In the Linux kernel, the following vulnerability has been resolved:
kcm: close race conditions on sk_receive_queue
sk->sk_receive_queue is protected by the skb queue lock, but for KCM sockets its RX path takes mux->rx_lock to protect more than just the skb queue. However, kcm_recvmsg() still only grabs the skb queue lock, so race conditions still exist.
We can teach kcm_recvmsg() to grab mux->rx_lock too, but this would introduce a potential performance regression as struct kcm_mux can be shared by multiple KCM sockets.
So we have to enforce the skb queue lock in requeue_rx_msgs() and handle the skb peek case carefully in kcm_wait_data(). Fortunately, skb_recv_datagram() already handles it nicely and is widely used by other sockets, so we can just switch to skb_recv_datagram() after getting rid of the unnecessary sock lock in kcm_recvmsg() and kcm_splice_read(). Side note: SOCK_DONE is not used by KCM sockets, so it is safe to get rid of this check too.
I ran the original syzbot reproducer for 30 min without seeing any issue.
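The locking rule behind this fix is general: a list that one reader protects with only its own lock must never be modified by a writer holding only some other lock. The following user-space model, added here and not taken from the kernel or the commit, restates the situation with pthreads. The names `rx_lock`, `queue_lock`, `requeue_rx_msgs` and `kcm_recvmsg` mirror the commit message but the code, the `mux`/`rx_queue` structures and the `run_rx_model` driver are constructed for illustration. The `lock_queue` parameter marks the one line the fix adds: with it, a producer that requeues under `rx_lock` also takes the queue's own lock, and a reader that takes only the queue lock (as `skb_recv_datagram()` does) sees every message exactly once.

```c
/* Constructed user-space model of the KCM receive-queue locking fix.
 * Not kernel code: rx_lock models mux->rx_lock, queue_lock models the
 * spinlock inside sk->sk_receive_queue. */
#include <pthread.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>

struct msg { long id; struct msg *next; };

/* One socket's receive queue: the list plus its own lock (the skb queue lock). */
struct rx_queue {
    pthread_mutex_t queue_lock;
    struct msg *head, *tail;
};

/* Mux-wide state. rx_lock guards the ready list and whatever else the real
 * kcm_mux shares between its sockets; it does not replace the queue lock. */
struct mux {
    pthread_mutex_t rx_lock;
    struct msg *ready;            /* messages staged for the socket queue */
    struct rx_queue rxq;          /* the socket's sk_receive_queue */
    long nmsgs;                   /* messages the producer will send */
};

/* Caller holds q->queue_lock. */
static void queue_push_tail(struct rx_queue *q, struct msg *m)
{
    m->next = NULL;
    if (q->tail) q->tail->next = m; else q->head = m;
    q->tail = m;
}

/* Caller holds q->queue_lock. */
static struct msg *queue_pop_head(struct rx_queue *q)
{
    struct msg *m = q->head;
    if (m) { q->head = m->next; if (!q->head) q->tail = NULL; }
    return m;
}

/* Model of requeue_rx_msgs(): caller holds rx_lock. The fix is the queue_lock
 * acquisition; with lock_queue == 0 the list is spliced under rx_lock only,
 * which the reader never takes, so the two paths race on head/tail. */
static void requeue_rx_msgs(struct mux *mx, int lock_queue)
{
    if (lock_queue) pthread_mutex_lock(&mx->rxq.queue_lock);
    while (mx->ready) {
        struct msg *m = mx->ready;
        mx->ready = m->next;
        queue_push_tail(&mx->rxq, m);
    }
    if (lock_queue) pthread_mutex_unlock(&mx->rxq.queue_lock);
}

/* Model of kcm_recvmsg() after the fix: like skb_recv_datagram() it takes only
 * the queue lock, never the socket lock or rx_lock. Returns the message id,
 * or -1 when the queue is empty. */
static long kcm_recvmsg(struct mux *mx)
{
    pthread_mutex_lock(&mx->rxq.queue_lock);
    struct msg *m = queue_pop_head(&mx->rxq);
    pthread_mutex_unlock(&mx->rxq.queue_lock);
    if (!m) return -1;
    long id = m->id;
    free(m);
    return id;
}

struct worker { struct mux *mx; int lock_queue; long sum; long count; };

static void *producer(void *arg)
{
    struct worker *w = arg;
    for (long i = 0; i < w->mx->nmsgs; i++) {
        struct msg *m = calloc(1, sizeof *m);
        m->id = i;
        pthread_mutex_lock(&w->mx->rx_lock);
        m->next = w->mx->ready;               /* stage on the mux ready list */
        w->mx->ready = m;
        requeue_rx_msgs(w->mx, w->lock_queue);
        pthread_mutex_unlock(&w->mx->rx_lock);
    }
    return NULL;
}

static void *consumer(void *arg)
{
    struct worker *w = arg;
    while (w->count < w->mx->nmsgs) {
        long id = kcm_recvmsg(w->mx);
        if (id < 0) { sched_yield(); continue; }
        w->sum += id;
        w->count++;
    }
    return NULL;
}

/* Runs one producer and one consumer over nmsgs messages. Returns the number
 * received when every id 0..nmsgs-1 arrived exactly once (checked via the
 * sum), else -1. Only lock_queue == 1 is safe to run: lock_queue == 0 models
 * the pre-fix race and can lose messages (hanging the consumer) or crash. */
long run_rx_model(long nmsgs, int lock_queue)
{
    struct mux mx = { .nmsgs = nmsgs };
    pthread_mutex_init(&mx.rx_lock, NULL);
    pthread_mutex_init(&mx.rxq.queue_lock, NULL);
    struct worker p = { &mx, lock_queue, 0, 0 }, c = { &mx, lock_queue, 0, 0 };
    pthread_t tp, tc;
    pthread_create(&tp, NULL, producer, &p);
    pthread_create(&tc, NULL, consumer, &c);
    pthread_join(tp, NULL);
    pthread_join(tc, NULL);
    return c.sum == nmsgs * (nmsgs - 1) / 2 ? c.count : -1;
}

int main(void)
{
    printf("received %ld messages with the queue lock held in requeue\n",
           run_rx_model(100000, 1));
    return 0;
}
```

The model keeps the reader cheap, which is the commit's motivation for not taking `rx_lock` in `kcm_recvmsg()`: the shared mux lock stays on the producer side, and correctness comes from the writer honouring the queue's own lock rather than from the reader taking a second one.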