CVE-2022-49973 | THREATINT

Description

In the Linux kernel, the following vulnerability has been resolved: skmsg: Fix wrong last sg check in sk_msg_recvmsg() Fix one kernel NULL pointer dereference as below: [ 224.462334] Call Trace: [ 224.462394] __tcp_bpf_recvmsg+0xd3/0x380 [ 224.462441] ? sock_has_perm+0x78/0xa0 [ 224.462463] tcp_bpf_recvmsg+0x12e/0x220 [ 224.462494] inet_recvmsg+0x5b/0xd0 [ 224.462534] __sys_recvfrom+0xc8/0x130 [ 224.462574] ? syscall_trace_enter+0x1df/0x2e0 [ 224.462606] ? __do_page_fault+0x2de/0x500 [ 224.462635] __x64_sys_recvfrom+0x24/0x30 [ 224.462660] do_syscall_64+0x5d/0x1d0 [ 224.462709] entry_SYSCALL_64_after_hwframe+0x65/0xca In commit 9974d37ea75f ("skmsg: Fix invalid last sg check in sk_msg_recvmsg()"), we change last sg check to sg_is_last(), but in sockmap redirection case (without stream_parser/stream_verdict/ skb_verdict), we did not mark the end of the scatterlist. Check the sk_msg_alloc, sk_msg_page_add, and bpf_msg_push_data functions, they all do not mark the end of sg. They are expected to use sg.end for end judgment. So the judgment of '(i != msg_rx->sg.end)' is added back here.

Reserved 2025-06-18 | Published 2025-06-18 | Updated 2025-06-18 | Assigner Linux

Product status

Default status

unaffected

293c53b7dbf9073cbcc488f938bc053ff4caeec0 before de22cba333d8699ad77e79f862fe1320cb1284de

affected

1295dae30f30c3daa03005ed8958d44b17f037fd before 10ee118a1756141f8e9c87aa7344ed12b41630a8

affected

9974d37ea75f01b47d16072b5dad305bd8d23fcc before 583585e48d965338e73e1eb383768d16e0922d73

affected

4674c0da448b546e390a981b819cd4af5cb16cf9

affected

Default status

unaffected

5.15.61 before 5.15.66

affected

5.19.2 before 5.19.8

affected

References

git.kernel.org/...c/de22cba333d8699ad77e79f862fe1320cb1284de

git.kernel.org/...c/10ee118a1756141f8e9c87aa7344ed12b41630a8

git.kernel.org/...c/583585e48d965338e73e1eb383768d16e0922d73

cve.org (CVE-2022-49973)

nvd.nist.gov (CVE-2022-49973)

Download JSON