{
  "threat_severity" : "Moderate",
  "public_date" : "2024-07-16T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: ibmvnic: don't release napi in __ibmvnic_open()",
    "id" : "2298147",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2298147"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nibmvnic: don't release napi in __ibmvnic_open()\nIf __ibmvnic_open() encounters an error such as when setting link state,\nit calls release_resources() which frees the napi structures needlessly.\nInstead, have __ibmvnic_open() only clean up the work it did so far (i.e.\ndisable napi and irqs) and leave the rest to the callers.\nIf the caller of __ibmvnic_open() is ibmvnic_open(), it should release the\nresources immediately. If the caller is do_reset() or do_hard_reset(),\nthey will release the resources on the next reset.\nThis fixes the following crash that occurred when running the drmgr command\nseveral times to add/remove a vnic interface:\n[102056] ibmvnic 30000003 env3: Disabling rx_scrq[6] irq\n[102056] ibmvnic 30000003 env3: Disabling rx_scrq[7] irq\n[102056] ibmvnic 30000003 env3: Replenished 8 pools\nKernel attempted to read user page (10) - exploit attempt? (uid: 0)\nBUG: Kernel NULL pointer dereference on read at 0x00000010\nFaulting instruction address: 0xc000000000a3c840\nOops: Kernel access of bad area, sig: 11 [#1]\nLE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries\n...\nCPU: 9 PID: 102056 Comm: kworker/9:2 Kdump: loaded Not tainted 5.16.0-rc5-autotest-g6441998e2e37 #1\nWorkqueue: events_long __ibmvnic_reset [ibmvnic]\nNIP:  c000000000a3c840 LR: c0080000029b5378 CTR: c000000000a3c820\nREGS: c0000000548e37e0 TRAP: 0300   Not tainted  (5.16.0-rc5-autotest-g6441998e2e37)\nMSR:  8000000000009033 <SF,EE,ME,IR,DR,RI,LE>  CR: 28248484  XER: 00000004\nCFAR: c0080000029bdd24 DAR: 0000000000000010 DSISR: 40000000 IRQMASK: 0\nGPR00: c0080000029b55d0 c0000000548e3a80 c0000000028f0200 0000000000000000\n...\nNIP [c000000000a3c840] napi_enable+0x20/0xc0\nLR [c0080000029b5378] __ibmvnic_open+0xf0/0x430 [ibmvnic]\nCall Trace:\n[c0000000548e3a80] [0000000000000006] 0x6 (unreliable)\n[c0000000548e3ab0] [c0080000029b55d0] __ibmvnic_open+0x348/0x430 [ibmvnic]\n[c0000000548e3b40] [c0080000029bcc28] __ibmvnic_reset+0x500/0xdf0 [ibmvnic]\n[c0000000548e3c60] [c000000000176228] process_one_work+0x288/0x570\n[c0000000548e3d00] [c000000000176588] worker_thread+0x78/0x660\n[c0000000548e3da0] [c0000000001822f0] kthread+0x1c0/0x1d0\n[c0000000548e3e10] [c00000000000cf64] ret_from_kernel_thread+0x5c/0x64\nInstruction dump:\n7d2948f8 792307e0 4e800020 60000000 3c4c01eb 384239e0 f821ffd1 39430010\n38a0fff6 e92d1100 f9210028 39200000 <e9030010> f9010020 60420000 e9210020\n---[ end trace 5f8033b08fd27706 ]---", "A vulnerability was found in the Linux kernel's ibmvnic driver. When __ibmvnic_open() fails part-way through (for example, while setting the link state), it calls release_resources() and frees the NAPI structures, even though its callers in the reset path (do_reset() and do_hard_reset()) still own those resources and expect them to remain allocated. A subsequent reset reopens the adapter and napi_enable() dereferences the freed, now-NULL NAPI pointer. The result is a kernel NULL pointer dereference and a system crash (denial of service) that disrupts network operations; the reporter triggered it by repeatedly adding and removing a vnic interface with the drmgr command." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-48811", "https://nvd.nist.gov/vuln/detail/CVE-2022-48811", "https://lore.kernel.org/linux-cve-announce/2024071647-CVE-2022-48811-5c54@gregkh/T" ],
  "name" : "CVE-2022-48811",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}
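The resource-ownership mistake the commit message describes (an open routine that, on its own error path, frees objects its caller still owns, so the next reset dereferences a NULL pointer) is easy to reproduce in user space. The following C program is an added illustration, not code from the ibmvnic driver or from Red Hat: it models the adapter with a handful of fields, a fault-injection flag standing in for a failed set_link_state(), and a `null_deref` counter that records what the kernel's napi_enable() would have faulted on. The function names ibmvnic_open_buggy(), ibmvnic_open_fixed(), napi_enable_model(), NUM_QUEUES and the two scenario helpers are all constructed for this example; only the call order (enable napi, enable irqs, set link state, then either release everything or undo only the first two steps) follows the commit message.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define NUM_QUEUES 8            /* constructed: number of per-queue NAPI contexts */

/* Minimal stand-ins for the kernel objects named in the advisory. */
struct napi_model { int enabled; };

struct adapter {
    struct napi_model *napi;    /* per-queue NAPI contexts; NULL once released */
    int irqs_enabled;
    int inject_link_error;      /* constructed fault injection for set_link_state() */
    int null_deref;             /* set instead of faulting when napi is NULL */
};

static int init_resources(struct adapter *a)
{
    a->napi = calloc(NUM_QUEUES, sizeof *a->napi);
    return a->napi ? 0 : -ENOMEM;
}

static void release_resources(struct adapter *a)
{
    free(a->napi);
    a->napi = NULL;
}

/* Models napi_enable(): it reads the napi struct unconditionally, which is the
 * "NULL pointer dereference on read at 0x00000010" in the advisory's trace. */
static int napi_enable_model(struct adapter *a, int q)
{
    if (!a->napi) {
        a->null_deref = 1;
        return -EFAULT;
    }
    a->napi[q].enabled = 1;
    return 0;
}

static void napi_disable_all(struct adapter *a)
{
    if (!a->napi)
        return;
    for (int q = 0; q < NUM_QUEUES; q++)
        a->napi[q].enabled = 0;
}

static int set_link_state(struct adapter *a)
{
    return a->inject_link_error ? -EIO : 0;
}

/* Before the fix: a failure after napi and irqs are enabled tears down
 * everything, including the napi contexts the reset path still owns. */
static int ibmvnic_open_buggy(struct adapter *a)
{
    int rc;
    for (int q = 0; q < NUM_QUEUES; q++) {
        rc = napi_enable_model(a, q);
        if (rc)
            return rc;
    }
    a->irqs_enabled = 1;
    rc = set_link_state(a);
    if (rc) {
        a->irqs_enabled = 0;
        release_resources(a);   /* frees napi; do_reset() will reuse it later */
    }
    return rc;
}

/* After the fix: undo only what this function did (napi and irqs) and leave
 * resource lifetime to ibmvnic_open() / do_reset(). */
static int ibmvnic_open_fixed(struct adapter *a)
{
    int rc;
    for (int q = 0; q < NUM_QUEUES; q++) {
        rc = napi_enable_model(a, q);
        if (rc)
            return rc;
    }
    a->irqs_enabled = 1;
    rc = set_link_state(a);
    if (rc) {
        napi_disable_all(a);
        a->irqs_enabled = 0;
    }
    return rc;
}

typedef int (*open_fn)(struct adapter *);

static open_fn pick(int fixed)
{
    return fixed ? ibmvnic_open_fixed : ibmvnic_open_buggy;
}

/* Returns 1 if the napi contexts survive a failed open (what the callers expect). */
int napi_kept_after_failed_open(int fixed)
{
    struct adapter a = {0};
    if (init_resources(&a))
        return -1;
    a.inject_link_error = 1;
    int rc = pick(fixed)(&a);
    int kept = (rc != 0) && (a.napi != NULL);
    release_resources(&a);
    return kept;
}

/* The drmgr add/remove sequence from the advisory: a failed open, then the
 * reset worker reopening the adapter with resources it believes are intact.
 * Returns 1 if the model hit the NULL napi pointer. */
int reset_after_failed_open_crashes(int fixed)
{
    struct adapter a = {0};
    if (init_resources(&a))
        return -1;
    a.inject_link_error = 1;
    (void)pick(fixed)(&a);      /* first open fails at set_link_state() */
    a.inject_link_error = 0;
    (void)pick(fixed)(&a);      /* do_reset() -> __ibmvnic_open() retry */
    int crashed = a.null_deref;
    release_resources(&a);
    return crashed;
}

int main(void)
{
    printf("buggy: napi kept after failed open=%d, reset crashes=%d\n",
           napi_kept_after_failed_open(0), reset_after_failed_open_crashes(0));
    printf("fixed: napi kept after failed open=%d, reset crashes=%d\n",
           napi_kept_after_failed_open(1), reset_after_failed_open_crashes(1));
    return 0;
}
```

The check a reviewer wants on any error path of this shape is the one the commit message states: an unwind must release only what the function itself acquired, and anything owned by the caller (here, resources allocated before __ibmvnic_open() and reused across resets) must be left for the caller to free. Running the buggy variant under the model shows the napi pointer gone after the first failed open and the retry hitting NULL; the fixed variant keeps the allocation and the retry succeeds.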