high
7.8
CWE
416
Advisory Published
Updated

CVE-2022-49667: net: bonding: fix use-after-free after 802.3ad slave unbind

First published: Wed Feb 26 2025(Updated: )

In the Linux kernel, the following vulnerability has been resolved: net: bonding: fix use-after-free after 802.3ad slave unbind commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection"), resolve case, when there is several aggregation groups in the same bond. bond_3ad_unbind_slave will invalidate (clear) aggregator when __agg_active_ports return zero. So, ad_clear_agg can be executed even, when num_of_ports!=0. Than bond_3ad_unbind_slave can be executed again for, previously cleared aggregator. NOTE: at this time bond_3ad_unbind_slave will not update slave ports list, because lag_ports==NULL. So, here we got slave ports, pointing to freed aggregator memory. Fix with checking actual number of ports in group (as was before commit 0622cab0341c ("bonding: fix 802.3ad aggregator reselection") ), before ad_clear_agg(). The KASAN logs are as follows: [ 767.617392] ================================================================== [ 767.630776] BUG: KASAN: use-after-free in bond_3ad_state_machine_handler+0x13dc/0x1470 [ 767.638764] Read of size 2 at addr ffff00011ba9d430 by task kworker/u8:7/767 [ 767.647361] CPU: 3 PID: 767 Comm: kworker/u8:7 Tainted: G O 5.15.11 #15 [ 767.655329] Hardware name: DNI AmazonGo1 A7040 board (DT) [ 767.660760] Workqueue: lacp_1 bond_3ad_state_machine_handler [ 767.666468] Call trace: [ 767.668930] dump_backtrace+0x0/0x2d0 [ 767.672625] show_stack+0x24/0x30 [ 767.675965] dump_stack_lvl+0x68/0x84 [ 767.679659] print_address_description.constprop.0+0x74/0x2b8 [ 767.685451] kasan_report+0x1f0/0x260 [ 767.689148] __asan_load2+0x94/0xd0 [ 767.692667] bond_3ad_state_machine_handler+0x13dc/0x1470

Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Affected SoftwareAffected VersionHow to fix
Linux Kernel
Linux Kernel>=4.7<4.9.322
Linux Kernel>=4.10<4.14.287
Linux Kernel>=4.15<4.19.251
Linux Kernel>=4.20<5.4.204
Linux Kernel>=5.5<5.10.129
Linux Kernel>=5.11<5.15.53
Linux Kernel>=5.16<5.18.10
Linux Kernel=5.19-rc1
Linux Kernel=5.19-rc2
Linux Kernel=5.19-rc3
Linux Kernel=5.19-rc4

Remedy

https://git.kernel.org/stable/c/050133e1aa2cb49bb17be847d48a4431598ef562

Remedy

https://git.kernel.org/stable/c/2765749def4765c5052a4c66445cf4c96fcccdbc

Remedy

https://git.kernel.org/stable/c/63b2fe509f69b90168a75e04e14573dccf7984e6

Remedy

https://git.kernel.org/stable/c/893825289ba840afd86bfffcb6f7f363c73efff8

Remedy

https://git.kernel.org/stable/c/a853b7a3a9fd1d74a4ccdd9cd73512b7dace2f1e

Remedy

https://git.kernel.org/stable/c/b90ac60303063a43e17dd4aec159067599d255e6

Remedy

https://git.kernel.org/stable/c/ef0af7d08d26c5333ff4944a559279464edf6f15

Remedy

https://git.kernel.org/stable/c/f162f7c348fa2a5555bafdb5cc890b89b221e69c

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2022-49667?

    The severity of CVE-2022-49667 is rated as high due to the potential for use-after-free vulnerabilities in the Linux kernel.

  • How do I fix CVE-2022-49667?

    To fix CVE-2022-49667, update the Linux kernel to the latest patched version that resolves the use-after-free vulnerability.

  • What are the potential impacts of CVE-2022-49667?

    CVE-2022-49667 can lead to system crashes or arbitrary code execution if exploited by an attacker.

  • Which systems are affected by CVE-2022-49667?

    CVE-2022-49667 affects systems running vulnerable versions of the Linux kernel that utilize the bonding feature.

  • Is CVE-2022-49667 being actively exploited?

    As of now, there is no public indication that CVE-2022-49667 is being actively exploited in the wild.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203