CVE-2022-48644

一、漏洞信息
 漏洞编号：[CVE-2022-48644](https://nvd.nist.gov/vuln/detail/CVE-2022-48644)
 漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)
 漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0,6.6.0
 CVSS V2.0分值：
  BaseScore：0.0 Medium
  Vector：CVSS：2.0/
 漏洞简述：
  In the Linux kernel, the following vulnerability has been resolved:net/sched: taprio: avoid disabling offload when it was never enabledIn an incredibly strange API design decision, qdisc->destroy() getscalled even if qdisc->init() never succeeded, not exclusively sincecommit 87b60cfacf9f ( net_sched: fix error recovery at qdisc creation ),but apparently also earlier (in the case of qdisc_create_dflt()).The taprio qdisc does not fully acknowledge this when it attempts fulloffload, because it starts off with q->flags = TAPRIO_FLAGS_INVALID intaprio_init(), then it replaces q->flags with TCA_TAPRIO_ATTR_FLAGSparsed from netlink (in taprio_change(), tail called from taprio_init()).But in taprio_destroy(), we call taprio_disable_offload(), and thisdetermines what to do based on FULL_OFFLOAD_IS_ENABLED(q->flags).But looking at the implementation of FULL_OFFLOAD_IS_ENABLED()(a bitwise check of bit 1 in q->flags), it is invalid to call this macroon q->flags when it contains TAPRIO_FLAGS_INVALID, because that is setto U32_MAX, and therefore FULL_OFFLOAD_IS_ENABLED() will return true onan invalid set of flags.As a result, it is possible to crash the kernel if user space forces anerror between setting q->flags = TAPRIO_FLAGS_INVALID, and the callingof taprio_enable_offload(). This is because drivers do not expect theoffload to be disabled when it was never enabled.The error that we force here is to attach taprio as a non-root qdisc,but instead as child of an mqprio root qdisc:$ tc qdisc add dev swp0 root handle 1:  	mqprio num_tc 8 map 0 1 2 3 4 5 6 7  	queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0$ tc qdisc replace dev swp0 parent 1:1  	taprio num_tc 8 map 0 1 2 3 4 5 6 7  	queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 base-time 0  	sched-entry S 0x7f 990000 sched-entry S 0x80 100000  	flags 0x0 clockid CLOCK_TAIUnable to handle kernel paging request at virtual address fffffffffffffff8[fffffffffffffff8] pgd=0000000000000000, p4d=0000000000000000Internal error: Oops: 96000004 [#1] PREEMPT SMPCall trace: taprio_dump+0x27c/0x310 vsc9959_port_setup_tc+0x1f4/0x460 felix_port_setup_tc+0x24/0x3c dsa_slave_setup_tc+0x54/0x27c taprio_disable_offload.isra.0+0x58/0xe0 taprio_destroy+0x80/0x104 qdisc_create+0x240/0x470 tc_modify_qdisc+0x1fc/0x6b0 rtnetlink_rcv_msg+0x12c/0x390 netlink_rcv_skb+0x5c/0x130 rtnetlink_rcv+0x1c/0x2cFix this by keeping track of the operations we made, and undo theoffload only if we actually did it.I ve added  bool offloaded  inside a 4 byte hole between  int clockid and  atomic64_t picos_per_byte . Now the first cache line looks likebelow:$ pahole -C taprio_sched net/sched/sch_taprio.ostruct taprio_sched {        struct Qdisc * *           qdiscs;               /*     0     8 */        struct Qdisc *             root;                 /*     8     8 */        u32                        flags;                /*    16     4 */        enum tk_offsets            tk_offset;            /*    20     4 */        int                        clockid;              /*    24     4 */        bool                       offloaded;            /*    28     1 */        /* XXX 3 bytes hole, try to pack */        atomic64_t                 picos_per_byte;       /*    32     0 */        /* XXX 8 bytes hole, try to pack */        spinlock_t                 current_entry_lock;   /*    40     0 */        /* XXX 8 bytes hole, try to pack */        struct sched_entry *       current_entry;        /*    48     8 */        struct sched_gate_list *   oper_sched;           /*    56     8 */        /* --- cacheline 1 boundary (64 bytes) --- */
 漏洞公开时间：2024-04-28 21:15:07
