CVE-2022-48819

Summary

In the Linux kernel, the following vulnerability has been resolved:

tcp: take care of mixed splice()/sendmsg(MSG_ZEROCOPY) case

syzbot found that mixing sendpage() and sendmsg(MSG_ZEROCOPY) calls over the same TCP socket would again trigger the infamous warning in inet_sock_destruct()

WARN_ON(sk_forward_alloc_get(sk));

While Talal took into account a mix of regular copied data and MSG_ZEROCOPY one in the same skb, the sendpage() path has been forgotten.

We want the charging to happen for sendpage(), because pages could be coming from a pipe. What is missing is the downgrading of pure zerocopy status to make sure sk_forward_alloc will stay synced.

Add tcp_downgrade_zcopy_pure() helper so that we can use it from the two callers.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux9b65b17db72313b7a4fe9bc9502928c88be57986 < 47f3860c4931175f112f28dcac66eacca9b1040faffected
LinuxLinux9b65b17db72313b7a4fe9bc9502928c88be57986 < f8d9d938514f46c4892aff6bfe32f425e84d81ccaffected
LinuxLinux5.16affected
LinuxLinux0 < 5.16unaffected
LinuxLinux5.16.10 <= 5.16.*unaffected
LinuxLinux5.17 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References