VYPR
Unrated severity · NVD Advisory · Published Dec 30, 2025 · Updated Apr 15, 2026

CVE-2022-50877

Description

In the Linux kernel, the following vulnerability has been resolved:

net: broadcom: bcm4908_enet: update TX stats after actual transmission

Queueing packets doesn't guarantee their transmission. Update TX stats after hardware confirms consuming submitted data.

This also fixes a possible race and NULL dereference. bcm4908_enet_start_xmit() could try to access skb after freeing it in the bcm4908_enet_poll_tx().

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A race in the bcm4908_enet TX path could let bcm4908_enet_start_xmit() access an skb that bcm4908_enet_poll_tx() had already freed, risking a NULL dereference.

Vulnerability

A race condition exists in the Broadcom BCM4908 Ethernet driver (bcm4908_enet) in the Linux kernel. The bcm4908_enet_start_xmit() function could try to access a socket buffer (skb) after bcm4908_enet_poll_tx() had already freed it, leading to a use-after-free and potential NULL pointer dereference. The root cause is that TX statistics were updated when packets were queued, not after actual transmission by the hardware [1].

Exploitation

An attacker with local access and the ability to send network packets over a BCM4908 interface could trigger this race. By carefully timing packet transmissions, the attacker could cause bcm4908_enet_start_xmit() to access an skb that had already been freed by bcm4908_enet_poll_tx(), resulting in a NULL dereference or other memory corruption [1].

Impact

Successful exploitation could lead to a denial of service (system crash) due to the NULL pointer dereference. In some configurations, it might be possible to escalate privileges or leak sensitive information, though the primary impact is system instability [1].

Mitigation

The fix moves TX statistics updates to after hardware confirms consumption of submitted data, eliminating the race condition. The patch has been applied to the Linux kernel stable branches [1]. Users should update to a kernel version containing the commit ef3556ee16c6 or later.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
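
The ownership rule behind the fix, as an added example that is not the driver's code or the upstream patch: a userspace C model of a TX ring in which the completion path, not the submit path, reads the packet length and updates the counters. All names (`tx_ring`, `ring_xmit`, `ring_poll_tx`, `pkt_alloc`) are hypothetical.

```c
/* Userspace model of a TX ring; hypothetical names, not the driver's code. */
#include <stdlib.h>
#include <stddef.h>

#define RING_SIZE 4

struct pkt { size_t len; };                  /* stands in for an skb */
struct tx_stats { unsigned long packets, bytes; };
struct tx_ring {
    struct pkt *slot[RING_SIZE];             /* buffers handed to "hardware" */
    unsigned head, tail;                     /* next submit / next completion */
    struct tx_stats stats;
};

/* Allocate a packet of the given length (constructed sample input). */
struct pkt *pkt_alloc(size_t len)
{
    struct pkt *p = malloc(sizeof(*p));
    if (p)
        p->len = len;
    return p;
}

/* Submit path: once the slot is published, the completion path owns p. */
int ring_xmit(struct tx_ring *r, struct pkt *p)
{
    if (r->head - r->tail == RING_SIZE)
        return -1;                           /* ring full, caller still owns p */
    r->slot[r->head++ % RING_SIZE] = p;
    /* Pre-fix pattern: reading p->len here to bump the counters. The
     * completion path may already have freed p, so it is not touched. */
    return 0;
}

/* Completion path: "hardware" reports up to `done` consumed buffers. */
unsigned ring_poll_tx(struct tx_ring *r, unsigned done)
{
    unsigned n = 0;
    while (n < done && r->tail != r->head) {
        unsigned i = r->tail % RING_SIZE;
        struct pkt *p = r->slot[i];
        r->slot[i] = NULL;
        r->tail++;
        r->stats.packets++;                  /* count confirmed transmissions only */
        r->stats.bytes += p->len;            /* read len while p is still owned */
        free(p);
        n++;
    }
    return n;
}
```

Queued packets stay uncounted until `ring_poll_tx()` confirms them, and nothing dereferences the packet after it has been handed over.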

Affected products: 1

Patches: 3

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3
