{ "threat_severity" : "Low", "public_date" : "2025-02-26T00:00:00Z", "bugzilla" : { "description" : "kernel: net: preserve skb_end_offset() in skb_unclone_keeptruesize()", "id" : "2347898", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2347898" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet: preserve skb_end_offset() in skb_unclone_keeptruesize()\nsyzbot found another way to trigger the infamous WARN_ON_ONCE(delta < len)\nin skb_try_coalesce() [1]\nI was able to root cause the issue to kfence.\nWhen kfence is in action, the following assertion is no longer true:\nint size = xxxx;\nvoid *ptr1 = kmalloc(size, gfp);\nvoid *ptr2 = kmalloc(size, gfp);\nif (ptr1 && ptr2)\nASSERT(ksize(ptr1) == ksize(ptr2));\nWe attempted to fix these issues in the blamed commits, but forgot\nthat TCP was possibly shifting data after skb_unclone_keeptruesize()\nhas been used, notably from tcp_retrans_try_collapse().\nSo we not only need to keep same skb->truesize value,\nwe also need to make sure TCP wont fill new tailroom\nthat pskb_expand_head() was able to get from a\naddr = kmalloc(...) followed by ksize(addr)\nSplit skb_unclone_keeptruesize() into two parts:\n1) Inline skb_unclone_keeptruesize() for the common case,\nwhen skb is not cloned.\n2) Out of line __skb_unclone_keeptruesize() for the 'slow path'.\nWARNING: CPU: 1 PID: 6490 at net/core/skbuff.c:5295 skb_try_coalesce+0x1235/0x1560 net/core/skbuff.c:5295\nModules linked in:\nCPU: 1 PID: 6490 Comm: syz-executor161 Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:skb_try_coalesce+0x1235/0x1560 net/core/skbuff.c:5295\nCode: bf 01 00 00 00 0f b7 c0 89 c6 89 44 24 20 e8 62 24 4e fa 8b 44 24 20 83 e8 01 0f 85 e5 f0 ff ff e9 87 f4 ff ff e8 cb 20 4e fa <0f> 0b e9 06 f9 ff ff e8 af b2 95 fa e9 69 f0 ff ff e8 95 b2 95 fa\nRSP: 0018:ffffc900063af268 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 00000000ffffffd5 RCX: 0000000000000000\nRDX: ffff88806fc05700 RSI: ffffffff872abd55 RDI: 0000000000000003\nRBP: ffff88806e675500 R08: 00000000ffffffd5 R09: 0000000000000000\nR10: ffffffff872ab659 R11: 0000000000000000 R12: ffff88806dd554e8\nR13: ffff88806dd9bac0 R14: ffff88806dd9a2c0 R15: 0000000000000155\nFS: 00007f18014f9700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020002000 CR3: 000000006be7a000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n\ntcp_try_coalesce net/ipv4/tcp_input.c:4651 [inline]\ntcp_try_coalesce+0x393/0x920 net/ipv4/tcp_input.c:4630\ntcp_queue_rcv+0x8a/0x6e0 net/ipv4/tcp_input.c:4914\ntcp_data_queue+0x11fd/0x4bb0 net/ipv4/tcp_input.c:5025\ntcp_rcv_established+0x81e/0x1ff0 net/ipv4/tcp_input.c:5947\ntcp_v4_do_rcv+0x65e/0x980 net/ipv4/tcp_ipv4.c:1719\nsk_backlog_rcv include/net/sock.h:1037 [inline]\n__release_sock+0x134/0x3b0 net/core/sock.c:2779\nrelease_sock+0x54/0x1b0 net/core/sock.c:3311\nsk_wait_data+0x177/0x450 net/core/sock.c:2821\ntcp_recvmsg_locked+0xe28/0x1fd0 net/ipv4/tcp.c:2457\ntcp_recvmsg+0x137/0x610 net/ipv4/tcp.c:2572\ninet_recvmsg+0x11b/0x5e0 net/ipv4/af_inet.c:850\nsock_recvmsg_nosec net/socket.c:948 [inline]\nsock_recvmsg net/socket.c:966 [inline]\nsock_recvmsg net/socket.c:962 [inline]\n____sys_recvmsg+0x2c4/0x600 net/socket.c:2632\n___sys_recvmsg+0x127/0x200 net/socket.c:2674\n__sys_recvmsg+0xe2/0x1a0 net/socket.c:2704\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x44/0xae" ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2022-11-15T00:00:00Z", "advisory" : "RHSA-2022:8267", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-162.6.1.el9_1" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2022-11-15T00:00:00Z", "advisory" : "RHSA-2022:8267", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "kernel-0:5.14.0-162.6.1.el9_1" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-49142\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49142\nhttps://lore.kernel.org/linux-cve-announce/2025022607-CVE-2022-49142-b3b9@gregkh/T" ], "name" : "CVE-2022-49142", "csaw" : false }