CVE-2022-50003

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-50003
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50003.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-50003
Downstream
Related
Published
2025-06-18T11:01:03Z
Modified
2025-10-13T23:52:02.407789Z
Summary
ice: xsk: prohibit usage of non-balanced queue id
Details

In the Linux kernel, the following vulnerability has been resolved:

ice: xsk: prohibit usage of non-balanced queue id

Fix the following scenario: 1. ethtool -L $IFACE rx 8 tx 96 2. xdpsock -q 10 -t -z

Above refers to a case where user would like to attach XSK socket in txonly mode at a queue id that does not have a corresponding Rx queue. At this moment ice's XSK logic is tightly bound to act on a "queue pair", e.g. both Tx and Rx queues at a given queue id are disabled/enabled and both of them will get XSK pool assigned, which is broken for the presented queue configuration. This results in the splat included at the bottom, which is basically an OOB access to Rx ring array.

To fix this, allow using the ids only in scope of "combined" queues reported by ethtool. However, logic should be rewritten to allow such configurations later on, which would end up as a complete rewrite of the control path, so let us go with this temporary fix.

[420160.558008] BUG: kernel NULL pointer dereference, address: 0000000000000082 [420160.566359] #PF: supervisor read access in kernel mode [420160.572657] #PF: errorcode(0x0000) - not-present page [420160.579002] PGD 0 P4D 0 [420160.582756] Oops: 0000 [#1] PREEMPT SMP NOPTI [420160.588396] CPU: 10 PID: 21232 Comm: xdpsock Tainted: G OE 5.19.0-rc7+ #10 [420160.597893] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019 [420160.609894] RIP: 0010:icexskpoolsetup+0x44/0x7d0 [ice] [420160.616968] Code: f3 48 83 ec 40 48 8b 4f 20 48 8b 3f 65 48 8b 04 25 28 00 00 00 48 89 44 24 38 31 c0 48 8d 04 ed 00 00 00 00 48 01 c1 48 8b 11 <0f> b7 92 82 00 00 00 48 85 d2 0f 84 2d 75 00 00 48 8d 72 ff 48 85 [420160.639421] RSP: 0018:ffffc9002d2afd48 EFLAGS: 00010282 [420160.646650] RAX: 0000000000000050 RBX: ffff88811d8bdd00 RCX: ffff888112c14ff8 [420160.655893] RDX: 0000000000000000 RSI: ffff88811d8bdd00 RDI: ffff888109861000 [420160.665166] RBP: 000000000000000a R08: 000000000000000a R09: 0000000000000000 [420160.674493] R10: 000000000000889f R11: 0000000000000000 R12: 000000000000000a [420160.683833] R13: 000000000000000a R14: 0000000000000000 R15: ffff888117611828 [420160.693211] FS: 00007fa869fc1f80(0000) GS:ffff8897e0880000(0000) knlGS:0000000000000000 [420160.703645] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [420160.711783] CR2: 0000000000000082 CR3: 00000001d076c001 CR4: 00000000007706e0 [420160.721399] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [420160.731045] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [420160.740707] PKRU: 55555554 [420160.745960] Call Trace: [420160.750962] <TASK> [420160.755597] ? kmalloclargenode+0x79/0x90 [420160.762703] ? _kmallocnode+0x3f5/0x4b0 [420160.769341] xpassigndev+0xfd/0x210 [420160.775661] ? shmemfilereaditer+0x29a/0x420 [420160.782896] xskbind+0x152/0x490 [420160.788943] _sysbind+0xd0/0x100 [420160.795097] ? exittousermodeprepare+0x20/0x120 [420160.802801] _x64sysbind+0x16/0x20 [420160.809298] dosyscall64+0x38/0x90 [420160.815741] entrySYSCALL64afterhwframe+0x63/0xcd [420160.823731] RIP: 0033:0x7fa86a0dd2fb [420160.830264] Code: c3 66 0f 1f 44 00 00 48 8b 15 69 8b 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bc 0f 1f 44 00 00 f3 0f 1e fa b8 31 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 3d 8b 0c 00 f7 d8 64 89 01 48 [420160.855410] RSP: 002b:00007ffc1146f618 EFLAGS: 00000246 ORIGRAX: 0000000000000031 [420160.866366] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa86a0dd2fb [420160.876957] RDX: 0000000000000010 RSI: 00007ffc1146f680 RDI: 0000000000000003 [420160.887604] RBP: 000055d7113a0520 R08: 00007fa868fb8000 R09: 0000000080000000 [420160.898293] R10: 0000000000008001 R11: 0000000000000246 R12: 000055d7113a04e0 [420160.909038] R13: 000055d7113a0320 R14: 000000000000000a R15: 0000000000000000 [420160.919817] </TASK> [420160.925659] Modules linked in: ice(OE) afpacket binfmtmisc ---truncated---

