github - ghsa-mpjj-88pq-258q

ghsa-mpjj-88pq-258q

Vulnerability from github

Published

2025-06-18 12:30

Modified

2025-06-18 12:30

Details

In the Linux kernel, the following vulnerability has been resolved:

xfrm: policy: fix metadata dst->dev xmit null pointer dereference

When we try to transmit an skb with metadata_dst attached (i.e. dst->dev == NULL) through xfrm interface we can hit a null pointer dereference[1] in xfrmi_xmit2() -> xfrm_lookup_with_ifid() due to the check for a loopback skb device when there's no policy which dereferences dst->dev unconditionally. Not having dst->dev can be interepreted as it not being a loopback device, so just add a check for a null dst_orig->dev.

With this fix xfrm interface's Tx error counters go up as usual.

[1] net-next calltrace captured via netconsole: BUG: kernel NULL pointer dereference, address: 00000000000000c0 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP CPU: 1 PID: 7231 Comm: ping Kdump: loaded Not tainted 5.19.0+ #24 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-1.fc36 04/01/2014 RIP: 0010:xfrm_lookup_with_ifid+0x5eb/0xa60 Code: 8d 74 24 38 e8 26 a4 37 00 48 89 c1 e9 12 fc ff ff 49 63 ed 41 83 fd be 0f 85 be 01 00 00 41 be ff ff ff ff 45 31 ed 48 8b 03 80 c0 00 00 00 08 75 0f 41 80 bc 24 19 0d 00 00 01 0f 84 1e 02 RSP: 0018:ffffb0db82c679f0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffd0db7fcad430 RCX: ffffb0db82c67a10 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb0db82c67a80 RBP: ffffb0db82c67a80 R08: ffffb0db82c67a14 R09: 0000000000000000 R10: 0000000000000000 R11: ffff8fa449667dc8 R12: ffffffff966db880 R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000000 FS: 00007ff35c83f000(0000) GS:ffff8fa478480000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000c0 CR3: 000000001ebb7000 CR4: 0000000000350ee0 Call Trace: xfrmi_xmit+0xde/0x460 ? tcf_bpf_act+0x13d/0x2a0 dev_hard_start_xmit+0x72/0x1e0 __dev_queue_xmit+0x251/0xd30 ip_finish_output2+0x140/0x550 ip_push_pending_frames+0x56/0x80 raw_sendmsg+0x663/0x10a0 ? try_charge_memcg+0x3fd/0x7a0 ? __mod_memcg_lruvec_state+0x93/0x110 ? sock_sendmsg+0x30/0x40 sock_sendmsg+0x30/0x40 __sys_sendto+0xeb/0x130 ? handle_mm_fault+0xae/0x280 ? do_user_addr_fault+0x1e7/0x680 ? kvm_read_and_reset_apf_flags+0x3b/0x50 __x64_sys_sendto+0x20/0x30 do_syscall_64+0x34/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7ff35cac1366 Code: eb 0b 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 72 c3 90 55 48 83 ec 30 44 89 4c 24 2c 4c 89 RSP: 002b:00007fff738e4028 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007fff738e57b0 RCX: 00007ff35cac1366 RDX: 0000000000000040 RSI: 0000557164e4b450 RDI: 0000000000000003 RBP: 0000557164e4b450 R08: 00007fff738e7a2c R09: 0000000000000010 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040 R13: 00007fff738e5770 R14: 00007fff738e4030 R15: 0000001d00000001 Modules linked in: netconsole veth br_netfilter bridge bonding virtio_net [last unloaded: netconsole] CR2: 00000000000000c0

