ghsa-h8g4-6mrj-mfm8
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Fix the sk->sk_forward_alloc warning of sk_stream_kill_queues
When running test_sockmap selftests, the following warning appears:
WARNING: CPU: 2 PID: 197 at net/core/stream.c:205 sk_stream_kill_queues+0xd3/0xf0 Call Trace: inet_csk_destroy_sock+0x55/0x110 tcp_rcv_state_process+0xd28/0x1380 ? tcp_v4_do_rcv+0x77/0x2c0 tcp_v4_do_rcv+0x77/0x2c0 __release_sock+0x106/0x130 __tcp_close+0x1a7/0x4e0 tcp_close+0x20/0x70 inet_release+0x3c/0x80 __sock_release+0x3a/0xb0 sock_close+0x14/0x20 __fput+0xa3/0x260 task_work_run+0x59/0xb0 exit_to_user_mode_prepare+0x1b3/0x1c0 syscall_exit_to_user_mode+0x19/0x50 do_syscall_64+0x48/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae
The root case is in commit 84472b436e76 ("bpf, sockmap: Fix more uncharged while msg has more_data"), where I used msg->sg.size to replace the tosend, causing breakage:
if (msg->apply_bytes && msg->apply_bytes < tosend) tosend = psock->apply_bytes;
{
"affected": [],
"aliases": [
"CVE-2022-49877"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-01T15:16:12Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix the sk-\u003esk_forward_alloc warning of sk_stream_kill_queues\n\nWhen running `test_sockmap` selftests, the following warning appears:\n\n WARNING: CPU: 2 PID: 197 at net/core/stream.c:205 sk_stream_kill_queues+0xd3/0xf0\n Call Trace:\n \u003cTASK\u003e\n inet_csk_destroy_sock+0x55/0x110\n tcp_rcv_state_process+0xd28/0x1380\n ? tcp_v4_do_rcv+0x77/0x2c0\n tcp_v4_do_rcv+0x77/0x2c0\n __release_sock+0x106/0x130\n __tcp_close+0x1a7/0x4e0\n tcp_close+0x20/0x70\n inet_release+0x3c/0x80\n __sock_release+0x3a/0xb0\n sock_close+0x14/0x20\n __fput+0xa3/0x260\n task_work_run+0x59/0xb0\n exit_to_user_mode_prepare+0x1b3/0x1c0\n syscall_exit_to_user_mode+0x19/0x50\n do_syscall_64+0x48/0x90\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nThe root case is in commit 84472b436e76 (\"bpf, sockmap: Fix more uncharged\nwhile msg has more_data\"), where I used msg-\u003esg.size to replace the tosend,\ncausing breakage:\n\n if (msg-\u003eapply_bytes \u0026\u0026 msg-\u003eapply_bytes \u003c tosend)\n tosend = psock-\u003eapply_bytes;",
"id": "GHSA-h8g4-6mrj-mfm8",
"modified": "2025-05-01T15:31:51Z",
"published": "2025-05-01T15:31:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49877"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/14e8bc3bf7bd6af64d7538a0684c8238d96cdfd7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8ec95b94716a1e4d126edc3fb2bc426a717e2dba"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/95adbd2ac8de82e43fd6b347e7e1b47f74dc1abb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cc21dc48a78cc9e5af9a4d039cd456446a6e73ff"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d975bec1eaeb52341acc9273db79ddb078220399"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.