CVE-2022-50531 (GCVE-0-2022-50531)
Vulnerability from cvelistv5
Published
2025-10-07 15:19
Modified
2025-10-07 15:19
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
tipc: fix an information leak in tipc_topsrv_kern_subscr
Use a 8-byte write to initialize sub.usr_handle in
tipc_topsrv_kern_subscr(), otherwise four bytes remain uninitialized
when issuing setsockopt(..., SOL_TIPC, ...).
This resulted in an infoleak reported by KMSAN when the packet was
received:
=====================================================
BUG: KMSAN: kernel-infoleak in copyout+0xbc/0x100 lib/iov_iter.c:169
instrument_copy_to_user ./include/linux/instrumented.h:121
copyout+0xbc/0x100 lib/iov_iter.c:169
_copy_to_iter+0x5c0/0x20a0 lib/iov_iter.c:527
copy_to_iter ./include/linux/uio.h:176
simple_copy_to_iter+0x64/0xa0 net/core/datagram.c:513
__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419
skb_copy_datagram_iter+0x58/0x200 net/core/datagram.c:527
skb_copy_datagram_msg ./include/linux/skbuff.h:3903
packet_recvmsg+0x521/0x1e70 net/packet/af_packet.c:3469
____sys_recvmsg+0x2c4/0x810 net/socket.c:?
___sys_recvmsg+0x217/0x840 net/socket.c:2743
__sys_recvmsg net/socket.c:2773
__do_sys_recvmsg net/socket.c:2783
__se_sys_recvmsg net/socket.c:2780
__x64_sys_recvmsg+0x364/0x540 net/socket.c:2780
do_syscall_x64 arch/x86/entry/common.c:50
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120
...
Uninit was stored to memory at:
tipc_sub_subscribe+0x42d/0xb50 net/tipc/subscr.c:156
tipc_conn_rcv_sub+0x246/0x620 net/tipc/topsrv.c:375
tipc_topsrv_kern_subscr+0x2e8/0x400 net/tipc/topsrv.c:579
tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190
tipc_sk_join+0x2a8/0x770 net/tipc/socket.c:3084
tipc_setsockopt+0xae5/0xe40 net/tipc/socket.c:3201
__sys_setsockopt+0x87f/0xdc0 net/socket.c:2252
__do_sys_setsockopt net/socket.c:2263
__se_sys_setsockopt net/socket.c:2260
__x64_sys_setsockopt+0xe0/0x160 net/socket.c:2260
do_syscall_x64 arch/x86/entry/common.c:50
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120
Local variable sub created at:
tipc_topsrv_kern_subscr+0x57/0x400 net/tipc/topsrv.c:562
tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190
Bytes 84-87 of 88 are uninitialized
Memory access of size 88 starts at ffff88801ed57cd0
Data copied to user address 0000000020000400
...
=====================================================
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Linux | Linux |
Version: 026321c6d056a54b4145522492245d2b5913ee1d Version: 026321c6d056a54b4145522492245d2b5913ee1d Version: 026321c6d056a54b4145522492245d2b5913ee1d Version: 026321c6d056a54b4145522492245d2b5913ee1d Version: 026321c6d056a54b4145522492245d2b5913ee1d Version: 026321c6d056a54b4145522492245d2b5913ee1d |
||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/tipc/topsrv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "3d1b83ff7b6575a4e41283203e6b2e25ea700cd7",
"status": "affected",
"version": "026321c6d056a54b4145522492245d2b5913ee1d",
"versionType": "git"
},
{
"lessThan": "567f8de358b61015dcfb8878a1f06c5369a45f54",
"status": "affected",
"version": "026321c6d056a54b4145522492245d2b5913ee1d",
"versionType": "git"
},
{
"lessThan": "e558e148938442dd49628cd7ef61c360832bef31",
"status": "affected",
"version": "026321c6d056a54b4145522492245d2b5913ee1d",
"versionType": "git"
},
{
"lessThan": "dbc01c0a4e202a7e925dad1d4b7c1d6eb0c81154",
"status": "affected",
"version": "026321c6d056a54b4145522492245d2b5913ee1d",
"versionType": "git"
},
{
"lessThan": "fef70f978bc289642501d88d2a3f5e841bd31a67",
"status": "affected",
"version": "026321c6d056a54b4145522492245d2b5913ee1d",
"versionType": "git"
},
{
"lessThan": "777ecaabd614d47c482a5c9031579e66da13989a",