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-50004"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-18T11:15:28Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: policy: fix metadata dst-\u003edev xmit null pointer dereference\n\nWhen we try to transmit an skb with metadata_dst attached (i.e. dst-\u003edev\n== NULL) through xfrm interface we can hit a null pointer dereference[1]\nin xfrmi_xmit2() -\u003e xfrm_lookup_with_ifid() due to the check for a\nloopback skb device when there\u0027s no policy which dereferences dst-\u003edev\nunconditionally. Not having dst-\u003edev can be interepreted as it not being\na loopback device, so just add a check for a null dst_orig-\u003edev.\n\nWith this fix xfrm interface\u0027s Tx error counters go up as usual.\n\n[1] net-next calltrace captured via netconsole:\n  BUG: kernel NULL pointer dereference, address: 00000000000000c0\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: 0000 [#1] PREEMPT SMP\n  CPU: 1 PID: 7231 Comm: ping Kdump: loaded Not tainted 5.19.0+ #24\n  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-1.fc36 04/01/2014\n  RIP: 0010:xfrm_lookup_with_ifid+0x5eb/0xa60\n  Code: 8d 74 24 38 e8 26 a4 37 00 48 89 c1 e9 12 fc ff ff 49 63 ed 41 83 fd be 0f 85 be 01 00 00 41 be ff ff ff ff 45 31 ed 48 8b 03 \u003cf6\u003e 80 c0 00 00 00 08 75 0f 41 80 bc 24 19 0d 00 00 01 0f 84 1e 02\n  RSP: 0018:ffffb0db82c679f0 EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: ffffd0db7fcad430 RCX: ffffb0db82c67a10\n  RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb0db82c67a80\n  RBP: ffffb0db82c67a80 R08: ffffb0db82c67a14 R09: 0000000000000000\n  R10: 0000000000000000 R11: ffff8fa449667dc8 R12: ffffffff966db880\n  R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000000\n  FS:  00007ff35c83f000(0000) GS:ffff8fa478480000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00000000000000c0 CR3: 000000001ebb7000 CR4: 0000000000350ee0\n  Call Trace:\n   \u003cTASK\u003e\n   xfrmi_xmit+0xde/0x460\n   ? tcf_bpf_act+0x13d/0x2a0\n   dev_hard_start_xmit+0x72/0x1e0\n   __dev_queue_xmit+0x251/0xd30\n   ip_finish_output2+0x140/0x550\n   ip_push_pending_frames+0x56/0x80\n   raw_sendmsg+0x663/0x10a0\n   ? try_charge_memcg+0x3fd/0x7a0\n   ? __mod_memcg_lruvec_state+0x93/0x110\n   ? sock_sendmsg+0x30/0x40\n   sock_sendmsg+0x30/0x40\n   __sys_sendto+0xeb/0x130\n   ? handle_mm_fault+0xae/0x280\n   ? do_user_addr_fault+0x1e7/0x680\n   ? kvm_read_and_reset_apf_flags+0x3b/0x50\n   __x64_sys_sendto+0x20/0x30\n   do_syscall_64+0x34/0x80\n   entry_SYSCALL_64_after_hwframe+0x46/0xb0\n  RIP: 0033:0x7ff35cac1366\n  Code: eb 0b 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 2c 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 72 c3 90 55 48 83 ec 30 44 89 4c 24 2c 4c 89\n  RSP: 002b:00007fff738e4028 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\n  RAX: ffffffffffffffda RBX: 00007fff738e57b0 RCX: 00007ff35cac1366\n  RDX: 0000000000000040 RSI: 0000557164e4b450 RDI: 0000000000000003\n  RBP: 0000557164e4b450 R08: 00007fff738e7a2c R09: 0000000000000010\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040\n  R13: 00007fff738e5770 R14: 00007fff738e4030 R15: 0000001d00000001\n   \u003c/TASK\u003e\n  Modules linked in: netconsole veth br_netfilter bridge bonding virtio_net [last unloaded: netconsole]\n  CR2: 00000000000000c0",
  "id": "GHSA-mpjj-88pq-258q",
  "modified": "2025-06-18T12:30:40Z",
  "published": "2025-06-18T12:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50004"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/17ecd4a4db4783392edd4944f5e8268205083f70"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2761612bcde9776dd93ce60ce55ef0b7c7329153"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/96f2758a6d028d1ac08616de9c3c7ff2a122ecf1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e26d676c1f9f335510780b566a10475c47ce03d0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2022-50004 (GCVE-0-2022-50004)

Vulnerability from cvelistv5

Published

2025-06-18 11:01

Modified

2025-06-18 11:01

Severity ?

