CVE-2022-48841 - Linux Kernel NULL Pointer Dereference Vulnerability Resolution in ice_update_vsi_tx_ring_stats()

A recent vulnerability in the Linux kernel has been resolved which pertained to the potential for a NULL pointer dereference in the ice_update_vsi_tx_ring_stats() function. This post presents a detailed overview of the issue, examines the code involved, and provides information regarding the resolution and a link to the original sources.

CVE-2022-48841: Details of the Vulnerability

The Linux kernel vulnerability in question, referred to as CVE-2022-48841, deals with a situation where a NULL pointer dereference may occur while updating Tx ring stats. Under normal circumstances, the per-ring packet and byte counters are updated only when the ring pointer is valid. The problem arises later in the same function, when the ring is dereferenced again, without that check, in order to propagate the gathered Tx stats onto the VSI stats.

As a result, this may potentially lead to undesirable behaviors, including crashes, data corruption, or even granting unauthorized access to the system depending on the specific usage scenario and implementation.

The primary area of concern exists within the ice_update_vsi_tx_ring_stats() function, as detailed below:

static void
ice_update_vsi_tx_ring_stats(struct ice_vsi *vsi,
			     struct ice_ring_container *tx_ring_container)
{
	unsigned int i;

	/* The VSI and the ring container are validated, but each ring slot
	 * inside the container is not. */
	if (!vsi || !tx_ring_container)
		return;

	for (i = 0; i < tx_ring_container->num_rings; i++) {
		u64 bytes, pkts;
		struct ice_ring *tx_ring;

		tx_ring = tx_ring_container->ring[i];
+		/* Fix: a ring slot may be NULL; skip it instead of dereferencing it. */
+		if (!tx_ring)
+			continue;

		/* Read the per-ring counters from this ring. */
		bytes = tx_ring->stats.bytes;
		pkts = tx_ring->stats.pkts;
		tx_ring->syncp->bytes = bytes;
		tx_ring->syncp->pkts = pkts;

		/* Propagate the per-ring counters onto the VSI totals. */
		vsi->net_stats.tx_bytes += tx_ring->stats.bytes;
		vsi->net_stats.tx_packets += tx_ring->stats.pkts;
	}
}

Resolution of CVE-2022-48841

To resolve the issue, the existing logic was changed; the revised code snippet is shown above with the added lines marked by a "+" sign. The modification checks each ring pointer before it is used: if tx_ring is NULL, the loop simply moves on to the next ring. This prevents the NULL pointer dereference and, as a result, mitigates the associated risks and potential consequences.
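The following is an added, self-contained example (not code from the kernel or the ice driver) that models the same aggregation loop over a ring container in which one slot is NULL. The structure and field names (ring_container, tx_ring, vsi_stats, and the skipped counter) are simplified assumptions for illustration only. The per-ring check is the one the fix introduces: a NULL slot is counted as skipped and the remaining rings are still accumulated into the VSI totals.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified models of the driver data structures.
 * These names and fields are assumptions for this example, not the
 * ice driver's own definitions. */
struct ring_stats   { uint64_t bytes; uint64_t pkts; };
struct tx_ring      { struct ring_stats stats; };
struct ring_container { size_t num_rings; struct tx_ring **ring; };
struct vsi_stats    { uint64_t tx_bytes; uint64_t tx_packets; size_t skipped; };

/* Aggregates per-ring Tx counters into the VSI totals, skipping any slot
 * whose ring pointer is NULL (the check added by the fix).  Returns the
 * number of rings actually accumulated. */
size_t update_vsi_tx_stats(struct vsi_stats *vsi, const struct ring_container *c)
{
	size_t used = 0;

	if (!vsi || !c)
		return 0;

	for (size_t i = 0; i < c->num_rings; i++) {
		const struct tx_ring *r = c->ring[i];

		/* Without this check, a NULL slot is dereferenced below. */
		if (!r) {
			vsi->skipped++;
			continue;
		}

		vsi->tx_bytes += r->stats.bytes;
		vsi->tx_packets += r->stats.pkts;
		used++;
	}
	return used;
}

/* Constructed sample: three ring slots, the middle one NULL, as would
 * happen if a ring were torn down or never allocated. */
static struct tx_ring sample_ring0 = { { 1000, 10 } };
static struct tx_ring sample_ring2 = { { 500, 5 } };
static struct tx_ring *sample_slots[] = { &sample_ring0, NULL, &sample_ring2 };
static const struct ring_container sample_container = { 3, sample_slots };

/* Runs the aggregation over the constructed sample and returns the totals. */
struct vsi_stats run_sample(void)
{
	struct vsi_stats vsi = { 0, 0, 0 };

	update_vsi_tx_stats(&vsi, &sample_container);
	return vsi;
}

/* Number of non-NULL rings accumulated for the constructed sample. */
size_t sample_rings_used(void)
{
	struct vsi_stats vsi = { 0, 0, 0 };

	return update_vsi_tx_stats(&vsi, &sample_container);
}

int main(void)
{
	struct vsi_stats vsi = run_sample();

	printf("rings used: %zu, skipped: %zu\n", sample_rings_used(), vsi.skipped);
	printf("tx_bytes: %llu, tx_packets: %llu\n",
	       (unsigned long long)vsi.tx_bytes,
	       (unsigned long long)vsi.tx_packets);
	return 0;
}
```

Removing the `if (!r)` branch reproduces the defect class the page describes: the loop would read through the NULL slot in the sample and crash, even though the container itself passed the earlier validity check.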

References and Further Reading

For a more in-depth understanding of the topic and a detailed explanation of the vulnerability, its possible consequences, and the resolution, you can refer to the following resources:

1. Linux kernel source code (ice_ethtool_stats.c): https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/drivers/net/ethernet/intel/ice/ice_ethtool_stats.c?id=59a85cdaac19ad06074abb6dd24aa815d85f71b1
2. CVE-2022-48841: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48841

Conclusion

In conclusion, the Linux kernel vulnerability CVE-2022-48841 involving a potential NULL pointer dereference in the ice_update_vsi_tx_ring_stats() function has now been resolved through the implementation of updated logic. By making this important change, the risks and potential negative consequences associated with this issue have been effectively mitigated, thereby further enhancing the security and stability of Linux systems.

Timeline

Published on: 07/16/2024 13:15:11 UTC
Last modified on: 08/03/2024 15:25:01 UTC