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2d4238f5569722197612656163d824098208519c
Fixed
1bfdcde723d8ceb2d73291b0415767e7c1cc1d8a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2d4238f5569722197612656163d824098208519c
Fixed
fe76b3e674665ea4059337f8f66d20cdfb0168eb
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2d4238f5569722197612656163d824098208519c
Fixed
03a3f29fe5b1751ad9b5c892c894183e75a6e4c4
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
2d4238f5569722197612656163d824098208519c
Fixed
5a42f112d367bb4700a8a41f5c12724fde6bfbb9

Affected versions

v5.*

v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.10.1
v5.10.10
v5.10.100
v5.10.101
v5.10.102
v5.10.103
v5.10.104
v5.10.105
v5.10.106
v5.10.107
v5.10.108
v5.10.109
v5.10.11
v5.10.110
v5.10.111
v5.10.112
v5.10.113
v5.10.114
v5.10.115
v5.10.116
v5.10.117
v5.10.118
v5.10.119
v5.10.12
v5.10.120
v5.10.121
v5.10.122
v5.10.123
v5.10.124
v5.10.125
v5.10.126
v5.10.127
v5.10.128
v5.10.129
v5.10.13
v5.10.130
v5.10.131
v5.10.132
v5.10.133
v5.10.134
v5.10.135
v5.10.136
v5.10.137
v5.10.138
v5.10.139
v5.10.14
v5.10.15
v5.10.16
v5.10.17
v5.10.18
v5.10.19
v5.10.2
v5.10.20
v5.10.21
v5.10.22
v5.10.23
v5.10.24
v5.10.25
v5.10.26
v5.10.27
v5.10.28
v5.10.29
v5.10.3
v5.10.30
v5.10.31
v5.10.32
v5.10.33
v5.10.34
v5.10.35
v5.10.36
v5.10.37
v5.10.38
v5.10.39
v5.10.4
v5.10.40
v5.10.41
v5.10.42
v5.10.43
v5.10.44
v5.10.45
v5.10.46
v5.10.47
v5.10.48
v5.10.49
v5.10.5
v5.10.50
v5.10.51
v5.10.52
v5.10.53
v5.10.54
v5.10.55
v5.10.56
v5.10.57
v5.10.58
v5.10.59
v5.10.6
v5.10.60
v5.10.61
v5.10.62
v5.10.63
v5.10.64
v5.10.65
v5.10.66
v5.10.67
v5.10.68
v5.10.69
v5.10.7
v5.10.70
v5.10.71
v5.10.72
v5.10.73
v5.10.74
v5.10.75
v5.10.76
v5.10.77
v5.10.78
v5.10.79
v5.10.8
v5.10.80
v5.10.81
v5.10.82
v5.10.83
v5.10.84
v5.10.85
v5.10.86
v5.10.87
v5.10.88
v5.10.89
v5.10.9
v5.10.90
v5.10.91
v5.10.92
v5.10.93
v5.10.94
v5.10.95
v5.10.96
v5.10.97
v5.10.98
v5.10.99
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.33
v5.15.34
v5.15.35
v5.15.36
v5.15.37
v5.15.38
v5.15.39
v5.15.4
v5.15.40
v5.15.41
v5.15.42
v5.15.43
v5.15.44
v5.15.45
v5.15.46
v5.15.47
v5.15.48
v5.15.49
v5.15.5
v5.15.50
v5.15.51
v5.15.52
v5.15.53
v5.15.54
v5.15.55
v5.15.56
v5.15.57
v5.15.58
v5.15.59
v5.15.6
v5.15.60
v5.15.61
v5.15.62
v5.15.63
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.19
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.19-rc4
v5.19-rc5
v5.19-rc6
v5.19-rc7
v5.19-rc8
v5.19.1
v5.19.2
v5.19.3
v5.19.4
v5.19.5
v5.4
v5.4-rc6
v5.4-rc7
v5.4-rc8
v5.5
v5.5-rc1
v5.5-rc2
v5.5-rc3
v5.5-rc4
v5.5-rc5
v5.5-rc6
v5.5-rc7
v5.6
v5.6-rc1
v5.6-rc2
v5.6-rc3
v5.6-rc4
v5.6-rc5
v5.6-rc6
v5.6-rc7
v5.7
v5.7-rc1
v5.7-rc2
v5.7-rc3
v5.7-rc4
v5.7-rc5
v5.7-rc6
v5.7-rc7
v5.8
v5.8-rc1
v5.8-rc2
v5.8-rc3
v5.8-rc4
v5.8-rc5
v5.8-rc6
v5.8-rc7
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8

