CVE-2022-48819
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
tcp: take care of mixed splice()/sendmsg(MSG_ZEROCOPY) case
syzbot found that mixing sendpage() and sendmsg(MSG_ZEROCOPY) calls over the same TCP socket would again trigger the infamous warning in inet_sock_destruct()
WARN_ON(sk_forward_alloc_get(sk));
While Talal took into account a mix of regular copied data and MSG_ZEROCOPY one in the same skb, the sendpage() path has been forgotten.
We want the charging to happen for sendpage(), because pages could be coming from a pipe. What is missing is the downgrading of pure zerocopy status to make sure sk_forward_alloc will stay synced.
Add tcp_downgrade_zcopy_pure() helper so that we can use it from the two callers.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 9b65b17db72313b7a4fe9bc9502928c88be57986 < 47f3860c4931175f112f28dcac66eacca9b1040f | affected |
| Linux | Linux | 9b65b17db72313b7a4fe9bc9502928c88be57986 < f8d9d938514f46c4892aff6bfe32f425e84d81cc | affected |
| Linux | Linux | 5.16 | affected |
| Linux | Linux | 0 < 5.16 | unaffected |
| Linux | Linux | 5.16.10 <= 5.16.* | unaffected |
| Linux | Linux | 5.17 <= * | unaffected |
Weaknesses
ADP Enrichment
CVE Program Container
Additional References
- https://git.kernel.org/stable/c/47f3860c4931175f112f28dcac66eacca9b1040f
- https://git.kernel.org/stable/c/f8d9d938514f46c4892aff6bfe32f425e84d81cc
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://git.kernel.org/stable/c/47f3860c4931175f112f28dcac66eacca9b1040f
- https://git.kernel.org/stable/c/f8d9d938514f46c4892aff6bfe32f425e84d81cc
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.