 漏洞创建时间：2024-04-28 22:59:06
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2022-48644
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/586def6ebed195f3594a4884f7c5334d0e1ad1bb |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/c7c9c7eb305ab8b4e93e4e4e1b78d8cfcbc26323 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/d12a1eb07003e597077329767c6aa86a7e972c76 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/db46e3a88a09c5cf7e505664d01da7238cd56c92 |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/f58e43184226e5e9662088ccf1389e424a3a4cbd |  |
| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-48644 | https://bugzilla.suse.com/show_bug.cgi?id=1223511 |
| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2022-48644 | https://bugzilla.suse.com/show_bug.cgi?id=1223511 |
| suse_bugzilla | https://git.kernel.org/stable/c/586def6ebed195f3594a4884f7c5334d0e1ad1bb | https://bugzilla.suse.com/show_bug.cgi?id=1223511 |
| suse_bugzilla | https://git.kernel.org/stable/c/c7c9c7eb305ab8b4e93e4e4e1b78d8cfcbc26323 | https://bugzilla.suse.com/show_bug.cgi?id=1223511 |
| suse_bugzilla | https://git.kernel.org/stable/c/d12a1eb07003e597077329767c6aa86a7e972c76 | https://bugzilla.suse.com/show_bug.cgi?id=1223511 |
| suse_bugzilla | https://git.kernel.org/stable/c/db46e3a88a09c5cf7e505664d01da7238cd56c92 | https://bugzilla.suse.com/show_bug.cgi?id=1223511 |
| suse_bugzilla | https://git.kernel.org/stable/c/f58e43184226e5e9662088ccf1389e424a3a4cbd | https://bugzilla.suse.com/show_bug.cgi?id=1223511 |
| suse_bugzilla | https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2022/CVE-2022-48644.mbox | https://bugzilla.suse.com/show_bug.cgi?id=1223511 |
| redhat_bugzilla | https://lore.kernel.org/linux-cve-announce/2024042856-CVE-2022-48644-757e@gregkh/T | https://bugzilla.redhat.com/show_bug.cgi?id=2277819 |
| ubuntu | https://www.cve.org/CVERecord?id=CVE-2022-48644 | https://ubuntu.com/security/CVE-2022-48644 |
| ubuntu | https://git.kernel.org/linus/db46e3a88a09c5cf7e505664d01da7238cd56c92 (6.0-rc7) | https://ubuntu.com/security/CVE-2022-48644 |
| ubuntu | https://git.kernel.org/stable/c/d12a1eb07003e597077329767c6aa86a7e972c76 | https://ubuntu.com/security/CVE-2022-48644 |
| ubuntu | https://git.kernel.org/stable/c/586def6ebed195f3594a4884f7c5334d0e1ad1bb | https://ubuntu.com/security/CVE-2022-48644 |
| ubuntu | https://git.kernel.org/stable/c/f58e43184226e5e9662088ccf1389e424a3a4cbd | https://ubuntu.com/security/CVE-2022-48644 |
| ubuntu | https://git.kernel.org/stable/c/c7c9c7eb305ab8b4e93e4e4e1b78d8cfcbc26323 | https://ubuntu.com/security/CVE-2022-48644 |
| ubuntu | https://git.kernel.org/stable/c/db46e3a88a09c5cf7e505664d01da7238cd56c92 | https://ubuntu.com/security/CVE-2022-48644 |
| ubuntu | https://nvd.nist.gov/vuln/detail/CVE-2022-48644 | https://ubuntu.com/security/CVE-2022-48644 |
| ubuntu | https://launchpad.net/bugs/cve/CVE-2022-48644 | https://ubuntu.com/security/CVE-2022-48644 |
| ubuntu | https://security-tracker.debian.org/tracker/CVE-2022-48644 | https://ubuntu.com/security/CVE-2022-48644 |
| cve_search |  | https://git.kernel.org/stable/c/d12a1eb07003e597077329767c6aa86a7e972c76 |
| cve_search |  | https://git.kernel.org/stable/c/586def6ebed195f3594a4884f7c5334d0e1ad1bb |
| cve_search |  | https://git.kernel.org/stable/c/f58e43184226e5e9662088ccf1389e424a3a4cbd |
| cve_search |  | https://git.kernel.org/stable/c/c7c9c7eb305ab8b4e93e4e4e1b78d8cfcbc26323 |
| cve_search |  | https://git.kernel.org/stable/c/db46e3a88a09c5cf7e505664d01da7238cd56c92 |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  openBrain开源漏洞感知系统
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源  |
| ------- | -------- | ------- | -------- | --------- |
| linux |  | https://git.kernel.org/linus/db46e3a88a09c5cf7e505664d01da7238cd56c92 | https://git.kernel.org/linus/9c66d15646760eb8982242b4531c4d4fd36118fd | ubuntu |

