CVE-2022-50885 (GCVE-0-2022-50885)

Vulnerability from cvelistv5 – Published: 2025-12-30 12:34 – Updated: 2025-12-30 12:34
VLAI?
Title
RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed
Summary
In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed There is a null-ptr-deref when mount.cifs over rdma: BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe] Read of size 8 at addr 0000000000000018 by task mount.cifs/3046 CPU: 2 PID: 3046 Comm: mount.cifs Not tainted 6.1.0-rc5+ #62 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc3 Call Trace: <TASK> dump_stack_lvl+0x34/0x44 kasan_report+0xad/0x130 rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe] execute_in_process_context+0x25/0x90 __rxe_cleanup+0x101/0x1d0 [rdma_rxe] rxe_create_qp+0x16a/0x180 [rdma_rxe] create_qp.part.0+0x27d/0x340 ib_create_qp_kernel+0x73/0x160 rdma_create_qp+0x100/0x230 _smbd_get_connection+0x752/0x20f0 smbd_get_connection+0x21/0x40 cifs_get_tcp_session+0x8ef/0xda0 mount_get_conns+0x60/0x750 cifs_mount+0x103/0xd00 cifs_smb3_do_mount+0x1dd/0xcb0 smb3_get_tree+0x1d5/0x300 vfs_get_tree+0x41/0xf0 path_mount+0x9b3/0xdd0 __x64_sys_mount+0x190/0x1d0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 The root cause of the issue is the socket create failed in rxe_qp_init_req(). So move the reset rxe_qp_do_cleanup() after the NULL ptr check.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < ee24de095569935eba600f7735e8e8ddea5b418e (git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 7340ca9f782be6fbe3f64a134dc112772764f766 (git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < bd7106a6004f1077a365ca7f5a99c7a708e20714 (git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 6bb5a62bfd624039b05157745c234068508393a9 (git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < f64f08b9e6fb305a25dd75329e06ae342b9ce336 (git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 5b924632d84a60bc0c7fe6e9bbbce99d03908957 (git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < 821f9a18210f6b9fd6792471714c799607b25db4 (git)
Affected: 8700e3e7c4857d28ebaa824509934556da0b3e76 , < f67376d801499f4fa0838c18c1efcad8840e550d (git)
Create a notification for this product.
    Linux Linux Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 4.14.303 , ≤ 4.14.* (semver)
Unaffected: 4.19.270 , ≤ 4.19.* (semver)
Unaffected: 5.4.229 , ≤ 5.4.* (semver)
Unaffected: 5.10.163 , ≤ 5.10.* (semver)
Unaffected: 5.15.86 , ≤ 5.15.* (semver)
Unaffected: 6.0.16 , ≤ 6.0.* (semver)
Unaffected: 6.1.2 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/sw/rxe/rxe_qp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ee24de095569935eba600f7735e8e8ddea5b418e",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "7340ca9f782be6fbe3f64a134dc112772764f766",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "bd7106a6004f1077a365ca7f5a99c7a708e20714",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "6bb5a62bfd624039b05157745c234068508393a9",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "f64f08b9e6fb305a25dd75329e06ae342b9ce336",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "5b924632d84a60bc0c7fe6e9bbbce99d03908957",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "821f9a18210f6b9fd6792471714c799607b25db4",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            },
            {
              "lessThan": "f67376d801499f4fa0838c18c1efcad8840e550d",
              "status": "affected",
              "version": "8700e3e7c4857d28ebaa824509934556da0b3e76",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/sw/rxe/rxe_qp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.303",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.270",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.229",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.163",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.303",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.270",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.229",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.163",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.86",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.16",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.2",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed\n\nThere is a null-ptr-deref when mount.cifs over rdma:\n\n  BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe]\n  Read of size 8 at addr 0000000000000018 by task mount.cifs/3046\n\n  CPU: 2 PID: 3046 Comm: mount.cifs Not tainted 