lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2025091554-CVE-2022-50291-82e7@gregkh>
Date: Mon, 15 Sep 2025 16:45:53 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2022-50291: kcm: annotate data-races around kcm->rx_psock

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

kcm: annotate data-races around kcm->rx_psock

kcm->rx_psock can be read locklessly in kcm_rfree().
Annotate the read and writes accordingly.

We do the same for kcm->rx_wait in the following patch.

syzbot reported:
BUG: KCSAN: data-race in kcm_rfree / unreserve_rx_kcm

write to 0xffff888123d827b8 of 8 bytes by task 2758 on cpu 1:
unreserve_rx_kcm+0x72/0x1f0 net/kcm/kcmsock.c:313
kcm_rcv_strparser+0x2b5/0x3a0 net/kcm/kcmsock.c:373
__strp_recv+0x64c/0xd20 net/strparser/strparser.c:301
strp_recv+0x6d/0x80 net/strparser/strparser.c:335
tcp_read_sock+0x13e/0x5a0 net/ipv4/tcp.c:1703
strp_read_sock net/strparser/strparser.c:358 [inline]
do_strp_work net/strparser/strparser.c:406 [inline]
strp_work+0xe8/0x180 net/strparser/strparser.c:415
process_one_work+0x3d3/0x720 kernel/workqueue.c:2289
worker_thread+0x618/0xa70 kernel/workqueue.c:2436
kthread+0x1a9/0x1e0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

read to 0xffff888123d827b8 of 8 bytes by task 5859 on cpu 0:
kcm_rfree+0x14c/0x220 net/kcm/kcmsock.c:181
skb_release_head_state+0x8e/0x160 net/core/skbuff.c:841
skb_release_all net/core/skbuff.c:852 [inline]
__kfree_skb net/core/skbuff.c:868 [inline]
kfree_skb_reason+0x5c/0x260 net/core/skbuff.c:891
kfree_skb include/linux/skbuff.h:1216 [inline]
kcm_recvmsg+0x226/0x2b0 net/kcm/kcmsock.c:1161
____sys_recvmsg+0x16c/0x2e0
___sys_recvmsg net/socket.c:2743 [inline]
do_recvmmsg+0x2f1/0x710 net/socket.c:2837
__sys_recvmmsg net/socket.c:2916 [inline]
__do_sys_recvmmsg net/socket.c:2939 [inline]
__se_sys_recvmmsg net/socket.c:2932 [inline]
__x64_sys_recvmmsg+0xde/0x160 net/socket.c:2932
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

value changed: 0xffff88812971ce00 -> 0x0000000000000000

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 5859 Comm: syz-executor.3 Not tainted 6.0.0-syzkaller-12189-g19d17ab7c68b-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022

The Linux kernel CVE team has assigned CVE-2022-50291 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 4.6 with commit ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 and fixed in 4.9.332 with commit 13dba69e18d04c8eec7596369f2a0596b0260275
	Issue introduced in 4.6 with commit ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 and fixed in 4.14.298 with commit bf46af730e58d340f6f740bc69a07c5f6b85c655
	Issue introduced in 4.6 with commit ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 and fixed in 4.19.264 with commit 1b8a5692ab25db4ef1c2cc8e5d21f7a65dc3d079
	Issue introduced in 4.6 with commit ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 and fixed in 5.4.223 with commit e94395e916b48a5b912a0a04570981b5b091acb0
	Issue introduced in 4.6 with commit ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 and fixed in 5.10.153 with commit c325f92d8d9b223d5842609ca067e898e9d34566
	Issue introduced in 4.6 with commit ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 and fixed in 5.15.77 with commit 342d918cf9a45df9cf11bbe7162b851adefd178f
	Issue introduced in 4.6 with commit ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 and fixed in 6.0.7 with commit 12a0eb340c9a22e0f8c00d2c0c1a60695ead926a
	Issue introduced in 4.6 with commit ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 and fixed in 6.1 with commit 15e4dabda11b0fa31d510a915d1a580f47dfc92e

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-50291
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/kcm/kcmsock.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/13dba69e18d04c8eec7596369f2a0596b0260275
	https://git.kernel.org/stable/c/bf46af730e58d340f6f740bc69a07c5f6b85c655
	https://git.kernel.org/stable/c/1b8a5692ab25db4ef1c2cc8e5d21f7a65dc3d079
	https://git.kernel.org/stable/c/e94395e916b48a5b912a0a04570981b5b091acb0
	https://git.kernel.org/stable/c/c325f92d8d9b223d5842609ca067e898e9d34566
	https://git.kernel.org/stable/c/342d918cf9a45df9cf11bbe7162b851adefd178f
	https://git.kernel.org/stable/c/12a0eb340c9a22e0f8c00d2c0c1a60695ead926a
	https://git.kernel.org/stable/c/15e4dabda11b0fa31d510a915d1a580f47dfc92e

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