PT-2022-7625 · Linux · Linux Kernel
Marek Marczykowski-Górecki · Published 2022-02-25 · Updated 2024-09-27
CVE-2022-48914
CVSS v3.1
5.5
Medium
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 5.16.10-1.32.fc32.qubes.x86_64+ #226
Description
The vulnerability is in the xen/netfront driver of the Linux kernel. xennet_destroy_queues() relies on info->netdev->real_num_tx_queues to know how many queues it has to tear down. Since the queue counts started being updated in the unregistration path, unregister_netdev() indirectly sets real_num_tx_queues to 0. As a result, xennet_destroy_queues(), which xennet_remove() calls only after unregister_netdev(), iterates zero times: it unlinks no queue from NAPI and then frees the queue memory anyway. Freeing queues that are still linked in NAPI leads to a crash from a kernel NULL pointer dereference.
Recommendations
To resolve this issue, call xennet_destroy_queues() from the driver's ndo_uninit callback, xennet_uninit(), which unregister_netdev() invokes while real_num_tx_queues still holds its real value. This ensures the queues are destroyed before real_num_tx_queues is reset to 0, regardless of how unregister_netdev() was called.
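The ordering problem described above and the effect of the fix, as an added userspace model that is not the driver's or the kernel's own code: every struct and function is a stand-in for its kernel namesake (the NUM_QUEUES count, the priv pointer used in place of netdev_priv(), and the napi_linked/queues_freed flags are constructed for the illustration), and only the teardown ordering is reproduced. The vulnerable path runs xennet_destroy_queues() after unregister_netdev() has zeroed the count, so the netif_napi_del() loop does nothing and the queue array is freed while still linked; the fixed path destroys the queues from ndo_uninit, which unregister_netdev() calls before resetting the count.

```c
#include <stdio.h>
#include <string.h>

/* Added userspace model of the teardown ordering bug in xen/netfront.
 * Every struct and function here is a stand-in for its kernel namesake,
 * not the real implementation; only the ordering is reproduced. */

#define NUM_QUEUES 4   /* constructed queue count for the illustration */

struct netfront_queue {
    int napi_linked;        /* 1 while the NAPI list still points at this queue */
};

struct net_device;
struct net_device_ops {
    void (*ndo_uninit)(struct net_device *dev);
};

struct net_device {
    unsigned int real_num_tx_queues;
    const struct net_device_ops *netdev_ops;
    void *priv;             /* stands in for netdev_priv() */
};

struct netfront_info {
    struct net_device *netdev;
    struct netfront_queue *queues;       /* NULL once "kfree"d, as in the driver */
    struct netfront_queue storage[NUM_QUEUES];
    int queues_freed;
};

/* Same shape as the driver's routine: the netif_napi_del() loop is bounded by
 * real_num_tx_queues, but the kfree of the queue array is unconditional. */
static void xennet_destroy_queues(struct netfront_info *info)
{
    unsigned int i;
    for (i = 0; i < info->netdev->real_num_tx_queues; i++)
        info->queues[i].napi_linked = 0;   /* netif_napi_del(&queue->napi) */
    info->queues_freed = 1;                /* kfree(info->queues) */
    info->queues = NULL;
}

/* unregister_netdev() with the queue counts updated on the unregistration
 * path: ndo_uninit runs first, then real_num_tx_queues is reset to 0. */
static void unregister_netdev(struct net_device *dev)
{
    if (dev->netdev_ops && dev->netdev_ops->ndo_uninit)
        dev->netdev_ops->ndo_uninit(dev);
    dev->real_num_tx_queues = 0;
}

/* Queues whose memory was released while NAPI still links to them; any
 * nonzero result is the dangling state behind the oops. */
static unsigned int freed_but_napi_linked(const struct netfront_info *info)
{
    unsigned int n = 0;
    if (!info->queues_freed)
        return 0;
    for (unsigned int i = 0; i < NUM_QUEUES; i++)
        n += info->storage[i].napi_linked;
    return n;
}

static void setup(struct netfront_info *info, struct net_device *dev,
                  const struct net_device_ops *ops)
{
    memset(info, 0, sizeof *info);
    memset(dev, 0, sizeof *dev);
    for (unsigned int i = 0; i < NUM_QUEUES; i++)
        info->storage[i].napi_linked = 1;  /* netif_napi_add() done at probe */
    info->queues = info->storage;
    info->netdev = dev;
    dev->priv = info;
    dev->real_num_tx_queues = NUM_QUEUES;
    dev->netdev_ops = ops;
}

/* Before the fix: destroy runs after unregister, so the loop bound is 0. */
static const struct net_device_ops ops_before_fix = { .ndo_uninit = NULL };

static unsigned int xennet_remove_before_fix(void)
{
    struct netfront_info info; struct net_device dev;
    setup(&info, &dev, &ops_before_fix);
    unregister_netdev(&dev);            /* real_num_tx_queues -> 0 */
    if (info.queues)
        xennet_destroy_queues(&info);   /* zero iterations, then kfree */
    return freed_but_napi_linked(&info);
}

/* After the fix: ndo_uninit destroys the queues while the count is intact. */
static void xennet_uninit(struct net_device *dev)
{
    xennet_destroy_queues((struct netfront_info *)dev->priv);
}
static const struct net_device_ops ops_after_fix = { .ndo_uninit = xennet_uninit };

static unsigned int xennet_remove_after_fix(void)
{
    struct netfront_info info; struct net_device dev;
    setup(&info, &dev, &ops_after_fix);
    unregister_netdev(&dev);            /* uninit runs with count == NUM_QUEUES */
    if (info.queues)                    /* already NULL: nothing left to do */
        xennet_destroy_queues(&info);
    return freed_but_napi_linked(&info);
}

int main(void)
{
    printf("before fix: %u queues freed while still linked in NAPI\n",
           xennet_remove_before_fix());
    printf("after fix:  %u queues freed while still linked in NAPI\n",
           xennet_remove_after_fix());
    return 0;
}
```

The point the model makes is that the loop bound is a field some other code may have reset during teardown, so a cleanup routine that depends on it must be scheduled before that reset; in the driver this is done by hooking ndo_uninit rather than by reordering xennet_remove(), which is why the fix holds for every caller of unregister_netdev().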
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
NULL Pointer Dereference
Weakness Enumeration
Related Identifiers
Affected Products
Astra Linux
Linux Kernel
Red Os
Suse