GHSA-4WHG-GH4G-7J3J

Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-05-01 15:31
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

net: tun: call napi_schedule_prep() to ensure we own a napi

A recent patch exposed another issue in napi_get_frags() caught by syzbot [1]

Before feeding packets to GRO, and calling napi_complete() we must first grab NAPI_STATE_SCHED.

[1] WARNING: CPU: 0 PID: 3612 at net/core/dev.c:6076 napi_complete_done+0x45b/0x880 net/core/dev.c:6076 Modules linked in: CPU: 0 PID: 3612 Comm: syz-executor408 Not tainted 6.1.0-rc3-syzkaller-00175-g1118b2049d77 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 RIP: 0010:napi_complete_done+0x45b/0x880 net/core/dev.c:6076 Code: c1 ea 03 0f b6 14 02 4c 89 f0 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 24 04 00 00 41 89 5d 1c e9 73 fc ff ff e8 b5 53 22 fa <0f> 0b e9 82 fe ff ff e8 a9 53 22 fa 48 8b 5c 24 08 31 ff 48 89 de RSP: 0018:ffffc90003c4f920 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000030 RCX: 0000000000000000 RDX: ffff8880251c0000 RSI: ffffffff875a58db RDI: 0000000000000007 RBP: 0000000000000001 R08: 0000000000000007 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffff888072d02628 R13: ffff888072d02618 R14: ffff888072d02634 R15: 0000000000000000 FS: 0000555555f13300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055c44d3892b8 CR3: 00000000172d2000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: napi_complete include/linux/netdevice.h:510 [inline] tun_get_user+0x206d/0x3a60 drivers/net/tun.c:1980 tun_chr_write_iter+0xdb/0x200 drivers/net/tun.c:2027 call_write_iter include/linux/fs.h:2191 [inline] do_iter_readv_writev+0x20b/0x3b0 fs/read_write.c:735 do_iter_write+0x182/0x700 fs/read_write.c:861 vfs_writev+0x1aa/0x630 fs/read_write.c:934 do_writev+0x133/0x2f0 fs/read_write.c:977 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f37021a3c19

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-49856"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-01T15:16:09Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tun: call napi_schedule_prep() to ensure we own a napi\n\nA recent patch exposed another issue in napi_get_frags()\ncaught by syzbot [1]\n\nBefore feeding packets to GRO, and calling napi_complete()\nwe must first grab NAPI_STATE_SCHED.\n\n[1]\nWARNING: CPU: 0 PID: 3612 at net/core/dev.c:6076 napi_complete_done+0x45b/0x880 net/core/dev.c:6076\nModules linked in:\nCPU: 0 PID: 3612 Comm: syz-executor408 Not tainted 6.1.0-rc3-syzkaller-00175-g1118b2049d77 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022\nRIP: 0010:napi_complete_done+0x45b/0x880 net/core/dev.c:6076\nCode: c1 ea 03 0f b6 14 02 4c 89 f0 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 24 04 00 00 41 89 5d 1c e9 73 fc ff ff e8 b5 53 22 fa \u003c0f\u003e 0b e9 82 fe ff ff e8 a9 53 22 fa 48 8b 5c 24 08 31 ff 48 89 de\nRSP: 0018:ffffc90003c4f920 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 0000000000000030 RCX: 0000000000000000\nRDX: ffff8880251c0000 RSI: ffffffff875a58db RDI: 0000000000000007\nRBP: 0000000000000001 R08: 0000000000000007 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000001 R12: ffff888072d02628\nR13: ffff888072d02618 R14: ffff888072d02634 R15: 0000000000000000\nFS: 0000555555f13300(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000055c44d3892b8 CR3: 00000000172d2000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\u003cTASK\u003e\nnapi_complete include/linux/netdevice.h:510 [inline]\ntun_get_user+0x206d/0x3a60 drivers/net/tun.c:1980\ntun_chr_write_iter+0xdb/0x200 drivers/net/tun.c:2027\ncall_write_iter include/linux/fs.h:2191 [inline]\ndo_iter_readv_writev+0x20b/0x3b0 fs/read_write.c:735\ndo_iter_write+0x182/0x700 fs/read_write.c:861\nvfs_writev+0x1aa/0x630 fs/read_write.c:934\ndo_writev+0x133/0x2f0 fs/read_write.c:977\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\nRIP: 0033:0x7f37021a3c19",
  "id": "GHSA-4whg-gh4g-7j3j",
  "modified": "2025-05-01T15:31:50Z",
  "published": "2025-05-01T15:31:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49856"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/07d120aa33cc9d9115753d159f64d20c94458781"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/30b0263d0366ea63aa7cad0407dfd945cc348580"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/310f0855352ee4b2eb38855c99185c23e6e1496b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/534762e261c84d43e5d56a780e40278b94c20540"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9132fa043f96ac545254ab326db5c6fd47d54acb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/999550c8cbb3fcb535f542d652fe1cb936839e5f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.