Cyber Posture

CVE-2022-49205

High

Published: 26 February 2025

Modified: 22 September 2025
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (percentile 3.1)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Fix double uncharge the mem of sk_msg

If tcp_bpf_sendmsg is running during a tear down operation, psock may be freed.

    tcp_bpf_sendmsg()
      tcp_bpf_send_verdict()
        sk_msg_return()
        tcp_bpf_sendmsg_redir()
          unlikely(!psock)
            sk_msg_free()

The mem of msg has been uncharged in tcp_bpf_send_verdict() by sk_msg_return(), and would be uncharged by sk_msg_free() again. When psock is null, we can simply return an error code; this would then trigger the sk_msg_free_nocharge in the error path of __SK_REDIRECT and would have the side effect of throwing an error up to user space. This would be a slight change in behavior from the user side but would look the same as an error if the redirect on the socket threw an error.

This issue can cause the following info:

    WARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260
    Call Trace:
    <TASK>
    __sk_destruct+0x24/0x1f0
    sk_psock_destroy+0x19b/0x1c0
    process_one_work+0x1b3/0x3c0
    worker_thread+0x30/0x350
    ? process_one_work+0x3c0/0x3c0
    kthread+0xe6/0x110
    ? kthread_complete_and_exit+0x20/0x20
    ret_from_fork+0x22/0x30
    </TASK>
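The following is an added illustration, not code from the kernel, from the fixing commit or from this page: a user-space C model of the accounting mistake the commit message describes. Every structure and function is a constructed stand-in named after the kernel symbol it imitates (msg_return for sk_msg_return, msg_free for sk_msg_free, msg_free_nocharge for sk_msg_free_nocharge, redir_vulnerable and redir_fixed for the two versions of the psock check in tcp_bpf_sendmsg_redir, send_verdict for the __SK_REDIRECT path of tcp_bpf_send_verdict, destruct_balanced for the destruct-time warning); their bodies, the charged-bytes counter and the -EPIPE return value are assumptions of the model, not the kernel's actual sk_forward_alloc rules. It pushes the same message through the vulnerable and the fixed redirect with a null psock (standing in for a psock freed by a concurrent teardown) and shows which one leaves the socket's accounting unbalanced when the socket is destroyed.

```c
/* User-space model of the sk_msg accounting bug behind CVE-2022-49205.
 * NOT kernel code: every struct and function is a constructed stand-in
 * named after the kernel symbol it imitates; the bodies are assumptions.
 * "charged" is an abstract balance of bytes accounted to the socket. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct sock { long charged; };               /* bytes of msg memory charged to the socket */
struct sk_msg { long size; bool charged; };  /* one message and whether it still holds a charge */
struct sk_psock { int placeholder; };        /* stand-in; NULL models a psock freed by teardown */

/* Allocate a message and charge its size to the socket. */
static struct sk_msg msg_alloc(struct sock *sk, long size)
{
    sk->charged += size;
    return (struct sk_msg){ .size = size, .charged = true };
}

/* Stand-in for sk_msg_return(): hand the charge back before a redirect. */
static void msg_return(struct sock *sk, struct sk_msg *msg)
{
    sk->charged -= msg->size;
    msg->charged = false;
}

/* Stand-in for sk_msg_free(): drop the buffers AND uncharge the socket.
 * It assumes the message is still charged; it cannot tell otherwise. */
static void msg_free(struct sock *sk, struct sk_msg *msg)
{
    sk->charged -= msg->size;
    msg->size = 0;
}

/* Stand-in for sk_msg_free_nocharge(): drop the buffers, leave accounting alone. */
static void msg_free_nocharge(struct sk_msg *msg)
{
    msg->size = 0;
}

/* Vulnerable stand-in for tcp_bpf_sendmsg_redir(): a missing psock is
 * "handled" by freeing with uncharge, although the caller already uncharged. */
static int redir_vulnerable(struct sock *sk, struct sk_psock *psock, struct sk_msg *msg)
{
    if (psock == NULL) {
        msg_free(sk, msg);      /* second uncharge of memory already returned by msg_return() */
        return 0;               /* caller sees success, so its error path never runs */
    }
    return 0;                   /* normal redirect path not modelled */
}

/* Fixed stand-in: report the missing psock and let the caller's error path
 * free without charging.  -EPIPE is the errno assumed for this model. */
static int redir_fixed(struct sock *sk, struct sk_psock *psock, struct sk_msg *msg)
{
    (void)sk; (void)msg;
    if (psock == NULL)
        return -EPIPE;
    return 0;
}

typedef int (*redir_fn)(struct sock *, struct sk_psock *, struct sk_msg *);

/* Stand-in for the __SK_REDIRECT case of tcp_bpf_send_verdict(): return the
 * charge, attempt the redirect, and on error free without touching accounting.
 * Returns the socket's charge balance afterwards; 0 means the books balance. */
static long send_verdict(struct sock *sk, struct sk_psock *psock, long size, redir_fn redir)
{
    struct sk_msg msg = msg_alloc(sk, size);
    msg_return(sk, &msg);
    int ret = redir(sk, psock, &msg);
    if (ret < 0)
        msg_free_nocharge(&msg);
    return sk->charged;
}

/* Destruct-time check modelled on the inet_sock_destruct warning in the trace:
 * a non-zero balance when the socket goes away is an accounting bug. */
static bool destruct_balanced(const struct sock *sk)
{
    return sk->charged == 0;
}

int main(void)
{
    struct sock vuln = { 0 }, fixed = { 0 };
    long v = send_verdict(&vuln, NULL, 4096, redir_vulnerable);
    long f = send_verdict(&fixed, NULL, 4096, redir_fixed);
    printf("vulnerable: balance %ld, destruct %s\n", v, destruct_balanced(&vuln) ? "clean" : "WARNING");
    printf("fixed:      balance %ld, destruct %s\n", f, destruct_balanced(&fixed) ? "clean" : "WARNING");
    return 0;
}
```

Compiled with any C99 compiler, the vulnerable path leaves a balance of -4096 that the destruct check flags, while the fixed path reports the error to the caller, whose free-without-charge leaves the balance at zero. The general point the model makes: once a function has handed the charge back to the socket, every later error path must free without uncharging, which is exactly why the fix returns an error instead of calling the charging free.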

Security Summary

CVE-2022-49205 is a vulnerability in the Linux kernel's BPF sockmap implementation in which the memory accounted to an sk_msg can be uncharged twice. It arises when tcp_bpf_sendmsg runs concurrently with a socket teardown, during which the psock may be freed: tcp_bpf_send_verdict first uncharges the message via sk_msg_return, and if tcp_bpf_sendmsg_redir then finds psock null it calls sk_msg_free, which uncharges the same memory again. The result is a double-free condition classified under CWE-415. It manifests as kernel warnings such as the one in inet_sock_destruct at net/ipv4/af_inet.c:155, with a call trace through sk_psock_destroy and the kernel worker threads.

The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) describes a local attacker with low privileges (PR:L), low attack complexity (AC:L), no user interaction (UI:N) and an unchanged security scope (S:U), for a base score of 7.8. Successful exploitation is rated high impact on confidentiality, integrity and availability (C:H/I:H/A:H), since the double-free could lead to kernel memory corruption, crashes, or privilege escalation. Note that the EPSS score recorded above (0.0001) indicates a low estimated probability of exploitation in the wild; the CVSS score reflects worst-case impact, not likelihood.

The fix has been merged into the Linux kernel stable trees; the relevant commits are https://git.kernel.org/stable/c/223f3c51ab163852dd4819d357dcf33039929434, https://git.kernel.org/stable/c/2486ab434b2c2a14e9237296db00b1e1b7ae3273, https://git.kernel.org/stable/c/94c6ac22abcdede72bfaa0f4c22fb370891f4002, https://git.kernel.org/stable/c/ac3ecb7760c750c8e4fc09c719241d8e6e88028c, and https://git.kernel.org/stable/c/cb6f141ae705af0101e819065a79e6d029f6e393. Security practitioners should update kernels in the affected version ranges listed under Affected Products to a release that incorporates these fixes.

Details

CWE(s): CWE-415 (Double Free)

Affected Products

Vendor: linux
Product: linux kernel
Affected versions: 4.20 to 5.4.189; 5.5 to 5.10.110; 5.11 to 5.15.33
