FKIE_CVE-2022-49732

Vulnerability from fkie_nvd - Published: 2025-02-26 15:15 - Updated: 2025-10-24 18:48
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: sock: redo the psock vs ULP protection check Commit 8a59f9d1e3d4 ("sock: Introduce sk->sk_prot->psock_update_sk_prot()") has moved the inet_csk_has_ulp(sk) check from sk_psock_init() to the new tcp_bpf_update_proto() function. I'm guessing that this was done to allow creating psocks for non-inet sockets. Unfortunately the destruction path for psock includes the ULP unwind, so we need to fail the sk_psock_init() itself. Otherwise if ULP is already present we'll notice that later, and call tcp_update_ulp() with the sk_proto of the ULP itself, which will most likely result in the ULP looping its callbacks.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/72fa0f65b56605b8a9ae9fba2082f2123f7fe017Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/922309e50befb0cfa5cb65e4989b7706d6578846Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e34a07c0ae3906f97eb18df50902e2a01c1015b6Patch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel 5.19
linux linux_kernel 5.19
linux linux_kernel 5.19
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AA59AD4A-9F0B-4A17-9F76-4D464C6F1DDD",
              "versionEndExcluding": "5.15.51",
              "versionStartIncluding": "5.13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0172D3FA-DDEB-482A-A270-4A1495A8798C",
              "versionEndExcluding": "5.18.8",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "A8C30C2D-F82D-4D37-AB48-D76ABFBD5377",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "BF8547FC-C849-4F1B-804B-A93AE2F04A92",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.19:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "F3068028-F453-4A1C-B80F-3F5609ACEF60",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsock: redo the psock vs ULP protection check\n\nCommit 8a59f9d1e3d4 (\"sock: Introduce sk-\u003esk_prot-\u003epsock_update_sk_prot()\")\nhas moved the inet_csk_has_ulp(sk) check from sk_psock_init() to\nthe new tcp_bpf_update_proto() function. I\u0027m guessing that this\nwas done to allow creating psocks for non-inet sockets.\n\nUnfortunately the destruction path for psock includes the ULP\nunwind, so we need to fail the sk_psock_init() itself.\nOtherwise if ULP is already present we\u0027ll notice that later,\nand call tcp_update_ulp() with the sk_proto of the ULP\nitself, which will most likely result in the ULP looping\nits callbacks."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: sock: rehacer la comprobaci\u00f3n de protecci\u00f3n psock vs ULP el commit 8a59f9d1e3d4 (\"sock: Introduce sk-\u0026gt;sk_prot-\u0026gt;psock_update_sk_prot()\") ha movido la comprobaci\u00f3n inet_csk_has_ulp(sk) de sk_psock_init() a la nueva funci\u00f3n tcp_bpf_update_proto(). Supongo que esto se hizo para permitir la creaci\u00f3n de psocks para sockets que no sean inet. Desafortunadamente, la ruta de destrucci\u00f3n para psock incluye el desenrollado de ULP, por lo que debemos hacer que falle el propio sk_psock_init(). De lo contrario, si ULP ya est\u00e1 presente, lo notaremos m\u00e1s tarde y llamaremos a tcp_update_ulp() con el sk_proto del propio ULP, lo que probablemente provocar\u00e1 que el ULP repita sus devoluciones de llamadas."
    }
  ],
  "id": "CVE-2022-49732",
  "lastModified": "2025-10-24T18:48:17.410",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-02-26T15:15:17.843",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/72fa0f65b56605b8a9ae9fba2082f2123f7fe017"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/922309e50befb0cfa5cb65e4989b7706d6578846"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/e34a07c0ae3906f97eb18df50902e2a01c1015b6"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.