</details>

二、漏洞分析结构反馈
 影响性分析说明：
    Reserved. 
 openEuler评分：
  4.0
 Vector：CVSS：2.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N
 受影响版本排查(受影响/不受影响)：
  1.openEuler-22.03-LTS-SP1(5.10.0):受影响
2.openEuler-20.03-LTS-SP4(4.19.90):不受影响
3.openEuler-22.03-LTS-SP3(5.10.0):不受影响
4.openEuler-22.03-LTS-SP4(5.10.0):不受影响
5.master(6.1.0):不受影响
6.openEuler-24.03-LTS(6.6.0):不受影响
7.openEuler-24.03-LTS-Next(6.6.0):不受影响

修复是否涉及abi变化(是/否)：
  1.openEuler-20.03-LTS-SP4(4.19.90):否
2.openEuler-22.03-LTS-SP1(5.10.0):否
3.openEuler-22.03-LTS-SP3(5.10.0):否
4.master(6.1.0):否
5.openEuler-24.03-LTS(6.6.0):否
6.openEuler-24.03-LTS-Next(6.6.0):否
7.openEuler-22.03-LTS-SP4(5.10.0):否

三、漏洞修复
安全公告链接：https://www.openeuler.org/zh/security/safety-bulletin/detail/?id=openEuler-SA-2024-2080

Hi openeuler-ci-bot, welcome to the openEuler Community.
I'm the Bot here serving you. You can find the instructions on how to interact with me at Here.
If you have any questions, please contact the SIG: Kernel, and any of the maintainers.

@yangyingliang ,@gatieme ,@jiaoff ,@guohaocs2c ,@hanjun-guo ,@woqidaideshi ,@newbeats ,@zhangyi089 ,@colyli ,@thundertown ,@htforge ,@chiqijun ,@lengchao ,@zhujianwei001 ,@kylin-mayukun ,@wangxiongfeng ,@wkfxxx ,@SuperSix173 ,@jentlestea ,@oskernel0719 
**issue处理注意事项:** 
**1. 当前issue受影响的分支提交pr时, 须在pr描述中填写当前issue编号进行关联, 否则无法关闭当前issue;**
**2. 模板内容需要填写完整, 无论是受影响或者不受影响都需要填写完整内容,未引入的分支不需要填写, 否则无法关闭当前issue;**
**3. 以下为模板中需要填写完整的内容, 请复制到评论区回复, 注: 内容的标题名称(影响性分析说明, openEuler评分, 受影响版本排查(受影响/不受影响), 修复是否涉及abi变化(是/否))不能省略,省略后cve-manager将无法正常解析填写内容.**
************************************************************************
影响性分析说明:

openEuler评分: (评分和向量)

受影响版本排查(受影响/不受影响): 
1.master(6.1.0):
2.openEuler-20.03-LTS-SP1(4.19.90):
3.openEuler-20.03-LTS-SP4(4.19.90):
4.openEuler-22.03-LTS(5.10.0):
5.openEuler-22.03-LTS-Next(5.10.0):
6.openEuler-22.03-LTS-SP1(5.10.0):
7.openEuler-22.03-LTS-SP2(5.10.0):
8.openEuler-22.03-LTS-SP3(5.10.0):
9.openEuler-24.03-LTS:
10.openEuler-24.03-LTS-Next:

