CVE-2022-49812

{"id": "CVE-2022-49812", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-05-01T15:16:04.560", "references": [{"url": "https://git.kernel.org/stable/c/347f1793b573466424c550f2748ed837b6690fe7", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9d45921ee4cb364910097e7d1b7558559c2f9fd2", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f8926e2d2225eb7b7e11cd3fa266aaad9075b767", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fc16a2c81a3eb1cbba8775f5bdc67856df903a7c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-401"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: switchdev: Fix memory leaks when changing VLAN protocol\n\nThe bridge driver can offload VLANs to the underlying hardware either\nvia switchdev or the 8021q driver. When the former is used, the VLAN is\nmarked in the bridge driver with the 'BR_VLFLAG_ADDED_BY_SWITCHDEV'\nprivate flag.\n\nTo avoid the memory leaks mentioned in the cited commit, the bridge\ndriver will try to delete a VLAN via the 8021q driver if the VLAN is not\nmarked with the previously mentioned flag.\n\nWhen the VLAN protocol of the bridge changes, switchdev drivers are\nnotified via the 'SWITCHDEV_ATTR_ID_BRIDGE_VLAN_PROTOCOL' attribute, but\nthe 8021q driver is also called to add the existing VLANs with the new\nprotocol and delete them with the old protocol.\n\nIn case the VLANs were offloaded via switchdev, the above behavior is\nboth redundant and buggy. Redundant because the VLANs are already\nprogrammed in hardware and drivers that support VLAN protocol change\n(currently only mlx5) change the protocol upon the switchdev attribute\nnotification. Buggy because the 8021q driver is called despite these\nVLANs being marked with 'BR_VLFLAG_ADDED_BY_SWITCHDEV'. This leads to\nmemory leaks [1] when the VLANs are deleted.\n\nFix by not calling the 8021q driver for VLANs that were already\nprogrammed via switchdev.\n\n[1]\nunreferenced object 0xffff8881f6771200 (size 256):\n comm \"ip\", pid 446855, jiffies 4298238841 (age 55.240s)\n hex dump (first 32 bytes):\n 00 00 7f 0e 83 88 ff ff 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [<00000000012819ac>] vlan_vid_add+0x437/0x750\n [<00000000f2281fad>] __br_vlan_set_proto+0x289/0x920\n [<000000000632b56f>] br_changelink+0x3d6/0x13f0\n [<0000000089d25f04>] __rtnl_newlink+0x8ae/0x14c0\n [<00000000f6276baf>] rtnl_newlink+0x5f/0x90\n [<00000000746dc902>] rtnetlink_rcv_msg+0x336/0xa00\n [<000000001c2241c0>] netlink_rcv_skb+0x11d/0x340\n [<0000000010588814>] netlink_unicast+0x438/0x710\n [<00000000e1a4cd5c>] netlink_sendmsg+0x788/0xc40\n [<00000000e8992d4e>] sock_sendmsg+0xb0/0xe0\n [<00000000621b8f91>] ____sys_sendmsg+0x4ff/0x6d0\n [<000000000ea26996>] ___sys_sendmsg+0x12e/0x1b0\n [<00000000684f7e25>] __sys_sendmsg+0xab/0x130\n [<000000004538b104>] do_syscall_64+0x3d/0x90\n [<0000000091ed9678>] entry_SYSCALL_64_after_hwframe+0x46/0xb0"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bridge: switchdev: Fix memory leakage when Changing VLAN protocol El controlador del puente puede descargar VLAN al hardware subyacente mediante switchdev o el controlador 8021q. Cuando se utiliza el primero, la VLAN se marca en el controlador del puente con el indicador privado 'BR_VLFLAG_ADDED_BY_SWITCHDEV'. Para evitar las fugas de memoria mencionadas en la confirmaci\u00f3n citada, el controlador del puente intentar\u00e1 eliminar una VLAN mediante el controlador 8021q si la VLAN no est\u00e1 marcada con el indicador mencionado anteriormente. Cuando cambia el protocolo VLAN del puente, se notifica a los controladores switchdev mediante el atributo 'SWITCHDEV_ATTR_ID_BRIDGE_VLAN_PROTOCOL', pero tambi\u00e9n se llama al controlador 8021q para agregar las