A vulnerability identified as CVE-2022-49346 has been resolved in the Linux kernel, specifically in the net: dsa: lantiq_gswip component. It involved a refcount leak in gswip_gphy_fw_list, which has now been fixed. This post discusses the details of the vulnerability, including a code snippet, and provides links to original references for further information.
Vulnerability Details
The vulnerability was discovered in the net: dsa: lantiq_gswip component of the Linux kernel, which manages Ethernet switches. The issue was a refcount leak in gswip_gphy_fw_list, which could lead to a DoS (Denial of Service) condition on an affected system.
The problem comes from the fact that every iteration of for_each_available_child_of_node() decrements the reference count of the previous node. When breaking early from a for_each_available_child_of_node() loop, it is necessary to explicitly call of_node_put() on the gphy_fw_np. The missing of_node_put() call was causing the refcount leak, leading to the vulnerability.
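The early-break leak described above, modelled in userspace C as an added example (not kernel code and not part of the original post). The names node_get, node_put, next_child and for_each_child are hypothetical stand-ins for the kernel's of_node_get(), of_node_put() and the for_each_available_child_of_node() iterator, and the three-child tree is constructed sample data.

```c
#include <stdio.h>
/* Userspace model, constructed for illustration; not kernel code. */
struct node {
    int refcount;
    struct node *child;   /* first child */
    struct node *sibling; /* next sibling */
};

static void node_get(struct node *n) { if (n) n->refcount++; }
static void node_put(struct node *n) { if (n) n->refcount--; }

/* Models the iterator step: reference the next child, drop the previous one. */
static struct node *next_child(struct node *parent, struct node *prev)
{
    struct node *next = prev ? prev->sibling : parent->child;
    node_get(next);
    node_put(prev);
    return next;
}

#define for_each_child(parent, c) \
    for (c = next_child(parent, NULL); c; c = next_child(parent, c))

/* Walk three children, break at index stop_at; return references left over. */
static int leaked_refs(int stop_at, int put_on_break)
{
    struct node kids[3] = { {1, NULL, &kids[1]}, {1, NULL, &kids[2]}, {1, NULL, NULL} };
    struct node parent = { 1, &kids[0], NULL };
    struct node *c;
    int i = 0, leaked = 0;
    for_each_child(&parent, c) {
        if (i++ == stop_at) {
            if (put_on_break)
                node_put(c); /* drop the iterator's reference before leaving */
            break;
        }
    }
    for (i = 0; i < 3; i++)
        leaked += kids[i].refcount - 1; /* each node starts at 1 */
    return leaked;
}

int main(void)
{
    printf("early break, no put: %d leaked\n", leaked_refs(1, 0));
    printf("early break, put:    %d leaked\n", leaked_refs(1, 1));
    printf("full iteration:      %d leaked\n", leaked_refs(99, 0));
    return 0;
}
```

A loop that runs to completion balances itself because the final iterator step drops the last child's reference; only the early exit needs the explicit put.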
Below is a code snippet of the patch that fixes this vulnerability:
--- a/drivers/net/dsa/lantiq_gswip.c
+++ b/drivers/net/dsa/lantiq_gswip.c
@@ -865,6 +865,7 @@ static int gswip_gsw_probe(struct platform_device *pdev)
if (of_get_available_child_count(gphy_fw_np) != GSWIP_PORTS) {
dev_err(gsw->dev, "gphy-fw list contains too many entries\n");
of_node_put(gphy_fw_np);
+ of_node_put(gswip_gsw_fw_node);
return -EINVAL;
}
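Review bot: the added of_node_put(gswip_gsw_fw_node) does not match the fix the surrounding text describes. The text places the leak in gswip_gphy_fw_list, on an early break out of a for_each_available_child_of_node() loop, with the put owed on gphy_fw_np; this hunk sits in gswip_gsw_probe, shows no loop or break, and already calls of_node_put(gphy_fw_np) on the line above the addition. Nothing in the visible lines shows where a reference on gswip_gsw_fw_node is taken, so the extra put cannot be checked for balance from this hunk alone, and an unbalanced put would be its own refcount bug. Compare the hunk against the upstream commit linked under Original References before relying on it.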
In this snippet, the missing of_node_put() call has been added to avoid the refcount leak and resolve the vulnerability.
Original References
For more information about this vulnerability and the patch that fixes it, refer to the following resources:
1. Linux Kernel Patch: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=a9b6d91892ee29d8e7208e8a98a1bc52ffd9071d
2. Linux Weekly News Archive: https://lwn.net/Articles/890392/
Conclusion
The CVE-2022-49346 vulnerability in the Linux kernel's net: dsa: lantiq_gswip component has been fixed via a patch that addresses the refcount leak issue in gswip_gphy_fw_list. Linux kernel maintainers and developers using the affected component should apply the appropriate patch to prevent any potential security issues related to this vulnerability.
Timeline
Published on: 02/26/2025 07:01:11 UTC
Last modified on: 05/04/2025 08:35:46 UTC