CVE-2022-50531
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
07/10/2025
Last modified:
08/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
tipc: fix an information leak in tipc_topsrv_kern_subscr<br />
<br />
Use a 8-byte write to initialize sub.usr_handle in<br />
tipc_topsrv_kern_subscr(), otherwise four bytes remain uninitialized<br />
when issuing setsockopt(..., SOL_TIPC, ...).<br />
This resulted in an infoleak reported by KMSAN when the packet was<br />
received:<br />
<br />
=====================================================<br />
BUG: KMSAN: kernel-infoleak in copyout+0xbc/0x100 lib/iov_iter.c:169<br />
instrument_copy_to_user ./include/linux/instrumented.h:121<br />
copyout+0xbc/0x100 lib/iov_iter.c:169<br />
_copy_to_iter+0x5c0/0x20a0 lib/iov_iter.c:527<br />
copy_to_iter ./include/linux/uio.h:176<br />
simple_copy_to_iter+0x64/0xa0 net/core/datagram.c:513<br />
__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419<br />
skb_copy_datagram_iter+0x58/0x200 net/core/datagram.c:527<br />
skb_copy_datagram_msg ./include/linux/skbuff.h:3903<br />
packet_recvmsg+0x521/0x1e70 net/packet/af_packet.c:3469<br />
____sys_recvmsg+0x2c4/0x810 net/socket.c:?<br />
___sys_recvmsg+0x217/0x840 net/socket.c:2743<br />
__sys_recvmsg net/socket.c:2773<br />
__do_sys_recvmsg net/socket.c:2783<br />
__se_sys_recvmsg net/socket.c:2780<br />
__x64_sys_recvmsg+0x364/0x540 net/socket.c:2780<br />
do_syscall_x64 arch/x86/entry/common.c:50<br />
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80<br />
entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120<br />
<br />
...<br />
<br />
Uninit was stored to memory at:<br />
tipc_sub_subscribe+0x42d/0xb50 net/tipc/subscr.c:156<br />
tipc_conn_rcv_sub+0x246/0x620 net/tipc/topsrv.c:375<br />
tipc_topsrv_kern_subscr+0x2e8/0x400 net/tipc/topsrv.c:579<br />
tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190<br />
tipc_sk_join+0x2a8/0x770 net/tipc/socket.c:3084<br />
tipc_setsockopt+0xae5/0xe40 net/tipc/socket.c:3201<br />
__sys_setsockopt+0x87f/0xdc0 net/socket.c:2252<br />
__do_sys_setsockopt net/socket.c:2263<br />
__se_sys_setsockopt net/socket.c:2260<br />
__x64_sys_setsockopt+0xe0/0x160 net/socket.c:2260<br />
do_syscall_x64 arch/x86/entry/common.c:50<br />
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80<br />
entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120<br />
<br />
Local variable sub created at:<br />
tipc_topsrv_kern_subscr+0x57/0x400 net/tipc/topsrv.c:562<br />
tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190<br />
<br />
Bytes 84-87 of 88 are uninitialized<br />
Memory access of size 88 starts at ffff88801ed57cd0<br />
Data copied to user address 0000000020000400<br />
...<br />
=====================================================
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/3d1b83ff7b6575a4e41283203e6b2e25ea700cd7
- https://git.kernel.org/stable/c/567f8de358b61015dcfb8878a1f06c5369a45f54
- https://git.kernel.org/stable/c/777ecaabd614d47c482a5c9031579e66da13989a
- https://git.kernel.org/stable/c/dbc01c0a4e202a7e925dad1d4b7c1d6eb0c81154
- https://git.kernel.org/stable/c/e558e148938442dd49628cd7ef61c360832bef31
- https://git.kernel.org/stable/c/fef70f978bc289642501d88d2a3f5e841bd31a67