CVE-2022-49207

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/02/2025
Last modified:
01/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Fix memleak in sk_psock_queue_msg

If tcp_bpf_sendmsg is running during a tear down operation we may enqueue
data on the ingress msg queue while tear down is trying to free it.

 sk1 (redirect sk2)                         sk2
 -------------------                        ---------------
 tcp_bpf_sendmsg()
  tcp_bpf_send_verdict()
   tcp_bpf_sendmsg_redir()
    bpf_tcp_ingress()
                                            sock_map_close()
                                             lock_sock()
     lock_sock() ... blocking
                                             sk_psock_stop
                                              sk_psock_clear_state(psock, SK_PSOCK_TX_ENABLED);
                                             release_sock(sk);
     lock_sock()
     sk_mem_charge()
     get_page()
     sk_psock_queue_msg()
      sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED);
       drop_sk_msg()
     release_sock()

While in drop_sk_msg(), the msg has charged memory from sk by sk_mem_charge
and has sg pages that need to be put. To fix we use sk_msg_free() and then kfree()
msg.

This issue can cause the following info:
WARNING: CPU: 0 PID: 9202 at net/core/stream.c:205 sk_stream_kill_queues+0xc8/0xe0
Call Trace:

 inet_csk_destroy_sock+0x55/0x110
 tcp_rcv_state_process+0xe5f/0xe90
 ? sk_filter_trim_cap+0x10d/0x230
 ? tcp_v4_do_rcv+0x161/0x250
 tcp_v4_do_rcv+0x161/0x250
 tcp_v4_rcv+0xc3a/0xce0
 ip_protocol_deliver_rcu+0x3d/0x230
 ip_local_deliver_finish+0x54/0x60
 ip_local_deliver+0xfd/0x110
 ? ip_protocol_deliver_rcu+0x230/0x230
 ip_rcv+0xd6/0x100
 ? ip_local_deliver+0x110/0x110
 __netif_receive_skb_one_core+0x85/0xa0
 process_backlog+0xa4/0x160
 __napi_poll+0x29/0x1b0
 net_rx_action+0x287/0x300
 __do_softirq+0xff/0x2fc
 do_softirq+0x79/0x90


WARNING: CPU: 0 PID: 531 at net/ipv4/af_inet.c:154 inet_sock_destruct+0x175/0x1b0
Call Trace:

 __sk_destruct+0x24/0x1f0
 sk_psock_destroy+0x19b/0x1c0
 process_one_work+0x1b3/0x3c0
 ? process_one_work+0x3c0/0x3c0
 worker_thread+0x30/0x350
 ? process_one_work+0x3c0/0x3c0
 kthread+0xe6/0x110
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork+0x22/0x30
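The accounting error behind this CVE, shown as an added illustration in C. This is not kernel code and not part of the record above: every toy_* name, TOY_PAGE_SIZE and the page/socket structures are constructed stand-ins for struct page, struct sock and struct sk_msg. It replays the outcome of the race (TX_ENABLED already cleared when the redirected message reaches the queue) through the pre-fix drop, which frees the message without returning the socket charge and page references, and through the fixed drop, which releases both first; an audit modelled on the destruct-time checks that raised the WARNINGs reports what is left behind.

```c
#include <stdio.h>
#include <stdlib.h>

#define TOY_SG 3              /* scatterlist entries per message in this model */
#define TOY_PAGE_SIZE 4096    /* constructed page size for the accounting */

/* Constructed stand-ins for struct page, struct sock and struct sk_msg. */
struct toy_page { int refcount; };
struct toy_sock { long forward_alloc; };   /* bytes currently charged to the socket */
struct toy_msg {
    struct toy_page *sg[TOY_SG];
    size_t sg_len[TOY_SG];
    int nr_sg;
};

static void toy_get_page(struct toy_page *p)                { p->refcount++; }
static void toy_put_page(struct toy_page *p)                { p->refcount--; }
static void toy_mem_charge(struct toy_sock *sk, size_t n)   { sk->forward_alloc += n; }
static void toy_mem_uncharge(struct toy_sock *sk, size_t n) { sk->forward_alloc -= n; }

/* Models the sk_mem_charge()/get_page() steps in the timeline: the socket is
 * charged and a page reference is taken for every sg entry of the message. */
static struct toy_msg *toy_ingress_build(struct toy_sock *sk, struct toy_page *pages, int n)
{
    struct toy_msg *msg = calloc(1, sizeof(*msg));
    if (!msg)
        return NULL;
    for (int i = 0; i < n && i < TOY_SG; i++) {
        msg->sg[i] = &pages[i];
        msg->sg_len[i] = TOY_PAGE_SIZE;
        toy_get_page(msg->sg[i]);
        toy_mem_charge(sk, msg->sg_len[i]);
        msg->nr_sg++;
    }
    return msg;
}

/* Pre-fix drop: TX is disabled, so the message is discarded, but the charge
 * and the page references taken above are never returned. */
static void toy_drop_msg_buggy(struct toy_sock *sk, struct toy_msg *msg)
{
    (void)sk;
    free(msg);
}

/* Post-fix drop: release pages and uncharge the socket (the sk_msg_free()
 * step), then free the message itself (the kfree() step). */
static void toy_msg_free(struct toy_sock *sk, struct toy_msg *msg)
{
    for (int i = 0; i < msg->nr_sg; i++) {
        toy_put_page(msg->sg[i]);
        toy_mem_uncharge(sk, msg->sg_len[i]);
    }
}

static void toy_drop_msg_fixed(struct toy_sock *sk, struct toy_msg *msg)
{
    toy_msg_free(sk, msg);
    free(msg);
}

/* Models the destruct-time checks that fire the WARNINGs: nothing may still
 * be charged and no extra page reference may be held. Returns leaked bytes
 * plus dangling page references (0 when the teardown was clean). */
static long toy_destruct_audit(const struct toy_sock *sk, const struct toy_page *pages, int n)
{
    long leaked = sk->forward_alloc;
    for (int i = 0; i < n; i++)
        leaked += pages[i].refcount - 1;   /* 1 = the original owner's reference */
    return leaked;
}

/* Replays the race outcome: sock_map_close() already cleared TX_ENABLED, so
 * sk_psock_queue_msg() drops the message; fixed selects the drop path. */
long toy_teardown_scenario(int fixed)
{
    struct toy_sock sk2 = { 0 };
    struct toy_page pages[TOY_SG] = { {1}, {1}, {1} };
    int tx_enabled = 1;

    struct toy_msg *msg = toy_ingress_build(&sk2, pages, TOY_SG);
    if (!msg)
        return -1;
    tx_enabled = 0;                 /* sk_psock_clear_state(psock, SK_PSOCK_TX_ENABLED) */
    if (!tx_enabled) {              /* sk_psock_test_state() sees TX disabled */
        if (fixed)
            toy_drop_msg_fixed(&sk2, msg);
        else
            toy_drop_msg_buggy(&sk2, msg);
    }
    return toy_destruct_audit(&sk2, pages, TOY_SG);
}

int main(void)
{
    printf("pre-fix drop leaves %ld leaked units\n", toy_teardown_scenario(0));
    printf("fixed drop leaves %ld leaked units\n", toy_teardown_scenario(1));
    return 0;
}
```

With three 4096-byte entries the pre-fix path leaves 12288 charged bytes plus three dangling page references, which is exactly the condition that sk_stream_kill_queues and inet_sock_destruct warn about; the fixed path audits to zero.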

Vulnerable products and versions

CPE                                            From                Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.14 (including)    5.15.33 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.16 (including)    5.16.19 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.17 (including)    5.17.2 (excluding)