修复是否涉及abi变化(是/否)：
1.master(6.1.0):
2.openEuler-20.03-LTS-SP1(4.19.90):
3.openEuler-20.03-LTS-SP4(4.19.90):
4.openEuler-22.03-LTS(5.10.0):
5.openEuler-22.03-LTS-Next(5.10.0):
6.openEuler-22.03-LTS-SP1(5.10.0):
7.openEuler-22.03-LTS-SP2(5.10.0):
8.openEuler-22.03-LTS-SP3(5.10.0):
9.openEuler-24.03-LTS:
10.openEuler-24.03-LTS-Next:

-----------------------------------------------------------------------
issue处理具体操作请参考: 
https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
pr关联issue具体操作请参考:
https://gitee.com/help/articles/4142

参考网址	关联pr	状态	补丁链接
https://nvd.nist.gov/vuln/detail/CVE-2022-48644	None	None	https://git.kernel.org/stable/c/c7c9c7eb305ab8b4e93e4e4e1b78d8cfcbc26323 https://git.kernel.org/stable/c/586def6ebed195f3594a4884f7c5334d0e1ad1bb https://git.kernel.org/stable/c/db46e3a88a09c5cf7e505664d01da7238cd56c92 https://git.kernel.org/stable/c/f58e43184226e5e9662088ccf1389e424a3a4cbd https://git.kernel.org/stable/c/d12a1eb07003e597077329767c6aa86a7e972c76
https://ubuntu.com/security/CVE-2022-48644	None	None	https://discourse.ubuntu.com/c/ubuntu-pro
https://www.opencve.io/cve/CVE-2022-48644	None	None	https://git.kernel.org/stable/c/c7c9c7eb305ab8b4e93e4e4e1b78d8cfcbc26323 https://git.kernel.org/stable/c/586def6ebed195f3594a4884f7c5334d0e1ad1bb https://git.kernel.org/stable/c/db46e3a88a09c5cf7e505664d01da7238cd56c92 https://git.kernel.org/stable/c/f58e43184226e5e9662088ccf1389e424a3a4cbd https://git.kernel.org/stable/c/d12a1eb07003e597077329767c6aa86a7e972c76
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2022-48644
https://security-tracker.debian.org/tracker/CVE-2022-48644

说明：补丁链接仅供初步排查参考，实际可用性请人工再次确认，补丁下载验证可使用CVE补丁工具。
若补丁不准确，烦请在此issue下评论 '/report-patch 参考网址补丁链接1,补丁链接2' 反馈正确信息，便于我们不断优化工具，不胜感激。
如 /report-patch https://security-tracker.debian.org/tracker/CVE-2021-3997 https://github.com/systemd/systemd/commit/5b1cf7a9be37e20133c0208005274ce4a5b5c6a1

CVE-2022-48644

影响性分析说明：
Reserved.

openEuler评分:(评分和向量)
0.0
CVSS: 3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N

受影响版本排查(受影响/不受影响):
1.openEuler-20.03-LTS-SP1:不受影响
2.openEuler-20.03-LTS-SP4:不受影响
3.openEuler-22.03-LTS:受影响
4.openEuler-22.03-LTS-SP1:受影响
5.openEuler-22.03-LTS-SP2:不受影响
6.openEuler-22.03-LTS-SP3:不受影响
7.openEuler-22.03-LTS-SP4:不受影响
8.master(6.1.0):不受影响
9.openEuler-22.03-LTS-Next:不受影响
10.openEuler-24.03-LTS:不受影响
11.openEuler-24.03-LTS-Next:不受影响

修复是否涉及abi变化(是/否)：
1.openEuler-20.03-LTS-SP1(4.19.90):否
2.openEuler-20.03-LTS-SP4:否
3.openEuler-22.03-LTS:否
4.openEuler-22.03-LTS-SP1:否
5.openEuler-22.03-LTS-SP2:否
6.openEuler-22.03-LTS-SP3:否
7.master(6.1.0):否
8.openEuler-22.03-LTS-Next:否
9.openEuler-24.03-LTS:否
10.openEuler-24.03-LTS-Next:否
11.openEuler-22.03-LTS-SP4:否

