CVE-2022-50003
Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 18/06/2025
Last modified: 14/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

ice: xsk: prohibit usage of non-balanced queue id

Fix the following scenario:
1. ethtool -L $IFACE rx 8 tx 96
2. xdpsock -q 10 -t -z

Above refers to a case where user would like to attach XSK socket in
txonly mode at a queue id that does not have a corresponding Rx queue.
At this moment ice's XSK logic is tightly bound to act on a "queue pair",
e.g. both Tx and Rx queues at a given queue id are disabled/enabled and
both of them will get XSK pool assigned, which is broken for the presented
queue configuration. This results in the splat included at the bottom,
which is basically an OOB access to Rx ring array.

To fix this, allow using the ids only in scope of "combined" queues
reported by ethtool. However, logic should be rewritten to allow such
configurations later on, which would end up as a complete rewrite of the
control path, so let us go with this temporary fix.

[420160.558008] BUG: kernel NULL pointer dereference, address: 0000000000000082
[420160.566359] #PF: supervisor read access in kernel mode
[420160.572657] #PF: error_code(0x0000) - not-present page
[420160.579002] PGD 0 P4D 0
[420160.582756] Oops: 0000 [#1] PREEMPT SMP NOPTI
[420160.588396] CPU: 10 PID: 21232 Comm: xdpsock Tainted: G OE 5.19.0-rc7+ #10
[420160.597893] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019
[420160.609894] RIP: 0010:ice_xsk_pool_setup+0x44/0x7d0 [ice]
[420160.616968] Code: f3 48 83 ec 40 48 8b 4f 20 48 8b 3f 65 48 8b 04 25 28 00 00 00 48 89 44 24 38 31 c0 48 8d 04 ed 00 00 00 00 48 01 c1 48 8b 11 b7 92 82 00 00 00 48 85 d2 0f 84 2d 75 00 00 48 8d 72 ff 48 85
[420160.639421] RSP: 0018:ffffc9002d2afd48 EFLAGS: 00010282
[420160.646650] RAX: 0000000000000050 RBX: ffff88811d8bdd00 RCX: ffff888112c14ff8
[420160.655893] RDX: 0000000000000000 RSI: ffff88811d8bdd00 RDI: ffff888109861000
[420160.665166] RBP: 000000000000000a R08: 000000000000000a R09: 0000000000000000
[420160.674493] R10: 000000000000889f R11: 0000000000000000 R12: 000000000000000a
[420160.683833] R13: 000000000000000a R14: 0000000000000000 R15: ffff888117611828
[420160.693211] FS: 00007fa869fc1f80(0000) GS:ffff8897e0880000(0000) knlGS:0000000000000000
[420160.703645] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[420160.711783] CR2: 0000000000000082 CR3: 00000001d076c001 CR4: 00000000007706e0
[420160.721399] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[420160.731045] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[420160.740707] PKRU: 55555554
[420160.745960] Call Trace:
[420160.750962]
[420160.755597] ? kmalloc_large_node+0x79/0x90
[420160.762703] ? __kmalloc_node+0x3f5/0x4b0
[420160.769341] xp_assign_dev+0xfd/0x210
[420160.775661] ? shmem_file_read_iter+0x29a/0x420
[420160.782896] xsk_bind+0x152/0x490
[420160.788943] __sys_bind+0xd0/0x100
[420160.795097] ? exit_to_user_mode_prepare+0x20/0x120
[420160.802801] __x64_sys_bind+0x16/0x20
[420160.809298] do_syscall_64+0x38/0x90
[420160.815741] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[420160.823731] RIP: 0033:0x7fa86a0dd2fb
[420160.830264] Code: c3 66 0f 1f 44 00 00 48 8b 15 69 8b 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bc 0f 1f 44 00 00 f3 0f 1e fa b8 31 00 00 00 0f 05 3d 01 f0 ff ff 73 01 c3 48 8b 0d 3d 8b 0c 00 f7 d8 64 89 01 48
[420160.855410] RSP: 002b:00007ffc1146f618 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
[420160.866366] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa86a0dd2fb
[420160.876957] RDX: 0000000000000010 RSI: 00007ffc1146f680 RDI: 0000000000000003
[420160.887604] RBP: 000055d7113a0520 R08: 00007fa868fb8000 R09: 0000000080000000
[420160.898293] R10: 0000000000008001 R11: 0000000000000246 R12: 000055d7113a04e0
[420160.909038] R13: 000055d7113a0320 R14: 000000000000000a R15: 0000000000000000
[420160.919817]
[420160.925659] Modules linked in: ice(OE) af_packet binfmt_misc
---truncated---
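
The check the description calls for, restricting XSK queue ids to the "combined" range, shown as an added user-space model in C; it is not the ice driver's code, and `vsi_model`, `pool_setup_checked` and `demo_bind` are hypothetical names. The constructed configuration mirrors the scenario above (rx 8, tx 96, queue id 10).

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#define MAX_Q 128                     /* model limit, not a driver constant */
struct ring { int has_xsk_pool; };
/* Hypothetical, simplified stand-in for the driver's per-interface state. */
struct vsi_model {
    unsigned int num_rxq, num_txq;    /* as set by: ethtool -L $IFACE rx N tx M */
    struct ring **rx_rings, **tx_rings;
};

/* Queue ids below this value have both an Rx and a Tx ring. */
static unsigned int combined_queues(const struct vsi_model *v)
{
    return v->num_rxq < v->num_txq ? v->num_rxq : v->num_txq;
}

/* Queue-pair pool setup: reject ids outside the combined range before
 * touching either ring array, so rx_rings[qid] is never read past num_rxq. */
int pool_setup_checked(struct vsi_model *v, unsigned int qid)
{
    if (v == NULL || qid >= combined_queues(v))
        return -EINVAL;
    v->rx_rings[qid]->has_xsk_pool = 1;
    v->tx_rings[qid]->has_xsk_pool = 1;
    return 0;
}

/* Build a constructed rx/tx configuration and try to bind at qid. */
int demo_bind(unsigned int rx, unsigned int tx, unsigned int qid)
{
    static struct ring rxr[MAX_Q], txr[MAX_Q];
    static struct ring *rxp[MAX_Q], *txp[MAX_Q];
    struct vsi_model v = { rx, tx, rxp, txp };
    if (rx > MAX_Q || tx > MAX_Q)
        return -ERANGE;
    for (unsigned int i = 0; i < MAX_Q; i++) {
        rxp[i] = i < rx ? &rxr[i] : NULL;   /* no Rx ring at ids >= rx */
        txp[i] = i < tx ? &txr[i] : NULL;
    }
    return pool_setup_checked(&v, qid);
}

int main(void)
{
    printf("rx 8 tx 96, qid 10 -> %d\n", demo_bind(8, 96, 10));
    printf("rx 8 tx 96, qid 7  -> %d\n", demo_bind(8, 96, 7));
    return 0;
}
```
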
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.140 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.64 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 5.19.6 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.0:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.0:rc2:*:*:*:*:*:* | | |



