In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Fix memleak in sk_psock_queue_msg
If tcp_bpf_sendmsg() is running during a tear-down operation, we may enqueue data on the ingress msg queue while tear-down is trying to free it.
sk1 (redirect sk2)                        sk2
-------------------                       ---------------
tcp_bpf_sendmsg()
 tcp_bpf_send_verdict()
  tcp_bpf_sendmsg_redir()
   bpf_tcp_ingress()
                                          sock_map_close()
                                           lock_sock()
    lock_sock() ... blocking
                                           sk_psock_stop
                                            sk_psock_clear_state(psock, SK_PSOCK_TX_ENABLED);
                                           release_sock(sk);
    lock_sock()
    sk_mem_charge()
    get_page()
    sk_psock_queue_msg()
     sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED);
      drop_sk_msg()
    release_sock()
In drop_sk_msg(), the msg has already charged memory from sk via sk_mem_charge() and holds sg pages that still need to be put. To fix this, we use sk_msg_free() and then kfree() the msg.
This issue can produce the following warnings:
WARNING: CPU: 0 PID: 9202 at net/core/stream.c:205 sk_stream_kill_queues+0xc8/0xe0
Call Trace:
<IRQ>
inet_csk_destroy_sock+0x55/0x110
tcp_rcv_state_process+0xe5f/0xe90
? sk_filter_trim_cap+0x10d/0x230
? tcp_v4_do_rcv+0x161/0x250
tcp_v4_do_rcv+0x161/0x250
tcp_v4_rcv+0xc3a/0xce0
ip_protocol_deliver_rcu+0x3d/0x230
ip_local_deliver_finish+0x54/0x60
ip_local_deliver+0xfd/0x110
? ip_protocol_deliver_rcu+0x230/0x230
ip_rcv+0xd6/0x100
? ip_local_deliver+0x110/0x110
__netif_receive_skb_one_core+0x85/0xa0
process_backlog+0xa4/0x160
__napi_poll+0x29/0x1b0
net_rx_action+0x287/0x300
__do_softirq+0xff/0x2fc
do_softirq+0x79/0x90
</IRQ>
WARNING: CPU: 0 PID: 531 at net/ipv4/af_inet.c:154 inet_sock_destruct+0x175/0x1b0
Call Trace:
<TASK>
__sk_destruct+0x24/0x1f0
sk_psock_destroy+0x19b/0x1c0
process_one_work+0x1b3/0x3c0
? process_one_work+0x3c0/0x3c0
worker_thread+0x30/0x350
? process_one_work+0x3c0/0x3c0
kthread+0xe6/0x110
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x22/0x30
</TASK>
{ "vanir_signatures": [ { "digest": { "length": 282.0, "function_hash": "44097140197283893479078045568081170561" }, "target": { "function": "sk_psock_queue_msg", "file": "include/linux/skmsg.h" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4dd2e947d3be13a4de3b3028859b9a6497266bcf", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-49207-0a13a741" }, { "digest": { "length": 282.0, "function_hash": "44097140197283893479078045568081170561" }, "target": { "function": "sk_psock_queue_msg", "file": "include/linux/skmsg.h" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@03948ed6553960db62f1c33bec29e64d7c191a3f", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-49207-26032c53" }, { "digest": { "line_hashes": [ "192899186734178142369551629861073469730", "158001589014005701027985273730605042499", "217806889127226734831982947129734713521", "289276624005125166220330768741541212860", "320560485223018440510053400016223394634", "138618742501168261075703453823615400572", "200291382335321086897173462962518419333", "299225783202667300419350691525403627009", "182888595509341412476128831371841840058", "205364036142345018632200653016084573832", "60545495263353923343269470652297331310", "52076247972707424691091268770819528161", "332210977122461283855479998050765541303", "308070519189065551016872439760215143966", "10154597648955086645758210120559995882", "233413987872263595515421479785733714149", "300885899772070784484600361380204682305" ], "threshold": 0.9 }, "target": { "file": "include/linux/skmsg.h" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@938d3480b92fa5e454b7734294f12a7b75126f09", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-49207-5abc721f" }, { "digest": { "length": 149.0, "function_hash": "321638140342476760902909089643327693137" }, "target": { 