Summary

In the Linux kernel, the following vulnerability has been resolved: xfrm: policy: fix metadata dst->dev xmit null pointer dereference When we try to transmit an skb with metadata_dst attached (i.e. dst->dev == NULL) through xfrm interface we can hit a null pointer dereference[1] in xfrmi_xmit2() -> xfrm_lookup_with_ifid() due to the check for a loopback skb device when there's no policy which dereferences dst->dev unconditionally. Not having dst->dev can be interepreted as it not being a loopback device, so just add a check for a null dst_orig->dev. With this fix xfrm interface's Tx error counters go up as usual. [1] net-next calltrace captured via netconsole: BUG: kernel NULL pointer dereference, address: 00000000000000c0 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP CPU: 1 PID: 7231 Comm: ping Kdump: loaded Not tainted 5.19.0+ #24 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-1.fc36 04/01/2014 RIP: 0010:xfrm_lookup_with_ifid+0x5eb/0xa60 Code: 8d 74 24 38 e8 26 a4 37 00 48 89 c1 e9 12 fc ff ff 49 63 ed 41 83 fd be 0f 85 be 01 00 00 41 be ff ff ff ff 45 31 ed 48 8b 03 <f6> 80 c0 00 00 00 08 75 0f 41 80 bc 24 19 0d 00 00 01 0f 84 1e 02 RSP: 0018:ffffb0db82c679f0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffd0db7fcad430 RCX: ffffb0db82c67a10 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb0db82c67a80 RBP: ffffb0db82c67a80 R08: ffffb0db82c67a14 R09: 0000000000000000 R10: 0000000000000000 R11: ffff8fa449667dc8 R12: ffffffff966db880 R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000000 FS: 00007ff35c83f000(0000) GS:ffff8fa478480000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000c0 CR3: 000000001ebb7000 CR4: 0000000000350ee0 Call Trace: <TASK> xfrmi_xmit+0xde/0x460 ? tcf_bpf_act+0x13d/0x2a0 dev_hard_start_xmit+0x72/0x1e0 __dev_queue_xmit+0x251/0xd30 ip_finish_output2+0x140/0x550 ip_push_pending_frames+0x56/0x80 raw_sendmsg+0x663/0x10a0 ? try_charge_memcg+0x3fd/0x7a0 ? __mod_memcg_lruvec_state+0x93/0x110 ? sock_sendmsg+0x30/0x40 sock_sendmsg+0x30/0x40 __sys_sendto+0xeb/0x130 ? handle_mm_fault+0xae/0x280 ? do_user_addr_fault+0x1e7/0x680 ? kvm_read_and_reset_apf_flags+0x3b/0x50 __x64_sys_sendto+0x20/0x30 do_syscall_64+0x34/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7ff35cac1366 Code: eb 0b 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 72 c3 90 55 48 83 ec 30 44 89 4c 24 2c 4c 89 RSP: 002b:00007fff738e4028 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007fff738e57b0 RCX: 00007ff35cac1366 RDX: 0000000000000040 RSI: 0000557164e4b450 RDI: 0000000000000003 RBP: 0000557164e4b450 R08: 00007fff738e7a2c R09: 0000000000000010 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040 R13: 00007fff738e5770 R14: 00007fff738e4030 R15: 0000001d00000001 </TASK> Modules linked in: netconsole veth br_netfilter bridge bonding virtio_net [last unloaded: netconsole] CR2: 00000000000000c0

References

►

URL

Tags

	https://git.kernel.org/stable/c/2761612bcde9776dd93ce60ce55ef0b7c7329153
	https://git.kernel.org/stable/c/96f2758a6d028d1ac08616de9c3c7ff2a122ecf1
	https://git.kernel.org/stable/c/e26d676c1f9f335510780b566a10475c47ce03d0
	https://git.kernel.org/stable/c/17ecd4a4db4783392edd4944f5e8268205083f70

Impacted products

Vendor

Product

Version

►

Linux

Version: 5b7f84b1f9f46327360a64c529433fa0d68cc3f4
Version: 2d151d39073aff498358543801fca0f670fea981
Version: 2d151d39073aff498358543801fca0f670fea981
Version: 2d151d39073aff498358543801fca0f670fea981

Linux

Version: 5.15

Show details on NVD website