CVE-2022-50699 (GCVE-0-2022-50699)

Vulnerability from cvelistv5 – Published: 2025-12-24 10:55 – Updated: 2025-12-24 10:55
VLAI?
Title
selinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context()
Summary
In the Linux kernel, the following vulnerability has been resolved: selinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context() The following warning was triggered on a hardware environment: SELinux: Converting 162 SID table entries... BUG: sleeping function called from invalid context at __might_sleep+0x60/0x74 0x0 in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 5943, name: tar CPU: 7 PID: 5943 Comm: tar Tainted: P O 5.10.0 #1 Call trace: dump_backtrace+0x0/0x1c8 show_stack+0x18/0x28 dump_stack+0xe8/0x15c ___might_sleep+0x168/0x17c __might_sleep+0x60/0x74 __kmalloc_track_caller+0xa0/0x7dc kstrdup+0x54/0xac convert_context+0x48/0x2e4 sidtab_context_to_sid+0x1c4/0x36c security_context_to_sid_core+0x168/0x238 security_context_to_sid_default+0x14/0x24 inode_doinit_use_xattr+0x164/0x1e4 inode_doinit_with_dentry+0x1c0/0x488 selinux_d_instantiate+0x20/0x34 security_d_instantiate+0x70/0xbc d_splice_alias+0x4c/0x3c0 ext4_lookup+0x1d8/0x200 [ext4] __lookup_slow+0x12c/0x1e4 walk_component+0x100/0x200 path_lookupat+0x88/0x118 filename_lookup+0x98/0x130 user_path_at_empty+0x48/0x60 vfs_statx+0x84/0x140 vfs_fstatat+0x20/0x30 __se_sys_newfstatat+0x30/0x74 __arm64_sys_newfstatat+0x1c/0x2c el0_svc_common.constprop.0+0x100/0x184 do_el0_svc+0x1c/0x2c el0_svc+0x20/0x34 el0_sync_handler+0x80/0x17c el0_sync+0x13c/0x140 SELinux: Context system_u:object_r:pssp_rsyslog_log_t:s0:c0 is not valid (left unmapped). It was found that within a critical section of spin_lock_irqsave in sidtab_context_to_sid(), convert_context() (hooked by sidtab_convert_params.func) might cause the process to sleep via allocating memory with GFP_KERNEL, which is problematic. As Ondrej pointed out [1], convert_context()/sidtab_convert_params.func has another caller sidtab_convert_tree(), which is okay with GFP_KERNEL. Therefore, fix this problem by adding a gfp_t argument for convert_context()/sidtab_convert_params.func and pass GFP_KERNEL/_ATOMIC properly in individual callers. [PM: wrap long BUG() output lines, tweak subject line]
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: ee1a84fdfeedfd7362e9a8a8f15fedc3482ade2d , < 2723875e9d677401d775a03a72abab7e9538c20c (git)
Affected: ee1a84fdfeedfd7362e9a8a8f15fedc3482ade2d , < 3006766d247bc93a25b34e92fff2f75bda597e2e (git)
Affected: ee1a84fdfeedfd7362e9a8a8f15fedc3482ade2d , < 277378631d26477451424cc73982b977961f3d8b (git)
Affected: ee1a84fdfeedfd7362e9a8a8f15fedc3482ade2d , < abe3c631447dcd1ba7af972fe6f054bee6f136fa (git)
Create a notification for this product.
