| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025100700-CVE-2022-50555-18e1@gregkh> Date: Tue, 7 Oct 2025 17:21:13 +0200 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...nel.org> Subject: CVE-2022-50555: tipc: fix a null-ptr-deref in tipc_topsrv_accept From: Greg Kroah-Hartman <gregkh@...nel.org> Description =========== In the Linux kernel, the following vulnerability has been resolved: tipc: fix a null-ptr-deref in tipc_topsrv_accept syzbot found a crash in tipc_topsrv_accept: KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] Workqueue: tipc_rcv tipc_topsrv_accept RIP: 0010:kernel_accept+0x22d/0x350 net/socket.c:3487 Call Trace: <TASK> tipc_topsrv_accept+0x197/0x280 net/tipc/topsrv.c:460 process_one_work+0x991/0x1610 kernel/workqueue.c:2289 worker_thread+0x665/0x1080 kernel/workqueue.c:2436 kthread+0x2e4/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 It was caused by srv->listener that might be set to null by tipc_topsrv_stop() in net .exit whereas it's still used in tipc_topsrv_accept() worker. srv->listener is protected by srv->idr_lock in tipc_topsrv_stop(), so add a check for srv->listener under srv->idr_lock in tipc_topsrv_accept() to avoid the null-ptr-deref. To ensure the lsock is not released during the tipc_topsrv_accept(), move sock_release() after tipc_topsrv_work_stop() where it's waiting until the tipc_topsrv_accept worker to be done. Note that sk_callback_lock is used to protect sk->sk_user_data instead of srv->listener, and it should check srv in tipc_topsrv_listener_data_ready() instead. This also ensures that no more tipc_topsrv_accept worker will be started after tipc_conn_close() is called in tipc_topsrv_stop() where it sets sk->sk_user_data to null. The Linux kernel CVE team has assigned CVE-2022-50555 to this issue. Affected and fixed versions =========================== Issue introduced in 4.17 with commit 0ef897be12b8b4cf297b6016e79ec97ec90f2cf6 and fixed in 4.19.264 with commit ce69bdac2310152bb70845024d5d704c52aabfc3 Issue introduced in 4.17 with commit 0ef897be12b8b4cf297b6016e79ec97ec90f2cf6 and fixed in 5.4.223 with commit 24b129aed8730e48f47d852d58d76825ab6f407c Issue introduced in 4.17 with commit 0ef897be12b8b4cf297b6016e79ec97ec90f2cf6 and fixed in 5.10.153 with commit 32a3d4660b34ce49ac0162338ebe362098e2f5df Issue introduced in 4.17 with commit 0ef897be12b8b4cf297b6016e79ec97ec90f2cf6 and fixed in 5.15.77 with commit 7a939503fc32bff4ed60800b73ff7fbb4aea2142 Issue introduced in 4.17 with commit 0ef897be12b8b4cf297b6016e79ec97ec90f2cf6 and fixed in 6.0.7 with commit cedb41664e27b2cae7e21487f1bee22dcd84037d Issue introduced in 4.17 with commit 0ef897be12b8b4cf297b6016e79ec97ec90f2cf6 and fixed in 6.1 with commit 82cb4e4612c633a9ce320e1773114875604a3cce Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2022-50555 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/tipc/topsrv.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/ce69bdac2310152bb70845024d5d704c52aabfc3 https://git.kernel.org/stable/c/24b129aed8730e48f47d852d58d76825ab6f407c https://git.kernel.org/stable/c/32a3d4660b34ce49ac0162338ebe362098e2f5df https://git.kernel.org/stable/c/7a939503fc32bff4ed60800b73ff7fbb4aea2142 https://git.kernel.org/stable/c/cedb41664e27b2cae7e21487f1bee22dcd84037d https://git.kernel.org/stable/c/82cb4e4612c633a9ce320e1773114875604a3cce
Powered by blists - more mailing lists