Message-ID: <2025122420-CVE-2022-50706-930a@gregkh>
Date: Wed, 24 Dec 2025 11:56:23 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2022-50706: net/ieee802154: don't warn zero-sized raw_sendmsg()

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

net/ieee802154: don't warn zero-sized raw_sendmsg()

syzbot is hitting skb_assert_len() warning at __dev_queue_xmit() [1],
for PF_IEEE802154 socket's zero-sized raw_sendmsg() request is hitting
__dev_queue_xmit() with skb->len == 0.

Since PF_IEEE802154 socket's zero-sized raw_sendmsg() request was
able to return 0, don't call __dev_queue_xmit() if packet length is 0.

  ----------
  #include <sys/socket.h>
  #include <netinet/in.h>

  int main(int argc, char *argv[])
  {
    struct sockaddr_in addr = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    struct iovec iov = { };
    struct msghdr hdr = { .msg_name = &addr, .msg_namelen = sizeof(addr), .msg_iov = &iov, .msg_iovlen = 1 };
    sendmsg(socket(PF_IEEE802154, SOCK_RAW, 0), &hdr, 0);
    return 0;
  }
  ----------

Note that this might be a sign that commit fd1894224407c484 ("bpf: Don't
redirect packets with invalid pkt_len") should be reverted, for
skb->len == 0 was acceptable for at least PF_IEEE802154 socket.

The Linux kernel CVE team has assigned CVE-2022-50706 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.4.212 with commit 8b68e53d56697a59b5c53893b53f508bbdf272a0 and fixed in 5.4.220 with commit 4a36de8947794fa21435d1e916e089095f3246a8
	Issue introduced in 5.10.141 with commit 6204bf78b2a903b96ba43afff6abc0b04d6e0462 and fixed in 5.10.150 with commit 791489a5c56396ddfed75fc525066d4738dace46
	Issue introduced in 5.15.65 with commit a75987714bd2d8e59840667a28e15c1fa5c47554 and fixed in 5.15.75 with commit 34f31a2b667914ab701ca725554a0b447809d7ef
	Issue introduced in 5.19.7 with commit 72f2dc8993f10262092745a88cb2dd0fef094f23 and fixed in 5.19.17 with commit df0da3fc131132b6c32a15c4da4ffa3a5aea1af2
	Issue introduced in 6.0 with commit fd1894224407c484f652ad456e1ce423e89bb3eb and fixed in 6.0.3 with commit 9974d220c5073d035b5469d1d8ecd71da86c7afd
	Issue introduced in 6.0 with commit fd1894224407c484f652ad456e1ce423e89bb3eb and fixed in 6.1 with commit b12e924a2f5b960373459c8f8a514f887adf5cac

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-50706
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/ieee802154/socket.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/4a36de8947794fa21435d1e916e089095f3246a8
	https://git.kernel.org/stable/c/791489a5c56396ddfed75fc525066d4738dace46
	https://git.kernel.org/stable/c/34f31a2b667914ab701ca725554a0b447809d7ef
	https://git.kernel.org/stable/c/df0da3fc131132b6c32a15c4da4ffa3a5aea1af2
	https://git.kernel.org/stable/c/9974d220c5073d035b5469d1d8ecd71da86c7afd
	https://git.kernel.org/stable/c/b12e924a2f5b960373459c8f8a514f887adf5cac

Powered by blists - more mailing lists