{
"threat_severity" : "Moderate",
"public_date" : "2025-02-26T00:00:00Z",
"bugzilla" : {
"description" : "kernel: bpf, sockmap: Fix more uncharged while msg has more_data",
"id" : "2348220",
"url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2348220"
},
"cvss3" : {
"cvss3_base_score" : "5.5",
"cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"status" : "verified"
},
"cwe" : "CWE-400",
"details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nbpf, sockmap: Fix more uncharged while msg has more_data\nIn tcp_bpf_send_verdict(), if msg has more data after\ntcp_bpf_sendmsg_redir():\ntcp_bpf_send_verdict()\ntosend = msg->sg.size //msg->sg.size = 22220\ncase __SK_REDIRECT:\nsk_msg_return() //uncharged msg->sg.size(22220) sk->sk_forward_alloc\ntcp_bpf_sendmsg_redir() //after tcp_bpf_sendmsg_redir, msg->sg.size=11000\ngoto more_data;\ntosend = msg->sg.size //msg->sg.size = 11000\ncase __SK_REDIRECT:\nsk_msg_return() //uncharged msg->sg.size(11000) to sk->sk_forward_alloc\nThe msg->sg.size(11000) has been uncharged twice, to fix we can charge the\nremaining msg->sg.size before goto more data.\nThis issue can cause the following info:\nWARNING: CPU: 0 PID: 9860 at net/core/stream.c:208 sk_stream_kill_queues+0xd4/0x1a0\nCall Trace:\n\ninet_csk_destroy_sock+0x55/0x110\n__tcp_close+0x279/0x470\ntcp_close+0x1f/0x60\ninet_release+0x3f/0x80\n__sock_release+0x3d/0xb0\nsock_close+0x11/0x20\n__fput+0x92/0x250\ntask_work_run+0x6a/0xa0\ndo_exit+0x33b/0xb60\ndo_group_exit+0x2f/0xa0\nget_signal+0xb6/0x950\narch_do_signal_or_restart+0xac/0x2a0\n? vfs_write+0x237/0x290\nexit_to_user_mode_prepare+0xa9/0x200\nsyscall_exit_to_user_mode+0x12/0x30\ndo_syscall_64+0x46/0x80\nentry_SYSCALL_64_after_hwframe+0x44/0xae\n\nWARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260\nCall Trace:\n\n__sk_destruct+0x24/0x1f0\nsk_psock_destroy+0x19b/0x1c0\nprocess_one_work+0x1b3/0x3c0\nworker_thread+0x30/0x350\n? process_one_work+0x3c0/0x3c0\nkthread+0xe6/0x110\n? kthread_complete_and_exit+0x20/0x20\nret_from_fork+0x22/0x30\n" ],
"affected_release" : [ {
"product_name" : "Red Hat Enterprise Linux 9",
"release_date" : "2023-05-09T00:00:00Z",
"advisory" : "RHSA-2023:2458",
"cpe" : "cpe:/a:redhat:enterprise_linux:9",
"package" : "kernel-0:5.14.0-284.11.1.el9_2"
}, {
"product_name" : "Red Hat Enterprise Linux 9",
"release_date" : "2023-05-09T00:00:00Z",
"advisory" : "RHSA-2023:2458",
"cpe" : "cpe:/o:redhat:enterprise_linux:9",
"package" : "kernel-0:5.14.0-284.11.1.el9_2"
} ],
"package_state" : [ {
"product_name" : "Red Hat Enterprise Linux 10",
"fix_state" : "Not affected",
"package_name" : "kernel",
"cpe" : "cpe:/o:redhat:enterprise_linux:10"
}, {
"product_name" : "Red Hat Enterprise Linux 6",
"fix_state" : "Not affected",
"package_name" : "kernel",
"cpe" : "cpe:/o:redhat:enterprise_linux:6"
}, {
"product_name" : "Red Hat Enterprise Linux 7",
"fix_state" : "Not affected",
"package_name" : "kernel",
"cpe" : "cpe:/o:redhat:enterprise_linux:7"
}, {
"product_name" : "Red Hat Enterprise Linux 7",
"fix_state" : "Not affected",
"package_name" : "kernel-rt",
"cpe" : "cpe:/o:redhat:enterprise_linux:7"
}, {
"product_name" : "Red Hat Enterprise Linux 8",
"fix_state" : "Fix deferred",
"package_name" : "kernel",
"cpe" : "cpe:/o:redhat:enterprise_linux:8"
}, {
"product_name" : "Red Hat Enterprise Linux 8",
"fix_state" : "Fix deferred",
"package_name" : "kernel-rt",
"cpe" : "cpe:/o:redhat:enterprise_linux:8"
}, {
"product_name" : "Red Hat Enterprise Linux 9",
"fix_state" : "Fix deferred",
"package_name" : "kernel-rt",
"cpe" : "cpe:/o:redhat:enterprise_linux:9"
} ],
"references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-49204\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-49204\nhttps://lore.kernel.org/linux-cve-announce/2025022618-CVE-2022-49204-38c3@gregkh/T" ],
"name" : "CVE-2022-49204",
"csaw" : false
}