ACK: Re: [SRU][J][PATCH 0/1] CVE-2022-49390

Paolo Pisati paolo.pisati at canonical.com
Tue Oct 14 14:43:31 UTC 2025 

On Tue, Oct 14, 2025 at 04:20:46PM +0200, Massimiliano Pellizzer wrote:
> https://ubuntu.com/security/CVE-2022-49390
> 
> [ Impact ]
> 
> macsec: fix UAF bug for real_dev
> 
> Creating a new macsec device without getting a reference to real_dev may
> trigger a use-after-free bug.
> 
> [ Fix ]
> 
> Backport commit 2bce1ebed17d (macsec: fix refcnt leak in module exit routine)
> from mainline.
> 
> [ Test Plan ]
> 
> Compile and boot tested.
> Tested basic macsec functionalities:
> 
> $ unshare --map-root-user --net
> # ip link add dummy0 type dummy
> # ip link set dummy0 up
> # ip link add link dummy0 name macsec0 type macsec
> # ip link set macsec0 up
> # ip a
> 1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> 2: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/ether aa:ca:71:b5:0f:dd brd ff:ff:ff:ff:ff:ff
>     inet6 fe80::a8ca:71ff:feb5:fdd/64 scope link 
>        valid_lft forever preferred_lft forever
> 3: macsec0 at dummy0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1468 qdisc noqueue state UP group default qlen 1000
>     link/ether aa:ca:71:b5:0f:dd brd ff:ff:ff:ff:ff:ff
>     inet6 fe80::a8ca:71ff:feb5:fdd/64 scope link tentative 
>        valid_lft forever preferred_lft forever
> # ip link del dummy0
> # ip a
> 1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> 
> [ Regression Potential ]
> 
> The fix affects macsec's device handling of the lower (real) net_device
> lifetime. An issue with this patch may introduce refcount leaks that
> prevent lower devices from being freed, or incorrect release ordering
> that re-introduces use-after-free and breaks interface teardown.
> 
> Ziyang Xuan (1):
>   macsec: fix UAF bug for real_dev
> 
>  drivers/net/macsec.c | 5 +++++
>  1 file changed, 5 insertions(+)

Acked-by: Paolo Pisati <paolo.pisati at canonical.com>
-- 
bye,
p.

More information about the kernel-team mailing list