6.1.0-rc5+ #62\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc3\n  Call Trace:\n   \u003cTASK\u003e\n   dump_stack_lvl+0x34/0x44\n   kasan_report+0xad/0x130\n   rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe]\n   execute_in_process_context+0x25/0x90\n   __rxe_cleanup+0x101/0x1d0 [rdma_rxe]\n   rxe_create_qp+0x16a/0x180 [rdma_rxe]\n   create_qp.part.0+0x27d/0x340\n   ib_create_qp_kernel+0x73/0x160\n   rdma_create_qp+0x100/0x230\n   _smbd_get_connection+0x752/0x20f0\n   smbd_get_connection+0x21/0x40\n   cifs_get_tcp_session+0x8ef/0xda0\n   mount_get_conns+0x60/0x750\n   cifs_mount+0x103/0xd00\n   cifs_smb3_do_mount+0x1dd/0xcb0\n   smb3_get_tree+0x1d5/0x300\n   vfs_get_tree+0x41/0xf0\n   path_mount+0x9b3/0xdd0\n   __x64_sys_mount+0x190/0x1d0\n   do_syscall_64+0x35/0x80\n   entry_SYSCALL_64_after_hwframe+0x46/0xb0\n\nThe root cause of the issue is the socket create failed in\nrxe_qp_init_req().\n\nSo move the reset rxe_qp_do_cleanup() after the NULL ptr check."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:34:12.093Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ee24de095569935eba600f7735e8e8ddea5b418e"
        },
        {
          "url": "https://git.kernel.org/stable/c/7340ca9f782be6fbe3f64a134dc112772764f766"
        },
        {
          "url": "https://git.kernel.org/stable/c/bd7106a6004f1077a365ca7f5a99c7a708e20714"
        },
        {
          "url": "https://git.kernel.org/stable/c/6bb5a62bfd624039b05157745c234068508393a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/f64f08b9e6fb305a25dd75329e06ae342b9ce336"
        },
        {
          "url": "https://git.kernel.org/stable/c/5b924632d84a60bc0c7fe6e9bbbce99d03908957"
        },
        {
          "url": "https://git.kernel.org/stable/c/821f9a18210f6b9fd6792471714c799607b25db4"
        },
        {
          "url": "https://git.kernel.org/stable/c/f67376d801499f4fa0838c18c1efcad8840e550d"
        }
      ],
      "title": "RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50885",
    "datePublished": "2025-12-30T12:34:12.093Z",
    "dateReserved": "2025-12-30T12:26:05.425Z",
    "dateUpdated": "2025-12-30T12:34:12.093Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-50885\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-30T13:16:03.603\",\"lastModified\":\"2025-12-30T13:16:03.603\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nRDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed\\n\\nThere is a null-ptr-deref when mount.cifs over rdma:\\n\\n  BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe]\\n  Read of size 8 at addr 0000000000000018 by task mount.cifs/3046\\n\\n  CPU: 2 PID: 3046 Comm: mount.cifs Not tainted 6.1.0-rc5+ #62\\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc3\\n  Call Trace:\\n   \u003cTASK\u003e\\n   dump_stack_lvl+0x34/0x44\\n   kasan_report+0xad/0x130\\n   rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe]\\n   execute_in_process_context+0x25/0x90\\n   __rxe_cleanup+0x101/0x1d0 [rdma_rxe]\\n   rxe_create_qp+0x16a/0x180 [rdma_rxe]\\n   create_qp.part.0+0x27d/0x340\\n   ib_create_qp_kernel+0x73/0x160\\n   rdma_create_qp+0x100/0x230\\n   _smbd_get_connection+0x752/0x20f0\\n   smbd_get_connection+0x21/0x40\\n   cifs_get_tcp_session+0x8ef/0xda0\\n   mount_get_conns+0x60/0x750\\n   cifs_mount+0x103/0xd00\\n   cifs_smb3_do_mount+0x1dd/0xcb0\\n   smb3_get_tree+0x1d5/0x300\\n   vfs_get_tree+0x41/0xf0\\n   path_mount+0x9b3/0xdd0\\n   __x64_sys_mount+0x190/0x1d0\\n   do_syscall_64+0x35/0x80\\n   entry_SYSCALL_64_after_hwframe+0x46/0xb0\\n\\nThe root cause of the issue is the socket create failed in\\nrxe_qp_init_req().\\n\\nSo move the reset rxe_qp_do_cleanup() after the NULL ptr check.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/5b924632d84a60bc0c7fe6e9bbbce99d03908957\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6bb5a62bfd624039b05157745c234068508393a9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/7340ca9f782be6fbe3f64a134dc112772764f766\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/821f9a18210f6b9fd6792471714c799607b25db4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bd7106a6004f1077a365ca7f5a99c7a708e20714\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ee24de095569935eba600f7735e8e8ddea5b418e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f64f08b9e6fb305a25dd75329e06ae342b9ce336\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f67376d801499f4fa0838c18c1efcad8840e550d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.