Bug 1207048 - (CVE-2022-3977) VUL-0: CVE-2022-3977: kernel-source-rt,kernel-source,kernel-source-azure: kernel: use-after-free bug in mctp_sk_unhash in net/mctp/af_mctp.c
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
: P5 - None : Normal
Assigned To: Kernel Bugs
Security Team bot
https://smash.suse.de/issue/347879/
Reported: 2023-01-11 11:48 UTC by Hu
Modified: 2023-01-11 11:48 UTC (History)
Found By: Security Response Team
Description Hu 2023-01-11 11:48:03 UTC
rh#2142371

A use-after-free flaw was found in the Linux kernel MCTP (Management Component Transport Protocol) implementation.
Starting from kernel version 5.18.0, after commit 63ed1aab3d40aa61aaa66819bdce9377ac7f40fa, which introduces the ioctls SIOCMCTPALLOCTAG and SIOCMCTPDROPTAG (DROPTAGS), there is a bug in the mctp_sk_unhash function. The reason for the bug is that a simultaneous DROPTAG ioctl and socket close may lead to a race condition.

Reference:
https://seclists.org/oss-sec/2022/q4/36

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2142371
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3977
https://seclists.org/oss-sec/2022/q4/139
https://access.redhat.com/security/cve/CVE-2022-3977
Comment 1 Hu 2023-01-11 11:48:38 UTC
Introduced in stable with 63ed1aab3d40aa61aaa66819bdce9377ac7f40fa
Fixed in stable with 3a732b46736cd8a29092e4b0b1a9ba83e672bf89

Closing