NULL Pointer Dereference The advisory has been revoked - it doesn't affect any version of package kernel-ipaclones-internal  (opens in a new tab)


Threat Intelligence

EPSS
0.27% (18th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RHEL8-KERNELIPACLONESINTERNAL-9240894
  • published5 Mar 2025
  • disclosed26 Feb 2025

Introduced: 26 Feb 2025

CVE-2022-49664  (opens in a new tab)
CWE-476  (opens in a new tab)

Amendment

The Red Hat security team deemed this advisory irrelevant for RHEL:8.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-ipaclones-internal package and not the kernel-ipaclones-internal package as distributed by RHEL.

In the Linux kernel, the following vulnerability has been resolved:

tipc: move bc link creation back to tipc_node_create

Shuang Li reported a NULL pointer dereference crash:

[] BUG: kernel NULL pointer dereference, address: 0000000000000068 [] RIP: 0010:tipc_link_is_up+0x5/0x10 [tipc] [] Call Trace: [] <IRQ> [] tipc_bcast_rcv+0xa2/0x190 [tipc] [] tipc_node_bc_rcv+0x8b/0x200 [tipc] [] tipc_rcv+0x3af/0x5b0 [tipc] [] tipc_udp_recv+0xc7/0x1e0 [tipc]

It was caused by the 'l' passed into tipc_bcast_rcv() is NULL. When it creates a node in tipc_node_check_dest(), after inserting the new node into hashtable in tipc_node_create(), it creates the bc link. However, there is a gap between this insert and bc link creation, a bc packet may come in and get the node from the hashtable then try to dereference its bc link, which is NULL.

This patch is to fix it by moving the bc link creation before inserting into the hashtable.

Note that for a preliminary node becoming "real", the bc link creation should also be called before it's rehashed, as we don't create it for preliminary nodes.