"status": "affected",
"version": "026321c6d056a54b4145522492245d2b5913ee1d",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/tipc/topsrv.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "4.17"
},
{
"lessThan": "4.17",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.264",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.221",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.152",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.76",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.6",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.264",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.221",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.152",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.76",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.6",
"versionStartIncluding": "4.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "4.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix an information leak in tipc_topsrv_kern_subscr\n\nUse a 8-byte write to initialize sub.usr_handle in\ntipc_topsrv_kern_subscr(), otherwise four bytes remain uninitialized\nwhen issuing setsockopt(..., SOL_TIPC, ...).\nThis resulted in an infoleak reported by KMSAN when the packet was\nreceived:\n\n =====================================================\n BUG: KMSAN: kernel-infoleak in copyout+0xbc/0x100 lib/iov_iter.c:169\n instrument_copy_to_user ./include/linux/instrumented.h:121\n copyout+0xbc/0x100 lib/iov_iter.c:169\n _copy_to_iter+0x5c0/0x20a0 lib/iov_iter.c:527\n copy_to_iter ./include/linux/uio.h:176\n simple_copy_to_iter+0x64/0xa0 net/core/datagram.c:513\n __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419\n skb_copy_datagram_iter+0x58/0x200 net/core/datagram.c:527\n skb_copy_datagram_msg ./include/linux/skbuff.h:3903\n packet_recvmsg+0x521/0x1e70 net/packet/af_packet.c:3469\n ____sys_recvmsg+0x2c4/0x810 net/socket.c:?\n ___sys_recvmsg+0x217/0x840 net/socket.c:2743\n __sys_recvmsg net/socket.c:2773\n __do_sys_recvmsg net/socket.c:2783\n __se_sys_recvmsg net/socket.c:2780\n __x64_sys_recvmsg+0x364/0x540 net/socket.c:2780\n do_syscall_x64 arch/x86/entry/common.c:50\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120\n\n ...\n\n Uninit was stored to memory at:\n tipc_sub_subscribe+0x42d/0xb50 net/tipc/subscr.c:156\n tipc_conn_rcv_sub+0x246/0x620 net/tipc/topsrv.c:375\n tipc_topsrv_kern_subscr+0x2e8/0x400 net/tipc/topsrv.c:579\n tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190\n tipc_sk_join+0x2a8/0x770 net/tipc/socket.c:3084\n tipc_setsockopt+0xae5/0xe40 net/tipc/socket.c:3201\n __sys_setsockopt+0x87f/0xdc0 net/socket.c:2252\n __do_sys_setsockopt net/socket.c:2263\n __se_sys_setsockopt net/socket.c:2260\n __x64_sys_setsockopt+0xe0/0x160 net/socket.c:2260\n do_syscall_x64 arch/x86/entry/common.c:50\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120\n\n Local variable sub created at:\n tipc_topsrv_kern_subscr+0x57/0x400 net/tipc/topsrv.c:562\n tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190\n\n Bytes 84-87 of 88 are uninitialized\n Memory access of size 88 starts at ffff88801ed57cd0\n Data copied to user address 0000000020000400\n ...\n ====================================================="
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:19:21.911Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/3d1b83ff7b6575a4e41283203e6b2e25ea700cd7"
},
{
"url": "https://git.kernel.org/stable/c/567f8de358b61015dcfb8878a1f06c5369a45f54"
},
{
"url": "https://git.kernel.org/stable/c/e558e148938442dd49628cd7ef61c360832bef31"
},
{
"url": "https://git.kernel.org/stable/c/dbc01c0a4e202a7e925dad1d4b7c1d6eb0c81154"
},
{
"url": "https://git.kernel.org/stable/c/fef70f978bc289642501d88d2a3f5e841bd31a67"
