CVE-2022-49838

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-49838

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49838.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-49838

Related

UBUNTU-CVE-2022-49838

Published

2025-05-01T15:16:07Z

Modified

2025-05-02T14:48:29.406882Z

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved:

sctp: clear out_curr if all frag chunks of current msg are pruned

A crash was reported by Zhen Chen:

listdel corruption, ffffa035ddf01c18->next is NULL WARNING: CPU: 1 PID: 250682 at lib/listdebug.c:49 listdelentryvalid+0x59/0xe0 RIP: 0010:listdelentryvalid+0x59/0xe0 Call Trace: sctpscheddequeuecommon+0x17/0x70 [sctp] sctpschedfcfsdequeue+0x37/0x50 [sctp] sctpoutqflushdata+0x85/0x360 [sctp] sctpoutquncork+0x77/0xa0 [sctp] sctpcmdinterpreter.constprop.0+0x164/0x1450 [sctp] sctpsideeffects+0x37/0xe0 [sctp] sctpdosm+0xd0/0x230 [sctp] sctpprimitiveSEND+0x2f/0x40 [sctp] sctpsendmsgtoasoc+0x3fa/0x5c0 [sctp] sctpsendmsg+0x3d5/0x440 [sctp] socksendmsg+0x5b/0x70

and in sctpschedfcfsdequeue() it dequeued a chunk from stream outcurr outq while this outq was empty.

Normally stream->outcurr must be set to NULL once all frag chunks of current msg are dequeued, as we can see in sctpscheddequeuedone(). However, in sctpprsctppruneunsent() as it is not a proper dequeue, sctpscheddequeuedone() is not called to do this.

This patch is to fix it by simply setting outcurr to NULL when the last frag chunk of current msg is dequeued from outcurr stream in sctpprsctpprune_unsent().

References

Affected packages

Debian:11 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.10.158-1

Affected versions

5.*

5.10.46-4

5.10.46-5

5.10.70-1~bpo10+1

5.10.70-1

5.10.84-1

5.10.92-1~bpo10+1

5.10.92-1

5.10.92-2

5.10.103-1~bpo10+1

5.10.103-1

5.10.106-1

5.10.113-1

5.10.120-1~bpo10+1

5.10.120-1

5.10.127-1

5.10.127-2~bpo10+1

5.10.127-2

5.10.136-1

5.10.140-1

5.10.148-1

5.10.149-1

5.10.149-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.0.10-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.0.10-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}