"function": "drop_sk_msg", "file": "include/linux/skmsg.h" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ef9785f429794567792561a584901faa9291d3ee", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-49207-814ec122" }, { "digest": { "line_hashes": [ "192899186734178142369551629861073469730", "158001589014005701027985273730605042499", "217806889127226734831982947129734713521", "289276624005125166220330768741541212860", "320560485223018440510053400016223394634", "138618742501168261075703453823615400572", "200291382335321086897173462962518419333", "299225783202667300419350691525403627009", "182888595509341412476128831371841840058", "205364036142345018632200653016084573832", "60545495263353923343269470652297331310", "52076247972707424691091268770819528161", "332210977122461283855479998050765541303", "308070519189065551016872439760215143966", "10154597648955086645758210120559995882", "233413987872263595515421479785733714149", "300885899772070784484600361380204682305" ], "threshold": 0.9 }, "target": { "file": "include/linux/skmsg.h" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@03948ed6553960db62f1c33bec29e64d7c191a3f", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-49207-99e3cf41" }, { "digest": { "length": 282.0, "function_hash": "44097140197283893479078045568081170561" }, "target": { "function": "sk_psock_queue_msg", "file": "include/linux/skmsg.h" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ef9785f429794567792561a584901faa9291d3ee", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-49207-a326a57c" }, { "digest": { "line_hashes": [ "192899186734178142369551629861073469730", "158001589014005701027985273730605042499", "217806889127226734831982947129734713521", "289276624005125166220330768741541212860", 
"320560485223018440510053400016223394634", "138618742501168261075703453823615400572", "200291382335321086897173462962518419333", "299225783202667300419350691525403627009", "182888595509341412476128831371841840058", "205364036142345018632200653016084573832", "60545495263353923343269470652297331310", "52076247972707424691091268770819528161", "332210977122461283855479998050765541303", "308070519189065551016872439760215143966", "10154597648955086645758210120559995882", "233413987872263595515421479785733714149", "300885899772070784484600361380204682305" ], "threshold": 0.9 }, "target": { "file": "include/linux/skmsg.h" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4dd2e947d3be13a4de3b3028859b9a6497266bcf", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-49207-a44b5b8f" }, { "digest": { "line_hashes": [ "192899186734178142369551629861073469730", "158001589014005701027985273730605042499", "217806889127226734831982947129734713521", "289276624005125166220330768741541212860", "320560485223018440510053400016223394634", "138618742501168261075703453823615400572", "200291382335321086897173462962518419333", "299225783202667300419350691525403627009", "182888595509341412476128831371841840058", "205364036142345018632200653016084573832", "60545495263353923343269470652297331310", "52076247972707424691091268770819528161", "332210977122461283855479998050765541303", "308070519189065551016872439760215143966", "10154597648955086645758210120559995882", "233413987872263595515421479785733714149", "300885899772070784484600361380204682305" ], "threshold": 0.9 }, "target": { "file": "include/linux/skmsg.h" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ef9785f429794567792561a584901faa9291d3ee", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-49207-a520b883" }, { "digest": { "length": 149.0, "function_hash": "321638140342476760902909089643327693137" 
}, "target": { "function": "drop_sk_msg", "file": "include/linux/skmsg.h" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@938d3480b92fa5e454b7734294f12a7b75126f09", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-49207-cfe94253" }, { "digest": { "length": 282.0, "function_hash": "44097140197283893479078045568081170561" }, "target": { "function": "sk_psock_queue_msg", "file": "include/linux/skmsg.h" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@938d3480b92fa5e454b7734294f12a7b75126f09", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-49207-d0e60ba9" }, { "digest": { "length": 149.0, "function_hash": "321638140342476760902909089643327693137" }, "target": { "function": "drop_sk_msg", "file": "include/linux/skmsg.h" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@4dd2e947d3be13a4de3b3028859b9a6497266bcf", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-49207-ea08dccf" }, { "digest": { "length": 149.0, "function_hash": "321638140342476760902909089643327693137" }, "target": { "function": "drop_sk_msg", "file": "include/linux/skmsg.h" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@03948ed6553960db62f1c33bec29e64d7c191a3f", "deprecated": false, "signature_version": "v1", "id": "CVE-2022-49207-f6e179bf" } ] }