===========================================================

CVE-2022-48644

影响性分析说明：
Reserved.

openEuler评分:(评分和向量)
4.0
CVSS: 3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N

受影响版本排查(受影响/不受影响):
1.openEuler-20.03-LTS-SP1:不受影响
2.openEuler-20.03-LTS-SP4:不受影响
3.openEuler-22.03-LTS:受影响
4.openEuler-22.03-LTS-SP1:受影响
5.openEuler-22.03-LTS-SP2:不受影响
6.openEuler-22.03-LTS-SP3:不受影响
7.openEuler-22.03-LTS-SP4:不受影响
8.master(6.1.0):不受影响
9.openEuler-22.03-LTS-Next:不受影响
10.openEuler-24.03-LTS:不受影响
11.openEuler-24.03-LTS-Next:不受影响

修复是否涉及abi变化(是/否)：
1.openEuler-20.03-LTS-SP1(4.19.90):否
2.openEuler-20.03-LTS-SP4:否
3.openEuler-22.03-LTS:否
4.openEuler-22.03-LTS-SP1:否
5.openEuler-22.03-LTS-SP2:否
6.openEuler-22.03-LTS-SP3:否
7.master(6.1.0):否
8.openEuler-22.03-LTS-Next:否
9.openEuler-24.03-LTS:否
10.openEuler-24.03-LTS-Next:否
11.openEuler-22.03-LTS-SP4:否

===========================================================

@ 经过 cve-manager 解析, 已分析的内容如下表所示:

状态	需分析	内容
已分析	1.影响性分析说明	Reserved.
已分析	2.openEulerScore	4
已分析	3.openEulerVector	AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N
已分析	4.受影响版本排查	openEuler-22.03-LTS:受影响,openEuler-22.03-LTS-SP1:受影响,openEuler-20.03-LTS-SP1:不受影响,openEuler-20.03-LTS-SP4:不受影响,openEuler-22.03-LTS-SP2:不受影响,openEuler-22.03-LTS-SP3:不受影响,openEuler-22.03-LTS-SP4:不受影响,master:不受影响,openEuler-22.03-LTS-Next:不受影响,openEuler-24.03-LTS:不受影响,openEuler-24.03-LTS-Next:不受影响
已分析	5.修复是否涉及abi变化	openEuler-20.03-LTS-SP1:否,openEuler-20.03-LTS-SP4:否,openEuler-22.03-LTS:否,openEuler-22.03-LTS-SP1:否,openEuler-22.03-LTS-SP2:否,openEuler-22.03-LTS-SP3:否,master:否,openEuler-22.03-LTS-Next:否,openEuler-24.03-LTS:否,openEuler-24.03-LTS-Next:否,openEuler-22.03-LTS-SP4:否

请确认分析内容的准确性, 确认无误后, 您可以进行后续步骤, 否则您可以继续分析.

CVE-2022-48644

影响性分析说明：
Reserved.

openEuler评分:(评分和向量)
4.0
CVSS: 3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N

受影响版本排查(受影响/不受影响):
1.openEuler-20.03-LTS-SP4:不受影响
2.openEuler-22.03-LTS-SP1:受影响
3.openEuler-22.03-LTS-SP3:不受影响
4.openEuler-22.03-LTS-SP4:不受影响
5.master(6.1.0):不受影响
6.openEuler-24.03-LTS:不受影响
7.openEuler-24.03-LTS-Next:不受影响

修复是否涉及abi变化(是/否)：
1.openEuler-20.03-LTS-SP4:否
2.openEuler-22.03-LTS-SP1:否
3.openEuler-22.03-LTS-SP3:否
4.master(6.1.0):否
5.openEuler-24.03-LTS:否
6.openEuler-24.03-LTS-Next:否
7.openEuler-22.03-LTS-SP4:否

===========================================================

src-openEuler/kernel

内容风险标识

评论 (12)

src-openEuler/kernel .gitee-modal { width: 500px !important; }

内容风险标识

CVE-2022-48644

评论 (12)

搜索帮助

src-openEuler/kernel