel-rt still appears as affected, it has been fixed in the same RHSA as RHEL-9 kernel. This is because from RHEL-9.3 onwards, the kernel and kernel-rt fixes are bundled together in a single errata.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-11-08T00:00:00Z",
    "advisory" : "RHSA-2022:7683",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-425.3.1.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-11-15T00:00:00Z",
    "advisory" : "RHSA-2022:8267",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-162.6.1.el9_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-11-15T00:00:00Z",
    "advisory" : "RHSA-2022:8267",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-162.6.1.el9_1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-48912\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-48912\nhttps://lore.kernel.org/linux-cve-announce/2024082215-CVE-2022-48912-3f55@gregkh/T" ],
  "name" : "CVE-2022-48912",
  "csaw" : false
}