Description

In the Linux kernel, the following vulnerability has been resolved:

tipc: fix an information leak in tipc_topsrv_kern_subscr

Use an 8-byte write to initialize sub.usr_handle in tipc_topsrv_kern_subscr(), otherwise four bytes remain uninitialized when issuing setsockopt(..., SOL_TIPC, ...).

This resulted in an infoleak reported by KMSAN when the packet was received:

  =====================================================
  BUG: KMSAN: kernel-infoleak in copyout+0xbc/0x100 lib/iov_iter.c:169
   instrument_copy_to_user ./include/linux/instrumented.h:121
   copyout+0xbc/0x100 lib/iov_iter.c:169
   _copy_to_iter+0x5c0/0x20a0 lib/iov_iter.c:527
   copy_to_iter ./include/linux/uio.h:176
   simple_copy_to_iter+0x64/0xa0 net/core/datagram.c:513
   __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419
   skb_copy_datagram_iter+0x58/0x200 net/core/datagram.c:527
   skb_copy_datagram_msg ./include/linux/skbuff.h:3903
   packet_recvmsg+0x521/0x1e70 net/packet/af_packet.c:3469
   ____sys_recvmsg+0x2c4/0x810 net/socket.c:?
   ___sys_recvmsg+0x217/0x840 net/socket.c:2743
   __sys_recvmsg net/socket.c:2773
   __do_sys_recvmsg net/socket.c:2783
   __se_sys_recvmsg net/socket.c:2780
   __x64_sys_recvmsg+0x364/0x540 net/socket.c:2780
   do_syscall_x64 arch/x86/entry/common.c:50
   do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
   entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120

  ...

  Uninit was stored to memory at:
   tipc_sub_subscribe+0x42d/0xb50 net/tipc/subscr.c:156
   tipc_conn_rcv_sub+0x246/0x620 net/tipc/topsrv.c:375
   tipc_topsrv_kern_subscr+0x2e8/0x400 net/tipc/topsrv.c:579
   tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190
   tipc_sk_join+0x2a8/0x770 net/tipc/socket.c:3084
   tipc_setsockopt+0xae5/0xe40 net/tipc/socket.c:3201
   __sys_setsockopt+0x87f/0xdc0 net/socket.c:2252
   __do_sys_setsockopt net/socket.c:2263
   __se_sys_setsockopt net/socket.c:2260
   __x64_sys_setsockopt+0xe0/0x160 net/socket.c:2260
   do_syscall_x64 arch/x86/entry/common.c:50
   do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
   entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120

  Local variable sub created at:
   tipc_topsrv_kern_subscr+0x57/0x400 net/tipc/topsrv.c:562
   tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190

  Bytes 84-87 of 88 are uninitialized
  Memory access of size 88 starts at ffff88801ed57cd0
  Data copied to user address 0000000020000400

  ...
  =====================================================
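
Added example (not the kernel's code and not part of the CVE record): a user-space C model of the write-width problem the description names, comparing a 4-byte and an 8-byte initialization of an 8-byte handle. The struct demo_sub, its filler fields, the POISON pattern and the port value are assumptions made for illustration; only the usr_handle name and its 8-byte width come from the description.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON 0xAA /* constructed marker standing in for stale stack bytes */

/* Hypothetical stand-in for the on-stack request object. Only usr_handle
 * is named in the description; filler[] is illustrative. */
struct demo_sub {
    uint32_t filler[5];
    char usr_handle[8];
};

/* Pre-fix pattern: a 4-byte store into the 8-byte handle. */
static void init_handle_narrow(struct demo_sub *sub, uint32_t port)
{
    memset(sub->filler, 0, sizeof(sub->filler));
    memcpy(sub->usr_handle, &port, sizeof(port));
}

/* Fixed pattern: widen the value so the store covers all 8 bytes. */
static void init_handle_wide(struct demo_sub *sub, uint32_t port)
{
    uint64_t handle = port;
    memset(sub->filler, 0, sizeof(sub->filler));
    memcpy(sub->usr_handle, &handle, sizeof(handle));
}

/* Poison the object, run one initializer, then count the bytes a
 * whole-object copy would still carry over from the poisoned memory. */
static size_t stale_bytes(void (*init)(struct demo_sub *, uint32_t),
                          size_t *first_stale)
{
    struct demo_sub sub;
    const unsigned char *p = (const unsigned char *)&sub;
    size_t i, n = 0;
    memset(&sub, POISON, sizeof(sub));
    init(&sub, 0x01020304u); /* constructed port value, has no 0xAA byte */
    *first_stale = sizeof(sub); /* sentinel: no stale byte found */
    for (i = 0; i < sizeof(sub); i++)
        if (p[i] == POISON && n++ == 0)
            *first_stale = i;
    return n;
}

int main(void)
{
    size_t first, n = stale_bytes(init_handle_narrow, &first);
    printf("4-byte init: %zu stale bytes, first at offset %zu\n", n, first);
    printf("8-byte init: %zu stale bytes\n", stale_bytes(init_handle_wide, &first));
    return 0;
}
```

The stale bytes after the narrow store are the last four of the object, the same position the KMSAN report gives for the copied buffer (bytes 84-87 of 88).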

PUBLISHED Reserved 2025-10-07 | Published 2025-10-07 | Updated 2025-10-07 | Assigner Linux

Product status

Default status: unaffected

026321c6d056a54b4145522492245d2b5913ee1d before 3d1b83ff7b6575a4e41283203e6b2e25ea700cd7: affected
026321c6d056a54b4145522492245d2b5913ee1d before 567f8de358b61015dcfb8878a1f06c5369a45f54: affected
026321c6d056a54b4145522492245d2b5913ee1d before e558e148938442dd49628cd7ef61c360832bef31: affected
026321c6d056a54b4145522492245d2b5913ee1d before dbc01c0a4e202a7e925dad1d4b7c1d6eb0c81154: affected
026321c6d056a54b4145522492245d2b5913ee1d before fef70f978bc289642501d88d2a3f5e841bd31a67: affected
026321c6d056a54b4145522492245d2b5913ee1d before 777ecaabd614d47c482a5c9031579e66da13989a: affected

Default status: affected

4.17: affected
Any version before 4.17: unaffected
4.19.264: unaffected
5.4.221: unaffected
5.10.152: unaffected
5.15.76: unaffected
6.0.6: unaffected
6.1: unaffected

References

git.kernel.org/...c/3d1b83ff7b6575a4e41283203e6b2e25ea700cd7

git.kernel.org/...c/567f8de358b61015dcfb8878a1f06c5369a45f54

git.kernel.org/...c/e558e148938442dd49628cd7ef61c360832bef31

git.kernel.org/...c/dbc01c0a4e202a7e925dad1d4b7c1d6eb0c81154

git.kernel.org/...c/fef70f978bc289642501d88d2a3f5e841bd31a67

git.kernel.org/...c/777ecaabd614d47c482a5c9031579e66da13989a

cve.org (CVE-2022-50531)

nvd.nist.gov (CVE-2022-50531)