CVE-2022-49450

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-49450

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49450.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-49450

Downstream

OESA-2025-1408

UBUNTU-CVE-2022-49450

Published

2025-02-26T07:01:21Z

Modified

2025-07-01T14:23:06.112717Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix listen() setting the bar too high for the prealloc rings

AFRXRPC's listen() handler lets you set the backlog up to 32 (if you bump up the sysctl), but whilst the preallocation circular buffers have 32 slots in them, one of them has to be a dead slot because we're using CIRCCNT().

This means that listen(rxrpcsock, 32) will cause an oops when the socket is closed because rxrpcservicepreallocone() allocated one too many calls and rxrpcdiscardprealloc() won't then be able to get rid of them because it'll think the ring is empty. rxrpcreleasecallsonsocket() then tries to abort them, but oopses because call->peer isn't yet set.

Fix this by setting the maximum backlog to RXRPCBACKLOGMAX - 1 to match the ring capacity.

BUG: kernel NULL pointer dereference, address: 0000000000000086 ... RIP: 0010:rxrpcsendabortpacket+0x73/0x240 [rxrpc] Call Trace: <TASK> ? _wakeupcommonlock+0x7a/0x90 ? rxrpcnotifysocket+0x8e/0x140 [rxrpc] ? rxrpcabortcall+0x4c/0x60 [rxrpc] rxrpcreleasecallsonsocket+0x107/0x1a0 [rxrpc] rxrpcrelease+0xc9/0x1c0 [rxrpc] _sockrelease+0x37/0xa0 sockclose+0x11/0x20 _fput+0x89/0x240 taskworkrun+0x59/0x90 do_exit+0x319/0xaa0

References

Affected packages

Debian:11 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.10.127-1

Affected versions

5.*

5.10.46-4

5.10.46-5

5.10.70-1~bpo10+1

5.10.70-1

5.10.84-1

5.10.92-1~bpo10+1

5.10.92-1

5.10.92-2

5.10.103-1~bpo10+1

5.10.103-1

5.10.106-1

5.10.113-1

5.10.120-1~bpo10+1

5.10.120-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.18.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.18.5-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}