CVE-2022-48690 - Vulnerability Details - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: ice: Fix DMA mappings leak Fix leak, when user changes ring parameters. During reallocation of RX buffers, new DMA mappings are created for those buffers. New buffers with different RX ring count should substitute older ones, but those buffers were freed in ice_vsi_cfg_rxq and reallocated again with ice_alloc_rx_buf. kfree on rx_buf caused leak of already mapped DMA. Reallocate ZC with xdp_buf struct, when BPF program loads. Reallocate back to rx_buf, when BPF program unloads. If BPF program is loaded/unloaded and XSK pools are created, reallocate RX queues accordingly in XDP_SETUP_XSK_POOL handler. Steps for reproduction: while : do for ((i=0; i<=8160; i=i+32)) do ethtool -G enp130s0f0 rx $i tx $i sleep 0.5 ethtool -g enp130s0f0 done done

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Linux	Linux Kernel

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/07f40e9f0ff342eb3e97d5c544783b7cb641689c
https://git.kernel.org/stable/c/7e753eb675f0523207b184558638ee2eed6c9ac2
https://lore.kernel.org/linux-cve-announce/2024050346-CVE-2022-48690-53bc@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2022-48690
https://www.cve.org/CVERecord?id=CVE-2022-48690

History

No history.

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-05-03T17:44:31.180Z

Updated: 2025-05-04T08:21:08.464Z

Reserved: 2024-05-03T14:55:07.144Z

Link: CVE-2022-48690

Vulnrichment

Updated: 2024-08-03T15:17:55.727Z

NVD

Status : Awaiting Analysis

Published: 2024-05-03T18:15:08.167

Modified: 2024-11-21T07:33:47.507

Link: CVE-2022-48690

Redhat

Severity : Low

Publid Date: 2024-05-03T00:00:00Z

Links: CVE-2022-48690 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-48690", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-05-03T14:55:07.144Z", "datePublished": "2024-05-03T17:44:31.180Z", "dateUpdated": "2025-05-04T08:21:08.464Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:21:08.464Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix DMA mappings leak\n\nFix leak, when user changes ring parameters.\nDuring reallocation of RX buffers, new DMA mappings are created for\nthose buffers. New buffers with different RX ring count should\nsubstitute older ones, but those buffers were freed in ice_vsi_cfg_rxq\nand reallocated again with ice_alloc_rx_buf. kfree on rx_buf caused\nleak of already mapped DMA.\nReallocate ZC with xdp_buf struct, when BPF program loads. Reallocate\nback to rx_buf, when BPF program unloads.\nIf BPF program is loaded/unloaded and XSK pools are created, reallocate\nRX queues accordingly in XDP_SETUP_XSK_POOL handler.\n\nSteps for reproduction:\nwhile :\ndo\n\tfor ((i=0; i<=8160; i=i+32))\n\tdo\n\t\tethtool -G enp130s0f0 rx $i tx $i\n\t\tsleep 0.5\n\t\tethtool -g enp130s0f0\n\tdone\ndone"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/intel/ice/ice_base.c", "drivers/net/ethernet/intel/ice/ice_main.c", "drivers/net/ethernet/intel/ice/ice_xsk.c", "drivers/net/ethernet/intel/ice/ice_xsk.h"], "versions": [{"version": "617f3e1b588c802517c236087561c6bcb0b4afd6", "lessThan": "07f40e9f0ff342eb3e97d5c544783b7cb641689c", "status": "affected", "versionType": "git"}, {"version": "617f3e1b588c802517c236087561c6bcb0b4afd6", "lessThan": "7e753eb675f0523207b184558638ee2eed6c9ac2", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/intel/ice/ice_base.c", "drivers/net/ethernet/intel/ice/ice_main.c", "drivers/net/ethernet/intel/ice/ice_xsk.c", "drivers/net/ethernet/intel/ice/ice_xsk.h"], "versions": [{"version": "5.16", "status": "affected"}, {"version": "0", "lessThan": "5.16", "status": "unaffected", "versionType": "semver"}, {"version": "5.19.9", "lessThanOrEqual": "5.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "5.19.9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/07f40e9f0ff342eb3e97d5c544783b7cb641689c"}, {"url": "https://git.kernel.org/stable/c/7e753eb675f0523207b184558638ee2eed6c9ac2"}], "title": "ice: Fix DMA mappings leak", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-17T17:39:48.743720Z", "id": "CVE-2022-48690", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-17T17:44:28.370Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T15:17:55.727Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/07f40e9f0ff342eb3e97d5c544783b7cb641689c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/7e753eb675f0523207b184558638ee2eed6c9ac2", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/07f40e9f0ff342eb3e97d5c544783b7cb641689c", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/7e753eb675f0523207b184558638ee2eed6c9ac2", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T15:17:55.727Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-48690", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-17T17:39:48.743720Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-17T17:39:49.705Z"}}], "cna": {"title": "ice: Fix DMA mappings leak", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "617f3e1b588c802517c236087561c6bcb0b4afd6", "lessThan": "07f40e9f0ff342eb3e97d5c544783b7cb641689c", "versionType": "git"}, {"status": "affected", "version": "617f3e1b588c802517c236087561c6bcb0b4afd6", "lessThan": "7e753eb675f0523207b184558638ee2eed6c9ac2", "versionType": "git"}], "programFiles": ["drivers/net/ethernet/intel/ice/ice_base.c", "drivers/net/ethernet/intel/ice/ice_main.c", "drivers/net/ethernet/intel/ice/ice_xsk.c", "drivers/net/ethernet/intel/ice/ice_xsk.h"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.16"}, {"status": "unaffected", "version": "0", "lessThan": "5.16", "versionType": "semver"}, {"status": "unaffected", "version": "5.19.9", "versionType": "semver", "lessThanOrEqual": "5.19.*"}, {"status": "unaffected", "version": "6.0", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["drivers/net/ethernet/intel/ice/ice_base.c", "drivers/net/ethernet/intel/ice/ice_main.c", "drivers/net/ethernet/intel/ice/ice_xsk.c", "drivers/net/ethernet/intel/ice/ice_xsk.h"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/07f40e9f0ff342eb3e97d5c544783b7cb641689c"}, {"url": "https://git.kernel.org/stable/c/7e753eb675f0523207b184558638ee2eed6c9ac2"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix DMA mappings leak\n\nFix leak, when user changes ring parameters.\nDuring reallocation of RX buffers, new DMA mappings are created for\nthose buffers. New buffers with different RX ring count should\nsubstitute older ones, but those buffers were freed in ice_vsi_cfg_rxq\nand reallocated again with ice_alloc_rx_buf. kfree on rx_buf caused\nleak of already mapped DMA.\nReallocate ZC with xdp_buf struct, when BPF program loads. Reallocate\nback to rx_buf, when BPF program unloads.\nIf BPF program is loaded/unloaded and XSK pools are created, reallocate\nRX queues accordingly in XDP_SETUP_XSK_POOL handler.\n\nSteps for reproduction:\nwhile :\ndo\n\tfor ((i=0; i<=8160; i=i+32))\n\tdo\n\t\tethtool -G enp130s0f0 rx $i tx $i\n\t\tsleep 0.5\n\t\tethtool -g enp130s0f0\n\tdone\ndone"}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.19.9", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.0", "versionStartIncluding": "5.16"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:21:08.464Z"}}}, "cveMetadata": {"cveId": "CVE-2022-48690", "state": "PUBLISHED", "dateUpdated": "2025-05-04T08:21:08.464Z", "dateReserved": "2024-05-03T14:55:07.144Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-05-03T17:44:31.180Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix DMA mappings leak\n\nFix leak, when user changes ring parameters.\nDuring reallocation of RX buffers, new DMA mappings are created for\nthose buffers. New buffers with different RX ring count should\nsubstitute older ones, but those buffers were freed in ice_vsi_cfg_rxq\nand reallocated again with ice_alloc_rx_buf. kfree on rx_buf caused\nleak of already mapped DMA.\nReallocate ZC with xdp_buf struct, when BPF program loads. Reallocate\nback to rx_buf, when BPF program unloads.\nIf BPF program is loaded/unloaded and XSK pools are created, reallocate\nRX queues accordingly in XDP_SETUP_XSK_POOL handler.\n\nSteps for reproduction:\nwhile :\ndo\n\tfor ((i=0; i<=8160; i=i+32))\n\tdo\n\t\tethtool -G enp130s0f0 rx $i tx $i\n\t\tsleep 0.5\n\t\tethtool -g enp130s0f0\n\tdone\ndone"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ice: Reparar fuga de asignaciones DMA. Reparar fuga cuando el usuario cambia los par\u00e1metros del anillo. Durante la reasignaci\u00f3n de b\u00faferes RX, se crean nuevas asignaciones DMA para esos b\u00faferes. Los nuevos b\u00faferes con diferente n\u00famero de anillos RX deber\u00edan sustituir a los m\u00e1s antiguos, pero esos b\u00faferes se liberaron en ice_vsi_cfg_rxq y se reasignaron nuevamente con ice_alloc_rx_buf. kfree en rx_buf provoc\u00f3 una fuga de DMA ya mapeado. Reasigne ZC con la estructura xdp_buf, cuando se cargue el programa BPF. Reasigne nuevamente a rx_buf, cuando se descargue el programa BPF. Si se carga/descarga el programa BPF y se crean grupos XSK, reasigne las colas RX en consecuencia en el controlador XDP_SETUP_XSK_POOL. Pasos para la reproducci\u00f3n: while: do for ((i=0; i<=8160; i=i+32)) do ethtool -G enp130s0f0 rx $i tx $i sleep 0.5 ethtool -g enp130s0f0 done done"}], "id": "CVE-2022-48690", "lastModified": "2024-11-21T07:33:47.507", "metrics": {}, "published": "2024-05-03T18:15:08.167", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/07f40e9f0ff342eb3e97d5c544783b7cb641689c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7e753eb675f0523207b184558638ee2eed6c9ac2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/07f40e9f0ff342eb3e97d5c544783b7cb641689c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/7e753eb675f0523207b184558638ee2eed6c9ac2"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: ice: Fix DMA mappings leak", "id": "2279001", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2279001"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nice: Fix DMA mappings leak\nFix leak, when user changes ring parameters.\nDuring reallocation of RX buffers, new DMA mappings are created for\nthose buffers. New buffers with different RX ring count should\nsubstitute older ones, but those buffers were freed in ice_vsi_cfg_rxq\nand reallocated again with ice_alloc_rx_buf. kfree on rx_buf caused\nleak of already mapped DMA.\nReallocate ZC with xdp_buf struct, when BPF program loads. Reallocate\nback to rx_buf, when BPF program unloads.\nIf BPF program is loaded/unloaded and XSK pools are created, reallocate\nRX queues accordingly in XDP_SETUP_XSK_POOL handler.\nSteps for reproduction:\nwhile :\ndo\nfor ((i=0; i<=8160; i=i+32))\ndo\nethtool -G enp130s0f0 rx $i tx $i\nsleep 0.5\nethtool -g enp130s0f0\ndone\ndone"], "name": "CVE-2022-48690", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-05-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-48690\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-48690\nhttps://lore.kernel.org/linux-cve-announce/2024050346-CVE-2022-48690-53bc@gregkh/T"], "threat_severity": "Low"}