{
  "threat_severity" : "Moderate",
  "public_date" : "2025-02-26T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: skbuff: fix coalescing for page_pool fragment recycling",
    "id" : "2347813",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2347813"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nskbuff: fix coalescing for page_pool fragment recycling\nFix a use-after-free when using page_pool with page fragments. We\nencountered this problem during normal RX in the hns3 driver:\n(1) Initially we have three descriptors in the RX queue. The first one\nallocates PAGE1 through page_pool, and the other two allocate one\nhalf of PAGE2 each. Page references look like this:\nRX_BD1 _______ PAGE1\nRX_BD2 _______ PAGE2\nRX_BD3 _________/\n(2) Handle RX on the first descriptor. Allocate SKB1, eventually added\nto the receive queue by tcp_queue_rcv().\n(3) Handle RX on the second descriptor. Allocate SKB2 and pass it to\nnetif_receive_skb():\nnetif_receive_skb(SKB2)\nip_rcv(SKB2)\nSKB3 = skb_clone(SKB2)\nSKB2 and SKB3 share a reference to PAGE2 through\nskb_shinfo()->dataref. The other ref to PAGE2 is still held by\nRX_BD3:\nSKB2 ---+- PAGE2\nSKB3 __/   /\nRX_BD3 _________/\n(3b) Now while handling TCP, coalesce SKB3 with SKB1:\ntcp_v4_rcv(SKB3)\ntcp_try_coalesce(to=SKB1, from=SKB3)    // succeeds\nkfree_skb_partial(SKB3)\nskb_release_data(SKB3)                // drops one dataref\nSKB1 _____ PAGE1\n\\____\nSKB2 _____ PAGE2\n/\nRX_BD3 _________/\nIn skb_try_coalesce(), __skb_frag_ref() takes a page reference to\nPAGE2, where it should instead have increased the page_pool frag\nreference, pp_frag_count. Without coalescing, when releasing both\nSKB2 and SKB3, a single reference to PAGE2 would be dropped. Now\nwhen releasing SKB1 and SKB2, two references to PAGE2 will be\ndropped, resulting in underflow.\n(3c) Drop SKB2:\naf_packet_rcv(SKB2)\nconsume_skb(SKB2)\nskb_release_data(SKB2)                // drops second dataref\npage_pool_return_skb_page(PAGE2)    // drops one pp_frag_count\nSKB1 _____ PAGE1\n\\____\nPAGE2\n/\nRX_BD3 _________/\n(4) Userspace calls recvmsg()\nCopies SKB1 and releases it. Since SKB3 was coalesced with SKB1, we\nrelease the SKB3 page as well:\ntcp_eat_recv_skb(SKB1)\nskb_release_data(SKB1)\npage_pool_return_skb_page(PAGE1)\npage_pool_return_skb_page(PAGE2)        // drops second pp_frag_count\n(5) PAGE2 is freed, but the third RX descriptor was still using it!\nIn our case this causes IOMMU faults, but it would silently corrupt\nmemory if the IOMMU was disabled.\nChange the logic that checks whether pp_recycle SKBs can be coalesced.\nWe still reject differing pp_recycle between 'from' and 'to' SKBs, but\nin order to avoid the situation described above, we also reject\ncoalescing when both 'from' and 'to' are pp_recycled and 'from' is\ncloned.\nThe new logic allows coalescing a cloned pp_recycle SKB into a page\nrefcounted one, because in this case the release (4) will drop the right\nreference, the one taken by skb_try_coalesce()." ],
  "statement" : "This bug in the memory management of the networking stack can lead to IOMMU faults or to a use-after-free. The attack complexity is high, because a few complex conditions must occur together, which makes it hard to trigger. For Red Hat Enterprise Linux (all versions) the bug is not applicable, because it is already fixed.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-11-15T00:00:00Z",
    "advisory" : "RHSA-2022:8267",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-162.6.1.el9_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-11-15T00:00:00Z",
    "advisory" : "RHSA-2022:8267",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-162.6.1.el9_1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-49093\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49093\nhttps://lore.kernel.org/linux-cve-announce/2025022659-CVE-2022-49093-0ccf@gregkh/T" ],
  "name" : "CVE-2022-49093",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}