v6.*

v6.0-rc1

Database specific 

{
    "vanir_signatures": [
        {
            "signature_type": "Function",
            "target": {
                "file": "drivers/net/ethernet/intel/ice/ice_xsk.c",
                "function": "ice_xsk_pool_setup"
            },
            "signature_version": "v1",
            "digest": {
                "length": 1026.0,
                "function_hash": "57584326147476972667062826739016466991"
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fe76b3e674665ea4059337f8f66d20cdfb0168eb",
            "deprecated": false,
            "id": "CVE-2022-50003-2876d558"
        },
        {
            "signature_type": "Line",
            "target": {
                "file": "drivers/net/ethernet/intel/ice/ice_xsk.c"
            },
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "337046368400857778990887196741067728711",
                    "53731866551517152841979178648594997975",
                    "93475432831644062056913897815409387287"
                ]
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fe76b3e674665ea4059337f8f66d20cdfb0168eb",
            "deprecated": false,
            "id": "CVE-2022-50003-3b35fd4b"
        },
        {
            "signature_type": "Line",
            "target": {
                "file": "drivers/net/ethernet/intel/ice/ice_xsk.c"
            },
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "337046368400857778990887196741067728711",
                    "53731866551517152841979178648594997975",
                    "93475432831644062056913897815409387287"
                ]
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@03a3f29fe5b1751ad9b5c892c894183e75a6e4c4",
            "deprecated": false,
            "id": "CVE-2022-50003-556b14b1"
        },
        {
            "signature_type": "Function",
            "target": {
                "file": "drivers/net/ethernet/intel/ice/ice_xsk.c",
                "function": "ice_xsk_pool_setup"
            },
            "signature_version": "v1",
            "digest": {
                "length": 1026.0,
                "function_hash": "57584326147476972667062826739016466991"
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@03a3f29fe5b1751ad9b5c892c894183e75a6e4c4",
            "deprecated": false,
            "id": "CVE-2022-50003-5b0842f6"
        },
        {
            "signature_type": "Function",
            "target": {
                "file": "drivers/net/ethernet/intel/ice/ice_xsk.c",
                "function": "ice_xsk_pool_setup"
            },
            "signature_version": "v1",
            "digest": {
                "length": 1026.0,
                "function_hash": "57584326147476972667062826739016466991"
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5a42f112d367bb4700a8a41f5c12724fde6bfbb9",
            "deprecated": false,
            "id": "CVE-2022-50003-7f87cbd4"
        },
        {
            "signature_type": "Function",
            "target": {
                "file": "drivers/net/ethernet/intel/ice/ice_xsk.c",
                "function": "ice_xsk_pool_setup"
            },
            "signature_version": "v1",
            "digest": {
                "length": 1026.0,
                "function_hash": "57584326147476972667062826739016466991"
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1bfdcde723d8ceb2d73291b0415767e7c1cc1d8a",
            "deprecated": false,
            "id": "CVE-2022-50003-9166258c"
        },
        {
            "signature_type": "Line",
            "target": {
                "file": "drivers/net/ethernet/intel/ice/ice_xsk.c"
            },
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "337046368400857778990887196741067728711",
                    "53731866551517152841979178648594997975",
                    "93475432831644062056913897815409387287"
                ]
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5a42f112d367bb4700a8a41f5c12724fde6bfbb9",
            "deprecated": false,
            "id": "CVE-2022-50003-9cc6b795"
        },
        {
            "signature_type": "Line",
            "target": {
                "file": "drivers/net/ethernet/intel/ice/ice_xsk.c"
            },
            "signature_version": "v1",
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "337046368400857778990887196741067728711",
                    "53731866551517152841979178648594997975",
                    "93475432831644062056913897815409387287"
                ]
            },
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1bfdcde723d8ceb2d73291b0415767e7c1cc1d8a",
            "deprecated": false,
            "id": "CVE-2022-50003-a4a252ba"
        }
    ]
}

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.140
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.64
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.19.6