Bugzilla – Bug 1207048
VUL-0: CVE-2022-3977: kernel-source-rt,kernel-source,kernel-source-azure: kernel: use-after-free bug in mctp_sk_unhash in net/mctp/af_mctp.c
Last modified: 2023-01-11 11:48:38 UTC
A use-after-free flaw was found in the Linux kernel MCTP (Management Component Transport Protocol) implementation.
Starting from kernel version 5.18.0, after commit 63ed1aab3d40aa61aaa66819bdce9377ac7f40fa, which introduces the ioctls SIOCMCTPALLOCTAG and SIOCMCTPDROPTAG (DROPTAGS), there is a bug in the mctp_sk_unhash function. The cause of the bug is that a simultaneous DROPTAG ioctl and socket close may lead to a race condition.
Introduced in stable with 63ed1aab3d40aa61aaa66819bdce9377ac7f40fa
Fixed in stable with 3a732b46736cd8a29092e4b0b1a9ba83e672bf89