lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2025091551-CVE-2022-50259-6276@gregkh>
Date: Mon, 15 Sep 2025 16:02:07 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2022-50259: bpf, sockmap: fix race in sock_map_free()

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: fix race in sock_map_free()

sock_map_free() calls release_sock(sk) without owning a reference
on the socket. This can cause use-after-free as syzbot found [1]

Jakub Sitnicki already took care of a similar issue
in sock_hash_free() in commit 75e68e5bf2c7 ("bpf, sockhash:
Synchronize delete from bucket list on map free")

[1]
refcount_t: decrement hit 0; leaking memory.
WARNING: CPU: 0 PID: 3785 at lib/refcount.c:31 refcount_warn_saturate+0x17c/0x1a0 lib/refcount.c:31
Modules linked in:
CPU: 0 PID: 3785 Comm: kworker/u4:6 Not tainted 6.1.0-rc7-syzkaller-00103-gef4d3ea40565 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: events_unbound bpf_map_free_deferred
RIP: 0010:refcount_warn_saturate+0x17c/0x1a0 lib/refcount.c:31
Code: 68 8b 31 c0 e8 75 71 15 fd 0f 0b e9 64 ff ff ff e8 d9 6e 4e fd c6 05 62 9c 3d 0a 01 48 c7 c7 80 bb 68 8b 31 c0 e8 54 71 15 fd <0f> 0b e9 43 ff ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c a2 fe ff
RSP: 0018:ffffc9000456fb60 EFLAGS: 00010246
RAX: eae59bab72dcd700 RBX: 0000000000000004 RCX: ffff8880207057c0
RDX: 0000000000000000 RSI: 0000000000000201 RDI: 0000000000000000
RBP: 0000000000000004 R08: ffffffff816fdabd R09: fffff520008adee5
R10: fffff520008adee5 R11: 1ffff920008adee4 R12: 0000000000000004
R13: dffffc0000000000 R14: ffff88807b1c6c00 R15: 1ffff1100f638dcf
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b30c30000 CR3: 000000000d08e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__refcount_dec include/linux/refcount.h:344 [inline]
refcount_dec include/linux/refcount.h:359 [inline]
__sock_put include/net/sock.h:779 [inline]
tcp_release_cb+0x2d0/0x360 net/ipv4/tcp_output.c:1092
release_sock+0xaf/0x1c0 net/core/sock.c:3468
sock_map_free+0x219/0x2c0 net/core/sock_map.c:356
process_one_work+0x81c/0xd10 kernel/workqueue.c:2289
worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
kthread+0x266/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
</TASK>

The Linux kernel CVE team has assigned CVE-2022-50259 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.4.14 with commit 20ae0cb8983b05136d5293c47fadc99a8ca8ca2d and fixed in 5.4.229 with commit 4cabc3af4a6f36c222fecb15858c1060e59218e7
	Issue introduced in 5.5 with commit 7e81a35302066c5a00b4c72d83e3ea4cad6eeb5b and fixed in 5.10.163 with commit be719496ae6a7fc325e9e5056a52f63ebc84cc0c
	Issue introduced in 5.5 with commit 7e81a35302066c5a00b4c72d83e3ea4cad6eeb5b and fixed in 5.15.86 with commit a443c55d96dede82a724df6e70a318ad15c199e1
	Issue introduced in 5.5 with commit 7e81a35302066c5a00b4c72d83e3ea4cad6eeb5b and fixed in 6.0.16 with commit e8b2b392a646bf5cb9413c1cc7a39d99c1b65a62
	Issue introduced in 5.5 with commit 7e81a35302066c5a00b4c72d83e3ea4cad6eeb5b and fixed in 6.1.2 with commit 5c3568166129bc73fd6b37748d2d8f95cd8f22f3
	Issue introduced in 5.5 with commit 7e81a35302066c5a00b4c72d83e3ea4cad6eeb5b and fixed in 6.2 with commit 0a182f8d607464911756b4dbef5d6cad8de22469

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-50259
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/core/sock_map.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/4cabc3af4a6f36c222fecb15858c1060e59218e7
	https://git.kernel.org/stable/c/be719496ae6a7fc325e9e5056a52f63ebc84cc0c
	https://git.kernel.org/stable/c/a443c55d96dede82a724df6e70a318ad15c199e1
	https://git.kernel.org/stable/c/e8b2b392a646bf5cb9413c1cc7a39d99c1b65a62
	https://git.kernel.org/stable/c/5c3568166129bc73fd6b37748d2d8f95cd8f22f3
	https://git.kernel.org/stable/c/0a182f8d607464911756b4dbef5d6cad8de22469

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