VLAN existentes con el nuevo protocolo y eliminarlas con el protocolo anterior. En caso de que las VLAN se descargaran mediante switchdev, el comportamiento anterior es redundante y presenta errores. Redundante porque las VLAN ya est\u00e1n programadas en el hardware y los controladores compatibles con el cambio de protocolo de VLAN (actualmente solo mlx5) cambian el protocolo al recibir la notificaci\u00f3n del atributo switchdev. Presenta errores porque se llama al controlador 8021q a pesar de que estas VLAN est\u00e1n marcadas con 'BR_VLFLAG_ADDED_BY_SWITCHDEV'. Esto provoca fugas de memoria [1] al eliminar las VLAN. Se soluciona no llamando al controlador 8021q para las VLAN ya programadas mediante switchdev. [1] objeto sin referencia 0xffff8881f6771200 (tama\u00f1o 256): comm \"ip\", pid 446855, jiffies 4298238841 (edad 55.240s) volcado hexadecimal (primeros 32 bytes): 00 00 7f 0e 83 88 ff ff 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [&lt;00000000012819ac&gt;] vlan_vid_add+0x437/0x750 [&lt;00000000f2281fad&gt;] __br_vlan_set_proto+0x289/0x920 [&lt;000000000632b56f&gt;] br_changelink+0x3d6/0x13f0 [&lt;0000000089d25f04&gt;] __rtnl_newlink+0x8ae/0x14c0 [&lt;00000000f6276baf&gt;] rtnl_newlink+0x5f/0x90 [&lt;00000000746dc902&gt;] rtnetlink_rcv_msg+0x336/0xa00 [&lt;000000001c2241c0&gt;] netlink_rcv_skb+0x11d/0x340 [&lt;0000000010588814&gt;] netlink_unicast+0x438/0x710 [&lt;00000000e1a4cd5c&gt;] netlink_sendmsg+0x788/0xc40 [&lt;00000000e8992d4e&gt;] sock_sendmsg+0xb0/0xe0 [&lt;00000000621b8f91&gt;] ____sys_sendmsg+0x4ff/0x6d0 [&lt;000000000ea26996&gt;] ___sys_sendmsg+0x12e/0x1b0 [&lt;00000000684f7e25&gt;] __sys_sendmsg+0xab/0x130 [&lt;000000004538b104&gt;] do_syscall_64+0x3d/0x90 [&lt;0000000091ed9678&gt;] entry_SYSCALL_64_after_hwframe+0x46/0xb0 "}], "lastModified": "2025-11-07T18:54:04.903", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B5B3E31C-BDC7-42A7-BE36-E25882042FD6", "versionEndExcluding": "5.10.157", "versionStartIncluding": "5.0.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "51BBEF3B-79F5-4D4C-ADBA-F34DA0E2465C", "versionEndExcluding": "5.15.80", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "64F9ADD1-3ADB-4D66-A00F-4A83010B05F0", "versionEndExcluding": "6.0.10", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1D0FE595-0CFE-4491-808B-CEF691CE7B0A"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.0:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "963CFC36-FBAD-465F-9891-CDBBF962DFDD"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.0:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1B084A7A-6047-4804-9395-6000E4A43828"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.0:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C3430640-AC87-44BF-ABF5-09E0A97E3758"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.0:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FDF49B77-4688-4908-9239-89B729456D22"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.0:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "77F342FB-3D7B-4EAE-BF8B-57B7B860BAFD"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.0:rc8:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "47D61679-6515-4E18-83C7-A71982CCD83C"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E7E331DA-1FB0-4DEC-91AC-7DA69D461C11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17F0B248-42CF-4AE6-A469-BB1BAE7F4705"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E2422816-0C14-4B5E-A1E6-A9D776E5C49B"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1C6E00FE-5FB9-4D20-A1A1-5A32128F9B76"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "35B26BE4-43A6-4A36-A7F6-5B3F572D9186"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}