CVE-2022-50259
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
15/09/2025
Last modified:
15/09/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
bpf, sockmap: fix race in sock_map_free()<br />
<br />
sock_map_free() calls release_sock(sk) without owning a reference<br />
on the socket. This can cause use-after-free as syzbot found [1]<br />
<br />
Jakub Sitnicki already took care of a similar issue<br />
in sock_hash_free() in commit 75e68e5bf2c7 ("bpf, sockhash:<br />
Synchronize delete from bucket list on map free")<br />
<br />
[1]<br />
refcount_t: decrement hit 0; leaking memory.<br />
WARNING: CPU: 0 PID: 3785 at lib/refcount.c:31 refcount_warn_saturate+0x17c/0x1a0 lib/refcount.c:31<br />
Modules linked in:<br />
CPU: 0 PID: 3785 Comm: kworker/u4:6 Not tainted 6.1.0-rc7-syzkaller-00103-gef4d3ea40565 #0<br />
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022<br />
Workqueue: events_unbound bpf_map_free_deferred<br />
RIP: 0010:refcount_warn_saturate+0x17c/0x1a0 lib/refcount.c:31<br />
Code: 68 8b 31 c0 e8 75 71 15 fd 0f 0b e9 64 ff ff ff e8 d9 6e 4e fd c6 05 62 9c 3d 0a 01 48 c7 c7 80 bb 68 8b 31 c0 e8 54 71 15 fd 0b e9 43 ff ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c a2 fe ff<br />
RSP: 0018:ffffc9000456fb60 EFLAGS: 00010246<br />
RAX: eae59bab72dcd700 RBX: 0000000000000004 RCX: ffff8880207057c0<br />
RDX: 0000000000000000 RSI: 0000000000000201 RDI: 0000000000000000<br />
RBP: 0000000000000004 R08: ffffffff816fdabd R09: fffff520008adee5<br />
R10: fffff520008adee5 R11: 1ffff920008adee4 R12: 0000000000000004<br />
R13: dffffc0000000000 R14: ffff88807b1c6c00 R15: 1ffff1100f638dcf<br />
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000<br />
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
CR2: 0000001b30c30000 CR3: 000000000d08e000 CR4: 00000000003506f0<br />
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br />
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br />
Call Trace:<br />
<br />
__refcount_dec include/linux/refcount.h:344 [inline]<br />
refcount_dec include/linux/refcount.h:359 [inline]<br />
__sock_put include/net/sock.h:779 [inline]<br />
tcp_release_cb+0x2d0/0x360 net/ipv4/tcp_output.c:1092<br />
release_sock+0xaf/0x1c0 net/core/sock.c:3468<br />
sock_map_free+0x219/0x2c0 net/core/sock_map.c:356<br />
process_one_work+0x81c/0xd10 kernel/workqueue.c:2289<br />
worker_thread+0xb14/0x1330 kernel/workqueue.c:2436<br />
kthread+0x266/0x300 kernel/kthread.c:376<br />
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306<br />
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0a182f8d607464911756b4dbef5d6cad8de22469
- https://git.kernel.org/stable/c/4cabc3af4a6f36c222fecb15858c1060e59218e7
- https://git.kernel.org/stable/c/5c3568166129bc73fd6b37748d2d8f95cd8f22f3
- https://git.kernel.org/stable/c/a443c55d96dede82a724df6e70a318ad15c199e1
- https://git.kernel.org/stable/c/be719496ae6a7fc325e9e5056a52f63ebc84cc0c
- https://git.kernel.org/stable/c/e8b2b392a646bf5cb9413c1cc7a39d99c1b65a62