{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2022-49205","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-02-26T01:49:39.291Z","datePublished":"2025-02-26T01:55:45.177Z","dateUpdated":"2025-05-04T08:32:19.084Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T08:32:19.084Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix double uncharge the mem of sk_msg\n\nIf tcp_bpf_sendmsg is running during a tear down operation, psock may be\nfreed.\n\ntcp_bpf_sendmsg()\n tcp_bpf_send_verdict()\n  sk_msg_return()\n  tcp_bpf_sendmsg_redir()\n   unlikely(!psock))\n     sk_msg_free()\n\nThe mem of msg has been uncharged in tcp_bpf_send_verdict() by\nsk_msg_return(), and would be uncharged by sk_msg_free() again. When psock\nis null, we can simply returning an error code, this would then trigger\nthe sk_msg_free_nocharge in the error path of __SK_REDIRECT and would have\nthe side effect of throwing an error up to user space. This would be a\nslight change in behavior from user side but would look the same as an\nerror if the redirect on the socket threw an error.\n\nThis issue can cause the following info:\nWARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260\nCall Trace:\n <TASK>\n __sk_destruct+0x24/0x1f0\n sk_psock_destroy+0x19b/0x1c0\n process_one_work+0x1b3/0x3c0\n worker_thread+0x30/0x350\n ? process_one_work+0x3c0/0x3c0\n kthread+0xe6/0x110\n ? kthread_complete_and_exit+0x20/0x20\n ret_from_fork+0x22/0x30\n </TASK>"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/tcp_bpf.c"],"versions":[{"version":"604326b41a6fb9b4a78b6179335decee0365cd8c","lessThan":"94c6ac22abcdede72bfaa0f4c22fb370891f4002","status":"affected","versionType":"git"},{"version":"604326b41a6fb9b4a78b6179335decee0365cd8c","lessThan":"cd84ea3920aef936c559b63099ef0013ce6b2325","status":"affected","versionType":"git"},{"version":"604326b41a6fb9b4a78b6179335decee0365cd8c","lessThan":"cb6f141ae705af0101e819065a79e6d029f6e393","status":"affected","versionType":"git"},{"version":"604326b41a6fb9b4a78b6179335decee0365cd8c","lessThan":"223f3c51ab163852dd4819d357dcf33039929434","status":"affected","versionType":"git"},{"version":"604326b41a6fb9b4a78b6179335decee0365cd8c","lessThan":"ac3ecb7760c750c8e4fc09c719241d8e6e88028c","status":"affected","versionType":"git"},{"version":"604326b41a6fb9b4a78b6179335decee0365cd8c","lessThan":"2486ab434b2c2a14e9237296db00b1e1b7ae3273","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/tcp_bpf.c"],"versions":[{"version":"4.20","status":"affected"},{"version":"0","lessThan":"4.20","status":"unaffected","versionType":"semver"},{"version":"5.4.189","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.110","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.33","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.16.19","lessThanOrEqual":"5.16.*","status":"unaffected","versionType":"semver"},{"version":"5.17.2","lessThanOrEqual":"5.17.*","status":"unaffected","versionType":"semver"},{"version":"5.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.4.189"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.10.110"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.15.33"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.16.19"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.17.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.20","versionEndExcluding":"5.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/94c6ac22abcdede72bfaa0f4c22fb370891f4002"},{"url":"https://git.kernel.org/stable/c/cd84ea3920aef936c559b63099ef0013ce6b2325"},{"url":"https://git.kernel.org/stable/c/cb6f141ae705af0101e819065a79e6d029f6e393"},{"url":"https://git.kernel.org/stable/c/223f3c51ab163852dd4819d357dcf33039929434"},{"url":"https://git.kernel.org/stable/c/ac3ecb7760c750c8e4fc09c719241d8e6e88028c"},{"url":"https://git.kernel.org/stable/c/2486ab434b2c2a14e9237296db00b1e1b7ae3273"}],"title":"bpf, sockmap: Fix double uncharge the mem of sk_msg","x_generator":{"engine":"bippy-1.2.0"}}}}