[SRU][J][PATCH 0/1] CVE-2022-49390
Massimiliano Pellizzer
massimiliano.pellizzer at canonical.com
Tue Oct 14 14:20:46 UTC 2025
https://ubuntu.com/security/CVE-2022-49390
[ Impact ]
macsec: fix UAF bug for real_dev
Creating a new macsec device without getting a reference to real_dev may
trigger a use-after-free bug.
[ Fix ]
Backport commit 2bce1ebed17d (macsec: fix refcnt leak in module exit routine)
from mainline.
[ Test Plan ]
Compile and boot tested.
Tested basic macsec functionalities:
$ unshare --map-root-user --net
# ip link add dummy0 type dummy
# ip link set dummy0 up
# ip link add link dummy0 name macsec0 type macsec
# ip link set macsec0 up
# ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether aa:ca:71:b5:0f:dd brd ff:ff:ff:ff:ff:ff
    inet6 fe80::a8ca:71ff:feb5:fdd/64 scope link
       valid_lft forever preferred_lft forever
3: macsec0@dummy0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1468 qdisc noqueue state UP group default qlen 1000
    link/ether aa:ca:71:b5:0f:dd brd ff:ff:ff:ff:ff:ff
    inet6 fe80::a8ca:71ff:feb5:fdd/64 scope link tentative
       valid_lft forever preferred_lft forever
# ip link del dummy0
# ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
[ Regression Potential ]
The fix affects macsec's device handling of the lower (real) net_device
lifetime. An issue with this patch may introduce refcount leaks that
prevent lower devices from being freed, or incorrect release ordering
that re-introduces use-after-free and breaks interface teardown.
Ziyang Xuan (1):
macsec: fix UAF bug for real_dev
drivers/net/macsec.c | 5 +++++
1 file changed, 5 insertions(+)
--
2.48.1
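
The two failure modes named under Regression Potential, shown as an added user-space model; it is not the kernel patch and not code from this posting. All names (lower_dev, upper_dev, scenario and the *_model helpers) are hypothetical, and a `freed` flag stands in for real deallocation so that a stale access can be observed safely.

```c
/* Constructed model: an upper (macsec-like) device pointing at a lower real_dev. */
#include <stdbool.h>
#include <stdio.h>

struct lower_dev { int refcnt; bool freed; };   /* stands in for real_dev */
struct upper_dev { struct lower_dev *real_dev; bool holds_ref; };

enum outcome { OUT_OK, OUT_STALE, OUT_LEAK };

static void dev_hold_model(struct lower_dev *d) { d->refcnt++; }

static void dev_put_model(struct lower_dev *d)
{
    if (--d->refcnt == 0)
        d->freed = true;            /* the last reference releases the device */
}

/* Link the upper device; take_ref selects whether it pins the lower device. */
static void upper_link(struct upper_dev *u, struct lower_dev *l, bool take_ref)
{
    u->real_dev = l;
    u->holds_ref = take_ref;
    if (take_ref)
        dev_hold_model(l);
}

/* Upper teardown touches real_dev; do_put=false models a forgotten release. */
static bool upper_free(struct upper_dev *u, bool do_put)
{
    bool stale = u->real_dev->freed;    /* in real code this read is the UAF */
    if (u->holds_ref && do_put)
        dev_put_model(u->real_dev);
    return stale;
}

enum outcome scenario(bool take_ref, bool do_put)
{
    struct lower_dev lower = { .refcnt = 1, .freed = false };  /* owner's ref */
    struct upper_dev upper;

    upper_link(&upper, &lower, take_ref);
    dev_put_model(&lower);              /* lower device is deleted first */
    if (upper_free(&upper, do_put))
        return OUT_STALE;               /* upper used a released device */
    return lower.freed ? OUT_OK : OUT_LEAK;
}

int main(void)
{
    printf("no hold: %d, hold+put: %d, hold only: %d\n",
           scenario(false, true), scenario(true, true), scenario(true, false));
    return 0;
}
```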