CVE-2022-50706

syzbot is hitting skbassertlen() warning at _devqueuexmit() [1], for PFIEEE802154 socket's zero-sized rawsendmsg() request is hitting _devqueuexmit() with skb->len == 0.

Since PFIEEE802154 socket's zero-sized rawsendmsg() request was able to return 0, don't call _devqueue_xmit() if packet length is 0.

#include <sys/socket.h> #include <netinet/in.h>

int main(int argc, char *argv[]) { struct sockaddrin addr = { .sinfamily = AFINET, .sinaddr.saddr = htonl(INADDRLOOPBACK) }; struct iovec iov = { }; struct msghdr hdr = { .msgname = &addr, .msgnamelen = sizeof(addr), .msgiov = &iov, .msgiovlen = 1 }; sendmsg(socket(PFIEEE802154, SOCKRAW, 0), &hdr, 0); return 0; }

Note that this might be a sign that commit fd1894224407c484 ("bpf: Don't redirect packets with invalid pktlen") should be reverted, for skb->len == 0 was acceptable for at least PFIEEE802154 socket.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50706.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

8b68e53d56697a59b5c53893b53f508bbdf272a0

Fixed

4a36de8947794fa21435d1e916e089095f3246a8

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

6204bf78b2a903b96ba43afff6abc0b04d6e0462

Fixed

791489a5c56396ddfed75fc525066d4738dace46

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

a75987714bd2d8e59840667a28e15c1fa5c47554

Fixed

34f31a2b667914ab701ca725554a0b447809d7ef

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

72f2dc8993f10262092745a88cb2dd0fef094f23

Fixed

df0da3fc131132b6c32a15c4da4ffa3a5aea1af2

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

fd1894224407c484f652ad456e1ce423e89bb3eb

Fixed

9974d220c5073d035b5469d1d8ecd71da86c7afd

Fixed

b12e924a2f5b960373459c8f8a514f887adf5cac

Affected versions

v5.*

v5.10.141

v5.10.142

v5.10.143

v5.10.144

v5.10.145

v5.10.146

v5.10.147

v5.10.148

v5.10.149

v5.15.65

v5.15.66

v5.15.67

v5.15.68

v5.15.69

v5.15.70

v5.15.71

v5.15.72

v5.15.73

v5.15.74

v5.19

v5.19-rc6

v5.19-rc7

v5.19-rc8

v5.19.10

v5.19.11

v5.19.12

v5.19.13

v5.19.14

v5.19.15

v5.19.16

v5.19.7

v5.19.8

v5.19.9

v5.4.212

v5.4.213

v5.4.214

v5.4.215

v5.4.216

v5.4.217

v5.4.218

v5.4.219

v6.*

v6.0

v6.0-rc1

v6.0-rc2

v6.0-rc3

v6.0-rc4

v6.0-rc5

v6.0-rc6

v6.0-rc7

v6.0.1

v6.0.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50706.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.4.220

Type: ECOSYSTEM
Events: Introduced

5.5.0

Fixed

5.10.150

Type: ECOSYSTEM
Events: Introduced

5.11.0

Fixed

5.15.75

Type: ECOSYSTEM
Events: Introduced

5.16.0

Fixed

5.19.17

Type: ECOSYSTEM
Events: Introduced

5.20.0

Fixed

6.0.3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-50706.json"