CVE-2022-49622 Information

Mar 01, 2025 cve

Description

In the Linux kernel the following vulnerability has been resolved:

netfilter: nf_tables: avoid skb access on nf_stolen

When verdict is NF_STOLEN the skb might have been freed.

When tracing is enabled this can result in a use-after-free:

  1. access to skb->nf_trace
  2. access to skb->mark
  3. computation of trace id
  4. dump of packet payload

To avoid 1 keep a cached copy of skb->nf_trace in the trace state struct. Refresh this copy whenever verdict is != STOLEN.

Avoid 2 by skipping skb->mark access if verdict is STOLEN.

3 is avoided by precomputing the trace id.

Only dump the packet when verdict is not \STOLEN.

Reference

https://git.kernel.org/stable/c/0016d5d46d7440729a3132f61a8da3bf7f84e2ba https://git.kernel.org/stable/c/e34b9ed96ce3b06c79bf884009b16961ca478f87

Share on: