ACK: [SRU][J][PATCH 0/1] CVE-2022-49390

Sarah Emery sarah.emery at canonical.com
Thu Oct 16 13:59:20 UTC 2025 

On Tue, 14 Oct 2025 at 16:21, Massimiliano Pellizzer <
massimiliano.pellizzer at canonical.com> wrote:

> https://ubuntu.com/security/CVE-2022-49390
>
> [ Impact ]
>
> macsec: fix UAF bug for real_dev
>
> Creating a new macsec device without getting a reference to real_dev may
> trigger a use-after-free bug.
>
> [ Fix ]
>
> Backport commit 2bce1ebed17d (macsec: fix refcnt leak in module exit
> routine)
> from mainline.
>
> [ Test Plan ]
>
> Compile and boot tested.
> Tested basic macsec functionalities:
>
> $ unshare --map-root-user --net
> # ip link add dummy0 type dummy
> # ip link set dummy0 up
> # ip link add link dummy0 name macsec0 type macsec
> # ip link set macsec0 up
> # ip a
> 1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> 2: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state
> UNKNOWN group default qlen 1000
>     link/ether aa:ca:71:b5:0f:dd brd ff:ff:ff:ff:ff:ff
>     inet6 fe80::a8ca:71ff:feb5:fdd/64 scope link
>        valid_lft forever preferred_lft forever
> 3: macsec0 at dummy0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1468 qdisc
> noqueue state UP group default qlen 1000
>     link/ether aa:ca:71:b5:0f:dd brd ff:ff:ff:ff:ff:ff
>     inet6 fe80::a8ca:71ff:feb5:fdd/64 scope link tentative
>        valid_lft forever preferred_lft forever
> # ip link del dummy0
> # ip a
> 1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>
> [ Regression Potential ]
>
> The fix affects macsec's device handling of the lower (real) net_device
> lifetime. An issue with this patch may introduce refcount leaks that
> prevent lower devices from being freed, or incorrect release ordering
> that re-introduces use-after-free and breaks interface teardown.
>
> Ziyang Xuan (1):
>   macsec: fix UAF bug for real_dev
>
>  drivers/net/macsec.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> --
> 2.48.1
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team


Acked-by: Sarah Emery <sarah.emery at canonical.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20251016/dadb6c1c/attachment.html>

More information about the kernel-team mailing list