PT-2024-8460 · Linux · Linux Kernel

Jonathan Toppins · Published 2022-09-22 · Updated 2025-09-18

CVE-2022-48640

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Linux kernel versions prior to 6.0.0-rc4-00133-g64ae13ed4784

Description

The vulnerability is a NULL pointer dereference in the bond_rr_gen_slave_id function of the bonding driver. When a bond is created with an initial mode other than 0 (Round Robin), the memory for the round-robin transmit counter is never allocated. When the mode is later changed, nothing verifies that this memory has been allocated, so the NULL counter pointer is dereferenced. On an aarch64 machine this causes a kernel Oops.

Recommendations

To resolve this issue, update the Linux kernel to a version that includes the fix for the bond_rr_gen_slave_id function; specifically, update to a version later than 6.0.0-rc4-00133-g64ae13ed4784.

As a temporary workaround, consider disabling the bond_rr_gen_slave_id function until a patch is available. However, this may have performance implications and should be carefully evaluated before implementation.

It is also recommended to restrict access to the bonding module to minimize the risk of exploitation until the issue is resolved.

Note: The provided information does not specify the exact version that includes the fix, so it is recommended to update to the latest available version of the Linux kernel.
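The sequence in the description (a bond created in a mode other than Round Robin, the mode switched later, the counter then used without any allocation check), replayed as a small user-space model in C. This is an added illustration, not the bonding driver's code and not the upstream fix: the type and function names (struct bond, rr_tx_counter, rr_gen_slave_id, bond_set_mode_checked, replay_vulnerable) and the two-slave bond are assumptions chosen for the example, and a NULL counter is reported as a -1 return so the model runs in user space instead of faulting. The hardened variant shows one defensive pattern consistent with the description: allocate the counter whenever a bond enters Round Robin mode, and reject the mode change if the allocation fails.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Mode numbers follow the advisory: 0 is Round Robin. Other values are
 * placeholders for this model, not the driver's full mode table. */
enum bond_mode { MODE_ROUNDROBIN = 0, MODE_ACTIVEBACKUP = 1 };

/* Minimal stand-in for the per-bond state the description refers to
 * (names are assumptions for illustration, not kernel definitions). */
struct bond {
    enum bond_mode mode;
    unsigned int slave_cnt;
    uint32_t *rr_tx_counter; /* round-robin transmit counter; NULL unless allocated */
};

/* Creation: the counter is allocated only when the initial mode is Round
 * Robin. This is the behaviour the advisory describes; both variants
 * below share it, and they differ only in what happens on a mode change. */
static int bond_create(struct bond *b, enum bond_mode initial, unsigned int slaves)
{
    b->mode = initial;
    b->slave_cnt = slaves;
    b->rr_tx_counter = NULL;
    if (initial == MODE_ROUNDROBIN) {
        b->rr_tx_counter = calloc(1, sizeof *b->rr_tx_counter);
        if (!b->rr_tx_counter)
            return -1;
    }
    return 0;
}

/* Vulnerable pattern: the mode changes but the counter is never revisited. */
static void bond_set_mode_unchecked(struct bond *b, enum bond_mode m)
{
    b->mode = m;
}

/* Hardened pattern: entering Round Robin guarantees the counter exists, and
 * an allocation failure rejects the mode change instead of leaving NULL. */
static int bond_set_mode_checked(struct bond *b, enum bond_mode m)
{
    if (m == MODE_ROUNDROBIN && !b->rr_tx_counter) {
        b->rr_tx_counter = calloc(1, sizeof *b->rr_tx_counter);
        if (!b->rr_tx_counter)
            return -1;
    }
    b->mode = m;
    return 0;
}

/* Model of the slave-id generator: post-increment the counter and reduce it
 * modulo the number of slaves. A NULL counter is reported as -1 here; in the
 * driver that read is the NULL dereference that produces the Oops. */
static int rr_gen_slave_id(struct bond *b)
{
    if (b->slave_cnt == 0 || b->rr_tx_counter == NULL)
        return -1;
    uint32_t n = (*b->rr_tx_counter)++;
    return (int)(n % b->slave_cnt);
}

static void bond_destroy(struct bond *b)
{
    free(b->rr_tx_counter);
    b->rr_tx_counter = NULL;
}

/* Replays the advisory's sequence against the vulnerable pattern: create the
 * bond in a non-RR mode, switch to RR, then ask for a slave id. Returns -1,
 * the model's stand-in for the NULL dereference. */
int replay_vulnerable(void)
{
    struct bond b;
    if (bond_create(&b, MODE_ACTIVEBACKUP, 2) != 0)
        return -2;
    bond_set_mode_unchecked(&b, MODE_ROUNDROBIN);
    int id = rr_gen_slave_id(&b);
    bond_destroy(&b);
    return id;
}

/* Same sequence against the hardened pattern, asking for `calls` slave ids
 * over a two-slave bond; returns the last id handed out (0, 1, 0, 1, ...). */
int replay_hardened(unsigned int calls)
{
    struct bond b;
    if (bond_create(&b, MODE_ACTIVEBACKUP, 2) != 0)
        return -2;
    if (bond_set_mode_checked(&b, MODE_ROUNDROBIN) != 0) {
        bond_destroy(&b);
        return -3;
    }
    int id = -1;
    for (unsigned int i = 0; i < calls; i++)
        id = rr_gen_slave_id(&b);
    bond_destroy(&b);
    return id;
}

int main(void)
{
    printf("vulnerable pattern: slave id %d (NULL counter)\n", replay_vulnerable());
    printf("hardened pattern: slave ids %d %d %d\n",
           replay_hardened(1), replay_hardened(2), replay_hardened(3));
    return 0;
}
```

The point of the model is where the check lives: guarding the generator alone would still leave a bond in Round Robin mode with no counter, so the hardened variant makes the mode transition itself responsible for establishing the invariant that the counter exists whenever the mode is Round Robin.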

Weakness Enumeration

NULL Pointer Dereference

Related Identifiers

BDU:2024-10020
CVE-2022-48640
OPENSUSE-SU-2024_1644-1
OPENSUSE-SU-2024_1659-1
OPENSUSE-SU-2024_1663-1
SUSE-SU-2024:1644-1
SUSE-SU-2024:1659-1
SUSE-SU-2024:1663-1

Affected Products

Astra Linux
Linux Kernel
Red Os
Suse