Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2022-50817

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
30/12/2025
Last modified:
31/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: hsr: avoid possible NULL deref in skb_clone()<br /> <br /> syzbot got a crash [1] in skb_clone(), caused by a bug<br /> in hsr_get_untagged_frame().<br /> <br /> When/if create_stripped_skb_hsr() returns NULL, we must<br /> not attempt to call skb_clone().<br /> <br /> While we are at it, replace a WARN_ONCE() by netdev_warn_once().<br /> <br /> [1]<br /> general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] PREEMPT SMP KASAN<br /> KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]<br /> CPU: 1 PID: 754 Comm: syz-executor.0 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0<br /> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022<br /> RIP: 0010:skb_clone+0x108/0x3c0 net/core/skbuff.c:1641<br /> Code: 93 02 00 00 49 83 7c 24 28 00 0f 85 e9 00 00 00 e8 5d 4a 29 fa 4c 8d 75 7e 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 b6 04 02 4c 89 f2 83 e2 07 38 d0 7f 08 84 c0 0f 85 9e 01 00 00<br /> RSP: 0018:ffffc90003ccf4e0 EFLAGS: 00010207<br /> <br /> RAX: dffffc0000000000 RBX: ffffc90003ccf5f8 RCX: ffffc9000c24b000<br /> RDX: 000000000000000f RSI: ffffffff8751cb13 RDI: 0000000000000000<br /> RBP: 0000000000000000 R08: 00000000000000f0 R09: 0000000000000140<br /> R10: fffffbfff181d972 R11: 0000000000000000 R12: ffff888161fc3640<br /> R13: 0000000000000a20 R14: 000000000000007e R15: ffffffff8dc5f620<br /> FS: 00007feb621e4700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 00007feb621e3ff8 CR3: 00000001643a9000 CR4: 00000000003506e0<br /> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000<br /> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400<br /> Call Trace:<br /> <br /> hsr_get_untagged_frame+0x4e/0x610 net/hsr/hsr_forward.c:164<br /> hsr_forward_do net/hsr/hsr_forward.c:461 [inline]<br /> hsr_forward_skb+0xcca/0x1d50 net/hsr/hsr_forward.c:623<br /> hsr_handle_frame+0x588/0x7c0 net/hsr/hsr_slave.c:69<br /> __netif_receive_skb_core+0x9fe/0x38f0 net/core/dev.c:5379<br /> __netif_receive_skb_one_core+0xae/0x180 net/core/dev.c:5483<br /> __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5599<br /> netif_receive_skb_internal net/core/dev.c:5685 [inline]<br /> netif_receive_skb+0x12f/0x8d0 net/core/dev.c:5744<br /> tun_rx_batched+0x4ab/0x7a0 drivers/net/tun.c:1544<br /> tun_get_user+0x2686/0x3a00 drivers/net/tun.c:1995<br /> tun_chr_write_iter+0xdb/0x200 drivers/net/tun.c:2025<br /> call_write_iter include/linux/fs.h:2187 [inline]<br /> new_sync_write fs/read_write.c:491 [inline]<br /> vfs_write+0x9e9/0xdd0 fs/read_write.c:584<br /> ksys_write+0x127/0x250 fs/read_write.c:637<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd

Impact

References to Advisories, Solutions, and Tools