    Linux Linux Affected: 5.0
Unaffected: 0 , < 5.0 (semver)
Unaffected: 5.10.152 , ≤ 5.10.* (semver)
Unaffected: 5.15.76 , ≤ 5.15.* (semver)
Unaffected: 6.0.6 , ≤ 6.0.* (semver)
Unaffected: 6.1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "security/selinux/ss/services.c",
            "security/selinux/ss/sidtab.c",
            "security/selinux/ss/sidtab.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2723875e9d677401d775a03a72abab7e9538c20c",
              "status": "affected",
              "version": "ee1a84fdfeedfd7362e9a8a8f15fedc3482ade2d",
              "versionType": "git"
            },
            {
              "lessThan": "3006766d247bc93a25b34e92fff2f75bda597e2e",
              "status": "affected",
              "version": "ee1a84fdfeedfd7362e9a8a8f15fedc3482ade2d",
              "versionType": "git"
            },
            {
              "lessThan": "277378631d26477451424cc73982b977961f3d8b",
              "status": "affected",
              "version": "ee1a84fdfeedfd7362e9a8a8f15fedc3482ade2d",
              "versionType": "git"
            },
            {
              "lessThan": "abe3c631447dcd1ba7af972fe6f054bee6f136fa",
              "status": "affected",
              "version": "ee1a84fdfeedfd7362e9a8a8f15fedc3482ade2d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "security/selinux/ss/services.c",
            "security/selinux/ss/sidtab.c",
            "security/selinux/ss/sidtab.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.152",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.152",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.76",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.6",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nselinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context()\n\nThe following warning was triggered on a hardware environment:\n\n  SELinux: Converting 162 SID table entries...\n  BUG: sleeping function called from invalid context at\n       __might_sleep+0x60/0x74 0x0\n  in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 5943, name: tar\n  CPU: 7 PID: 5943 Comm: tar Tainted: P O 5.10.0 #1\n  Call trace:\n   dump_backtrace+0x0/0x1c8\n   show_stack+0x18/0x28\n   dump_stack+0xe8/0x15c\n   ___might_sleep+0x168/0x17c\n   __might_sleep+0x60/0x74\n   __kmalloc_track_caller+0xa0/0x7dc\n   kstrdup+0x54/0xac\n   convert_context+0x48/0x2e4\n   sidtab_context_to_sid+0x1c4/0x36c\n   security_context_to_sid_core+0x168/0x238\n   security_context_to_sid_default+0x14/0x24\n   inode_doinit_use_xattr+0x164/0x1e4\n   inode_doinit_with_dentry+0x1c0/0x488\n   selinux_d_instantiate+0x20/0x34\n   security_d_instantiate+0x70/0xbc\n   d_splice_alias+0x4c/0x3c0\n   ext4_lookup+0x1d8/0x200 [ext4]\n   __lookup_slow+0x12c/0x1e4\n   walk_component+0x100/0x200\n   path_lookupat+0x88/0x118\n   filename_lookup+0x98/0x130\n   user_path_at_empty+0x48/0x60\n   vfs_statx+0x84/0x140\n   vfs_fstatat+0x20/0x30\n   __se_sys_newfstatat+0x30/0x74\n   __arm64_sys_newfstatat+0x1c/0x2c\n   el0_svc_common.constprop.0+0x100/0x184\n   do_el0_svc+0x1c/0x2c\n   el0_svc+0x20/0x34\n   el0_sync_handler+0x80/0x17c\n   el0_sync+0x13c/0x140\n  SELinux: Context system_u:object_r:pssp_rsyslog_log_t:s0:c0 is\n           not valid (left unmapped).\n\nIt was found that within a critical section of spin_lock_irqsave in\nsidtab_context_to_sid(), convert_context() (hooked by\nsidtab_convert_params.func) might cause the process to sleep via\nallocating memory with GFP_KERNEL, which is problematic.\n\nAs Ondrej pointed out [1], convert_context()/sidtab_convert_params.func\nhas another caller sidtab_convert_tree(), which is okay with GFP_KERNEL.\nTherefore, fix this problem by adding a gfp_t argument for\nconvert_context()/sidtab_convert_params.func and pass GFP_KERNEL/_ATOMIC\nproperly in individual callers.\n\n[PM: wrap long BUG() output lines, tweak subject line]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-24T10:55:15.468Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2723875e9d677401d775a03a72abab7e9538c20c"
