{"timestamp":"2024-10-22T13:18:28.477565Z","id":"CVE-2022-48976","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}

[{"vendor":"Linux","product":"Linux","defaultStatus":"unaffected","programFiles":["net/netfilter/nf_flow_table_offload.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"b038177636f83bbf87c2b238706474145dd2cd04","lessThan":"a220a11fda012fba506b35929672374c2723ae6d","versionType":"git","status":"affected"},{"version":"b038177636f83bbf87c2b238706474145dd2cd04","lessThan":"a81047154e7ce4eb8769d5d21adcbc9693542a79","versionType":"git","status":"affected"},{"version":"5345d78ae64d5a760c211cd2da995dc71c5b29e4","versionType":"git","status":"affected"},{"version":"5.15.157","lessThan":"5.16","versionType":"semver","status":"affected"}]},{"vendor":"Linux","product":"Linux","defaultStatus":"affected","programFiles":["net/netfilter/nf_flow_table_offload.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","versions":[{"version":"6.0","status":"affected"},{"version":"0","lessThan":"6.0","versionType":"semver","status":"unaffected"},{"version":"6.0.13","lessThanOrEqual":"6.0.*","versionType":"semver","status":"unaffected"},{"version":"6.1","lessThanOrEqual":"*","versionType":"original_commit_for_fix","status":"unaffected"}]}]

NIST AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

NIST NVD-CWE-noinfo

OR
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.15.157 up to (excluding) 6.0.13
     *cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
     *cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
     *cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*
     *cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*
     *cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*
     *cpe:2.3:o:linux:linux_kernel:6.11:rc6:*:*:*:*:*:*
     *cpe:2.3:o:linux:linux_kernel:6.11:rc7:*:*:*:*:*:*
     *cpe:2.3:o:linux:linux_kernel:6.11:rc8:*:*:*:*:*:*

https://git.kernel.org/stable/c/a220a11fda012fba506b35929672374c2723ae6d No Types Assigned

https://git.kernel.org/stable/c/a220a11fda012fba506b35929672374c2723ae6d Patch

https://git.kernel.org/stable/c/a81047154e7ce4eb8769d5d21adcbc9693542a79 No Types Assigned

https://git.kernel.org/stable/c/a81047154e7ce4eb8769d5d21adcbc9693542a79 Patch

In the Linux kernel, the following vulnerability has been resolved:

netfilter: flowtable_offload: fix using __this_cpu_add in preemptible

flow_offload_queue_work() can be called in workqueue without
bh disabled, like the call trace showed in my act_ct testing,
calling NF_FLOW_TABLE_STAT_INC() there would cause a call
trace:

  BUG: using __this_cpu_add() in preemptible [00000000] code: kworker/u4:0/138560
  caller is flow_offload_queue_work+0xec/0x1b0 [nf_flow_table]
  Workqueue: act_ct_workqueue tcf_ct_flow_table_cleanup_work [act_ct]
  Call Trace:
   <TASK>
   dump_stack_lvl+0x33/0x46
   check_preemption_disabled+0xc3/0xf0
   flow_offload_queue_work+0xec/0x1b0 [nf_flow_table]
   nf_flow_table_iterate+0x138/0x170 [nf_flow_table]
   nf_flow_table_free+0x140/0x1a0 [nf_flow_table]
   tcf_ct_flow_table_cleanup_work+0x2f/0x2b0 [act_ct]
   process_one_work+0x6a3/0x1030
   worker_thread+0x8a/0xdf0

This patch fixes it by using NF_FLOW_TABLE_STAT_INC_ATOMIC()
instead in flow_offload_queue_work().

Note that for FLOW_CLS_REPLACE branch in flow_offload_queue_work(),
it may not be called in preemptible path, but it's good to use
NF_FLOW_TABLE_STAT_INC_ATOMIC() for all cases in
flow_offload_queue_work().

kernel.org https://git.kernel.org/stable/c/a220a11fda012fba506b35929672374c2723ae6d [No types assigned]

kernel.org https://git.kernel.org/stable/c/a81047154e7ce4eb8769d5d21adcbc9693542a79 [No types assigned]