},
{
"url": "https://git.kernel.org/stable/c/777ecaabd614d47c482a5c9031579e66da13989a"
}
],
"title": "tipc: fix an information leak in tipc_topsrv_kern_subscr",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-50531",
"datePublished": "2025-10-07T15:19:21.911Z",
"dateReserved": "2025-10-07T15:15:38.664Z",
"dateUpdated": "2025-10-07T15:19:21.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2022-50531\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-10-07T16:15:37.143\",\"lastModified\":\"2025-10-08T19:38:32.610\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntipc: fix an information leak in tipc_topsrv_kern_subscr\\n\\nUse a 8-byte write to initialize sub.usr_handle in\\ntipc_topsrv_kern_subscr(), otherwise four bytes remain uninitialized\\nwhen issuing setsockopt(..., SOL_TIPC, ...).\\nThis resulted in an infoleak reported by KMSAN when the packet was\\nreceived:\\n\\n =====================================================\\n BUG: KMSAN: kernel-infoleak in copyout+0xbc/0x100 lib/iov_iter.c:169\\n instrument_copy_to_user ./include/linux/instrumented.h:121\\n copyout+0xbc/0x100 lib/iov_iter.c:169\\n _copy_to_iter+0x5c0/0x20a0 lib/iov_iter.c:527\\n copy_to_iter ./include/linux/uio.h:176\\n simple_copy_to_iter+0x64/0xa0 net/core/datagram.c:513\\n __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419\\n skb_copy_datagram_iter+0x58/0x200 net/core/datagram.c:527\\n skb_copy_datagram_msg ./include/linux/skbuff.h:3903\\n packet_recvmsg+0x521/0x1e70 net/packet/af_packet.c:3469\\n ____sys_recvmsg+0x2c4/0x810 net/socket.c:?\\n ___sys_recvmsg+0x217/0x840 net/socket.c:2743\\n __sys_recvmsg net/socket.c:2773\\n __do_sys_recvmsg net/socket.c:2783\\n __se_sys_recvmsg net/socket.c:2780\\n __x64_sys_recvmsg+0x364/0x540 net/socket.c:2780\\n do_syscall_x64 arch/x86/entry/common.c:50\\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\\n entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120\\n\\n ...\\n\\n Uninit was stored to memory at:\\n tipc_sub_subscribe+0x42d/0xb50 net/tipc/subscr.c:156\\n tipc_conn_rcv_sub+0x246/0x620 net/tipc/topsrv.c:375\\n tipc_topsrv_kern_subscr+0x2e8/0x400 net/tipc/topsrv.c:579\\n tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190\\n tipc_sk_join+0x2a8/0x770 net/tipc/socket.c:3084\\n tipc_setsockopt+0xae5/0xe40 net/tipc/socket.c:3201\\n __sys_setsockopt+0x87f/0xdc0 net/socket.c:2252\\n __do_sys_setsockopt net/socket.c:2263\\n __se_sys_setsockopt net/socket.c:2260\\n __x64_sys_setsockopt+0xe0/0x160 net/socket.c:2260\\n do_syscall_x64 arch/x86/entry/common.c:50\\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\\n entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120\\n\\n Local variable sub created at:\\n tipc_topsrv_kern_subscr+0x57/0x400 net/tipc/topsrv.c:562\\n tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190\\n\\n Bytes 84-87 of 88 are uninitialized\\n Memory access of size 88 starts at ffff88801ed57cd0\\n Data copied to user address 0000000020000400\\n ...\\n =====================================================\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3d1b83ff7b6575a4e41283203e6b2e25ea700cd7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/567f8de358b61015dcfb8878a1f06c5369a45f54\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/777ecaabd614d47c482a5c9031579e66da13989a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/dbc01c0a4e202a7e925dad1d4b7c1d6eb0c81154\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e558e148938442dd49628cd7ef61c360832bef31\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/fef70f978bc289642501d88d2a3f5e841bd31a67\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…