        },
        {
          "url": "https://git.kernel.org/stable/c/3006766d247bc93a25b34e92fff2f75bda597e2e"
        },
        {
          "url": "https://git.kernel.org/stable/c/277378631d26477451424cc73982b977961f3d8b"
        },
        {
          "url": "https://git.kernel.org/stable/c/abe3c631447dcd1ba7af972fe6f054bee6f136fa"
        }
      ],
      "title": "selinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50699",
    "datePublished": "2025-12-24T10:55:15.468Z",
    "dateReserved": "2025-12-24T10:53:15.517Z",
    "dateUpdated": "2025-12-24T10:55:15.468Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-50699\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-24T11:15:50.050\",\"lastModified\":\"2025-12-29T15:58:56.260\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nselinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context()\\n\\nThe following warning was triggered on a hardware environment:\\n\\n  SELinux: Converting 162 SID table entries...\\n  BUG: sleeping function called from invalid context at\\n       __might_sleep+0x60/0x74 0x0\\n  in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 5943, name: tar\\n  CPU: 7 PID: 5943 Comm: tar Tainted: P O 5.10.0 #1\\n  Call trace:\\n   dump_backtrace+0x0/0x1c8\\n   show_stack+0x18/0x28\\n   dump_stack+0xe8/0x15c\\n   ___might_sleep+0x168/0x17c\\n   __might_sleep+0x60/0x74\\n   __kmalloc_track_caller+0xa0/0x7dc\\n   kstrdup+0x54/0xac\\n   convert_context+0x48/0x2e4\\n   sidtab_context_to_sid+0x1c4/0x36c\\n   security_context_to_sid_core+0x168/0x238\\n   security_context_to_sid_default+0x14/0x24\\n   inode_doinit_use_xattr+0x164/0x1e4\\n   inode_doinit_with_dentry+0x1c0/0x488\\n   selinux_d_instantiate+0x20/0x34\\n   security_d_instantiate+0x70/0xbc\\n   d_splice_alias+0x4c/0x3c0\\n   ext4_lookup+0x1d8/0x200 [ext4]\\n   __lookup_slow+0x12c/0x1e4\\n   walk_component+0x100/0x200\\n   path_lookupat+0x88/0x118\\n   filename_lookup+0x98/0x130\\n   user_path_at_empty+0x48/0x60\\n   vfs_statx+0x84/0x140\\n   vfs_fstatat+0x20/0x30\\n   __se_sys_newfstatat+0x30/0x74\\n   __arm64_sys_newfstatat+0x1c/0x2c\\n   el0_svc_common.constprop.0+0x100/0x184\\n   do_el0_svc+0x1c/0x2c\\n   el0_svc+0x20/0x34\\n   el0_sync_handler+0x80/0x17c\\n   el0_sync+0x13c/0x140\\n  SELinux: Context system_u:object_r:pssp_rsyslog_log_t:s0:c0 is\\n           not valid (left unmapped).\\n\\nIt was found that within a critical section of spin_lock_irqsave in\\nsidtab_context_to_sid(), convert_context() (hooked by\\nsidtab_convert_params.func) might cause the process to sleep via\\nallocating memory with GFP_KERNEL, which is problematic.\\n\\nAs Ondrej pointed out [1], convert_context()/sidtab_convert_params.func\\nhas another caller sidtab_convert_tree(), which is okay with GFP_KERNEL.\\nTherefore, fix this problem by adding a gfp_t argument for\\nconvert_context()/sidtab_convert_params.func and pass GFP_KERNEL/_ATOMIC\\nproperly in individual callers.\\n\\n[PM: wrap long BUG() output lines, tweak subject line]\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/2723875e9d677401d775a03a72abab7e9538c20c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/277378631d26477451424cc73982b977961f3d8b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/3006766d247bc93a25b34e92fff2f75bda597e2e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/abe3c631447dcd1ba7af972fe6f054bee6f136fa\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.