ACK: [SRU][J][PATCH 0/1] CVE-2022-49390

Manuel Diewald manuel.diewald at canonical.com
Fri Oct 17 09:19:08 UTC 2025 

On Thu, Oct 16, 2025 at 03:59:20PM +0200, Sarah Emery wrote:
> On Tue, 14 Oct 2025 at 16:21, Massimiliano Pellizzer <
> massimiliano.pellizzer at canonical.com> wrote:
> 
> > https://ubuntu.com/security/CVE-2022-49390
> >
> > [ Impact ]
> >
> > macsec: fix UAF bug for real_dev
> >
> > Creating a new macsec device without getting a reference to real_dev may
> > trigger a use-after-free bug.
> >
> > [ Fix ]
> >
> > Backport commit 2bce1ebed17d (macsec: fix refcnt leak in module exit
> > routine)
> > from mainline.
> >
> > [ Test Plan ]
> >
> > Compile and boot tested.
> > Tested basic macsec functionalities:
> >
> > $ unshare --map-root-user --net
> > # ip link add dummy0 type dummy
> > # ip link set dummy0 up
> > # ip link add link dummy0 name macsec0 type macsec
> > # ip link set macsec0 up
> > # ip a
> > 1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
> >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> > 2: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state
> > UNKNOWN group default qlen 1000
> >     link/ether aa:ca:71:b5:0f:dd brd ff:ff:ff:ff:ff:ff
> >     inet6 fe80::a8ca:71ff:feb5:fdd/64 scope link
> >        valid_lft forever preferred_lft forever
> > 3: macsec0 at dummy0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1468 qdisc
> > noqueue state UP group default qlen 1000
> >     link/ether aa:ca:71:b5:0f:dd brd ff:ff:ff:ff:ff:ff
> >     inet6 fe80::a8ca:71ff:feb5:fdd/64 scope link tentative
> >        valid_lft forever preferred_lft forever
> > # ip link del dummy0
> > # ip a
> > 1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
> >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >
> > [ Regression Potential ]
> >
> > The fix affects macsec's device handling of the lower (real) net_device
> > lifetime. An issue with this patch may introduce refcount leaks that
> > prevent lower devices from being freed, or incorrect release ordering
> > that re-introduces use-after-free and breaks interface teardown.
> >
> > Ziyang Xuan (1):
> >   macsec: fix UAF bug for real_dev
> >
> >  drivers/net/macsec.c | 5 +++++
> >  1 file changed, 5 insertions(+)
> >
> > --
> > 2.48.1
> >
> >
> > --
> > kernel-team mailing list
> > kernel-team at lists.ubuntu.com
> > https://lists.ubuntu.com/mailman/listinfo/kernel-team
> 
> 
> Acked-by: Sarah Emery <sarah.emery at canonical.com>

This was not sent in reply to the original thread. Could you re-send
this as a proper reply? Otherwise it's quite hard to keep track of
things.

-- 
 Manuel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20251017/4de2e226/attachment.sig>

More information about the kernel-team mailing list